Hello,
Recently the issue of crypto and crypto export in fedora/EPEL was raised about beecrypt. This is something that has never been discussed as far as I remember. It should of course be checked with legal.
My question is, does crypto software need a specific treatment in fedora? (And if yes, what is a crypto software?)
-- Pat
On Wed, Mar 19, 2008 at 4:13 PM, Patrice Dumas pertusus@free.fr wrote:
Hello,
Recently the issue of crypto and crypto export in fedora/EPEL was raised about beecrypt. This is something that has never been discussed as far as I remember. It should of course be checked with legal.
My question is, does crypto software need a specific treatment in fedora? (And if yes, what is a crypto software?)
As far as I know crypto has always needed special treatment in Fedora. Most encryption software is considered 'controlled' for export by several nations (I think United States, France, Russia, China, etc). What Red Hat has to do is fill out paperwork with the United States Commerce department whenever new software with encryption is added to Fedora or RHEL. This paperwork is on file and then allows various mirrors to get the software though if inside the US they are required to put up a listing like:
230-Due to U.S. Exports Regulations, all cryptographic software on this
230-site is subject to the following legal notice:
230-
230- This site includes publicly available encryption source code
230- which, together with object code resulting from the compiling of
230- publicly available source code, may be exported from the United
230- States under License Exception "TSU" pursuant to 15 C.F.R. Section
230- 740.13(e).
230-
230-This legal notice applies to cryptographic software only. Please see
230-the Bureau of Export Administration (http://www.bxa.doc.gov/) for more
230-information about current U.S. regulations.
like mirrors.kernel.org. I have been told that similar rules are in place for other countries dealing with encryption.
On Wed, Mar 19, 2008 at 04:48:52PM -0600, Stephen John Smoogen wrote:
On Wed, Mar 19, 2008 at 4:13 PM, Patrice Dumas pertusus@free.fr wrote:
Hello,
Recently the issue of crypto and crypto export in fedora/EPEL was raised about beecrypt. This is something that has never been discussed as far as I remember. It should of course be checked with legal.
My question is, does crypto software need a specific treatment in fedora? (And if yes, what is a crypto software?)
As far as I know crypto has always needed special treatment in Fedora. Most encryption software is considered 'controlled' for export by several nations (I think United States, France, Russia, China, etc). What Red Hat has to do is fill out paperwork with the United States Commerce department whenever new software with encryption is added to Fedora or RHEL.
Then we have to register crypto packages somewhere such that the people in charge can do the paperwork, don't we? Don't we need a guideline here?
-- Pat
On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
Then we have to register crypto packages somewhere such that the people in charge can do the paperwork, don't we? Don't we need a guideline here?
I actually need to prep a guideline that has all packages with crypto technology block FE-LEGAL (if that's still the alias). We'll use that to get an audit of the code to make sure it's either not new crypto, or if it is, alert the appropriate people for export filings.
On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
Then we have to register crypto packages somewhere such that the people in charge can do the paperwork, don't we? Don't we need a guideline here?
I actually need to prep a guideline that has all packages with crypto technology block FE-LEGAL (if that's still the alias). We'll use that to get an audit of the code to make sure it's either not new crypto, or if it is, alert the appropriate people for export filings.
Looks good.
There are other questions that should be answered, however, in my opinion (with external sources of information if possible, no need to be fedora centric).
What are the criteria for being a crypto technology? It is easy to spot many packages that are not crypto, but for others it is not very clear to me. For example, at which point does a math library become a crypto library? And what about an application that computes hashes? Also, does the registration need to be done each time there is a new release, or once for all?
-- Pat
On Thu, 2008-03-20 at 13:00 +0100, Patrice Dumas wrote:
Looks good.
There are other questions that should be answered, however, in my opinion (with external sources of information if possible, no need to be fedora centric).
What are the criteria for being a crypto technology? It is easy to spot many packages that are not crypto, but for others it is not very clear to me. For example, at which point does a math library become a crypto library? And what about an application that computes hashes? Also, does the registration need to be done each time there is a new release, or once for all?
These are all good questions, and we need to get Steve Grubb plugged in here to answer some of these.
On Thu, Mar 20, 2008 at 6:00 AM, Patrice Dumas pertusus@free.fr wrote:
On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
Then we have to register crypto packages somewhere such that the people in charge can do the paperwork, don't we? Don't we need a guideline here?
I actually need to prep a guideline that has all packages with crypto technology block FE-LEGAL (if that's still the alias). We'll use that to get an audit of the code to make sure it's either not new crypto, or if it is, alert the appropriate people for export filings.
Looks good.
There are other questions that should be answered, however, in my opinion (with external sources of information if possible, no need to be fedora centric).
What are the criteria for being a crypto technology? It is easy to spot many packages that are not crypto, but for others it is not very clear to me. For example, at which point does a math library become a crypto library? And what about an application that computes hashes? Also, does the registration need to be done each time there is a new release, or once for all?
Back in 2001, it needed to be done every time there was an update to the code (e.g. every time we patched kerberos or openssh and put it out, a new fax was sent to DoC in Washington and the mirror push had to wait until then). However, I am not sure if we had to do it with coreutils (md5sum), but I am not sure if patching that ever came up. I was mostly on the "crap, remove this from the mirrors, someone pushed too early" end of things.
On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
Then we have to register crypto packages somewhere such that the people in charge can do the paperwork, don't we? Don't we need a guideline here?
I actually need to prep a guideline that has all packages with crypto technology block FE-LEGAL (if that's still the alias). We'll use that to get an audit of the code to make sure it's either not new crypto, or if it is, alert the appropriate people for export filings.
Hate to be difficult, but what about a package like ocaml-cryptokit which originates outside the US?
http://pauillac.inria.fr/~xleroy/software.html#cryptokit
(I don't think that particular package has anything which could be described as "new crypto").
Rich.
packaging@lists.fedoraproject.org