| |||||||||||||
overly restrictive reading of the EARoverly restrictive reading of the EARPosted Oct 23, 2003 2:23 UTC (Thu) by roelofs (guest, #2599)Parent article: Bernstein wins, sort of Anyone seeking to export "encryption software" to any country other than Canada must seek a license from the Commerce Department, barring encryption software used for "authentication or digital signature" functions alone. That's incorrect. Open Source software (including associated binaries) is explicitly exempt from that rule under License Exception TSU, as noted in the 6 June 2002 clarification of section 740.13(e) of the EAR (see Federal Register, vol. 67, no. 109, p. 38857, middle of page):
c. Clarification of when a notification is required. i. Encryption source code that would be considered publicly available, and corresponding object code. This rule simplifies U.S. export treatment of encryption source code that would be considered publicly available, by allowing all such source code (and corresponding object code) to be exported and reexported under License Exception TSU once notification (or a copy of the source code) is provided to BIS, regardless of whether a fee or royalty is charged for the commercial production or sale of products developed using this software. Refer to ยง 740.13(e). This exception is used by both Debian and Info-ZIP (although I seem to have forgotten to upload the updated notice to the latter site...I'll fix that soon). Note that other portions of the EAR provide the proper contact addresses and so forth. The relevant copy of the Register is available in PDF form from some US government site, but I've forgotten which one (LoC? BIS? check Google for "License Exception TSU" and/or "Federal Register"). Greg Roelofs
(Log in to post comments)
overly restrictive reading of the EAR Posted Oct 23, 2003 7:40 UTC (Thu) by cate (subscriber, #1359) [Link] IIRC Debian contacted the US government and now every package change (outside non-US section) in Debian will sent a notification to the US government. IIRC it toke time before Debian would be legally able to put criptographic software in main So, maybe everyone can export open source cryptographic software, but the burocracy is still so high that I whouldn't call freedom.
overly restrictive reading of the EAR Posted Oct 23, 2003 13:38 UTC (Thu) by zone (guest, #3633) [Link] http://www.debian.org/legal/cryptoinmainIt appears you can either notify the BXA when you add a program to the archive that incorporates cryptography, or when you add any new program and specify that cryptographic functionality may be added later. So it's more likely Debian only sends notification when new packages are added to the archive, not for every package change. And I'm not sure what you mean by too much bureaucracy :-).
overly restrictive reading of the EAR Posted Oct 23, 2003 15:37 UTC (Thu) by cate (subscriber, #1359) [Link] Ok. I remembered incorrectly :-(. I was wondering how many notification would send the kernel, (one by every commit?). Thanks for the correction!
EAR/TSU links Posted Oct 23, 2003 17:38 UTC (Thu) by roelofs (guest, #2599) [Link] I wrote:This exception is used by both Debian and Info-ZIP (although I seem to have forgotten to upload the updated notice to the latter site...I'll fix that soon). Note that other portions of the EAR provide the proper contact addresses and so forth. The relevant copy of the Register is available in PDF form from some US government site, but I've forgotten which one (LoC? BIS? check Google for "License Exception TSU" and/or "Federal Register"). The BIS notification page is here:
http://www.bxa.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html However, its link to the Federal Register is bogus; the correct one is:
http://w3.access.gpo.gov/bis/fedreg/ear_fedreg02.html#67fr38855 ...and it also comes in WordPerfect and plain ASCII formats. I've also updated the Info-ZIP site with the current notification. Greg Roelofs
|
|||||||||||||
