xdm crypto support (and what to do in general on fd.o).

Jim Gettys Jim.Gettys at hp.com
Tue Aug 17 11:17:28 PDT 2004


I've put in the mail the crypto letters required by the U.S. Government
for exporting cryptography, for xdm, as a member of X.org's BOD.
I notified them both of ftp.x.org and www.freedesktop.org, since we do
our development on fd.o and often release software there as well (not to
mention the CVS repository).

See: http://www.debian.org/legal/cryptoinmain for lots of useful
information and the legal opinion given to the Debian project. I've
gotten the same information internally in HP that matches the opinion
that Debian paid to have done.  Note that this situation is for open
source work; if you work for a company that does products containing
crypto, you still have to follow the commercial rules on the topic.

For this X.org release:
  1) we need to commit the wraphelp.c file of whatever version is
appropriate for xdm.
  2) Notification is needed.
	o We need to add the notice below to the website 
	o with our release itself in the FTP directory. 
	o I'd put it in the top of any tarball we generate that 
	contains crypto.
	o I'd also add it to a readme file next to wraphelp.c just to
	 be complete,
	o have a pointer from any fd.o project containing crypto 
	to the notice.
I think that will cover all the bases.

For the future: if we add *additional* programs/libraries to the
distribution/web site/archive, we are supposed to draft and send in new
letters the first time we distribute them.  See the above link for
details.

Note that this is true for freedesktop.org as well; letters should be
sent in whenever new crypto appears.  The letters are reasonably
painless to deal with.

We do not have to notify for every release or change, nor do we have to
wait until we hear from the government having sent in the letters. 
Binaries compiled from the source can also be redistributed freely.

If the notice is put into the wiki, it should be locked somehow so that
it can't be trivially changed, I suspect.

And if you think this is a bit silly, you aren't alone.  But at least we
can integrate/export the code and binaries these days without too much
trouble.
                            Regards,

                             - Jim Gettys


Notification Language for Posting of Open Source Code with Crypto
-----------------------------------------------------------------

Export Requirements.   You may not export or re-export this software or 
any copy or adaptation in violation of any applicable laws or
regulations.

Without limiting the generality of the foregoing, hardware, software,
technology or services provided under this license agreement may not be
exported, reexported, transferred or downloaded to or within (or to a
national resident of) countries under U.S. economic embargo including
the following countries:  

Cuba, Iran, Libya, North Korea, Sudan and Syria. 
This list is subject to change.
     
Hardware, software, technology or services may not be exported,
reexported, transferred or downloaded to persons or entities listed on
the U.S. Department of Commerce Denied Persons List, Entity List of
proliferation concern or on any U.S. Treasury Department Designated
Nationals exclusion list, or to parties directly or indirectly involved
in the development or production of nuclear, chemical, biological
weapons or in missile technology programs as specified in 
the U.S. Export Administration Regulations (15 CFR 744).   

By accepting this license agreement you confirm that you are not located
in (or a national resident of) any country under U.S. economic embargo,
not identified on any U.S. Department of Commerce Denied Persons List,
Entity List or Treasury Department Designated Nationals exclusion list,
and not directly or indirectly involved in the development or production
of nuclear, chemical, biological weapons or in missile technology
programs as specified in the U.S. Export Administration Regulations.

Software available on this web site contains cryptography and is
therefore subject to US government export control under the U.S. Export
Administration Regulations ("EAR"). EAR Part 740.13(e) allows the export
and reexport of publicly available encryption source code that is not
subject to payment of license fee or royalty payment.  Object code
resulting from the compiling of such source code may also be 
exported and reexported under this provision if publicly available and
not subject to a fee or payment other than reasonable and customary fees
for reproduction and distribution.  This kind of encryption source code
and the corresponding object code may be exported or reexported without
prior U.S. government export license authorization provided that the
U.S. government is notified about the Internet location of the 
software. 

The open source software available on this web site is publicly
available without license fee or royalty payment, and all binary
software is compiled from the source code.  The U.S. government has been
notified about this site and the location site for the source code. 
Therefore, the source code and compiled object code may be 
downloaded and exported under U.S. export license exception (without a
U.S. export license) in accordance with the further restrictions
outlined above regarding embargoed countries, restricted persons and
restricted end uses.  

Local Country Import Requirements.  The software you are about to
download contains cryptography technology.  Some countries regulate the
import, use and/or export of certain products with cryptography.  The
X.org Foundation makes no claims as to the applicability of local
country import, use and/or export regulations in relation to the
download of this product.  If you are located outside the U.S. and
Canada you are advised to consult your local country regulations to
insure compliance.




More information about the release-wranglers mailing list