Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptographic Software in Debian's Main Archive

Posted by michael on from the groundbreaking-events dept.

Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance to legal advice the Debian project received."

96 comments

  1. Wait... by Anonymous Coward · · Score: 0

    After all this time, they still don't have OpenSSH in the main sections? I knew they were behind the times with kernel, glibc, and X, but goddamn!

    1. Re:Wait... by pfharlock · · Score: 1

      ummmm, no usually they are ahead of the other distro's, ie as soon as it comes out it's in the distro. Oh wait, you must have been using the sissy stable version of debian. get a clue and use woody. That being said it really doesn't matter where the hell they keep ssl/ssh and all that stuff. I use them on my machine all the time and I typed in apt-get install ssh so on and so forth to get them so what's the big deal. They want to restructure the layout internally, doesn't affect me a bit.

  2. Crypto by Ashcrow · · Score: 5, Interesting

    Crypto helps aid in privacy, and privacy should be available to everyone no matter who they are or where they live.

  3. Hi. Here is Crypto by 1155 · · Score: 1

    It's as though they just walked up and handed security to those who don't know how to use it. I haven't used debian, but I understand you can install it if you need it, and you need it if you install it. They just made it a lot tougher to maintain mirrors in some respects, and at the same time made it an easier sell.

    1. Re:Hi. Here is Crypto by Mr_Person · · Score: 4, Insightful
      It's as though they just walked up and handed security to those who don't know how to use it.
      It's not like having extra security without knowing exactly what it does is a bad thing. The Crypto section doesn't just contain things like PGP, but important server utilities like SSH, SSL and other things. It's my opinion that SSH should be installed by default (in place of telnet) on every server as it is much more secure. The people you're talking about probably didn't understand exactly how telnet worked and they probably won't understand exactly how SSH works, but they'll still get the benefits of the extra security as will anyone who depends on the servers that they run.
    2. Re:Hi. Here is Crypto by 1155 · · Score: 1

      I was looking at globalization more than just having security. Say I moved to France. I could not take it with me, and the French version would be different than the United States version. Not to say that encryption isn't good, but maybe it should be looked at differently than to just add it in there.

  4. Hope it works out by Mr_Person · · Score: 4, Interesting

    The Debian team has been working on this for a long time. Hopefully it will make installations and upgrades quicker as the servers can now be on the same continent :-).

    One thing that was interesting is that under section 740.13(e) of the US EAR, the software can be exported as long as the people that are exporting it file for export notification. Apparently one thing that they were worried about was whether or not the individual mirrors had to each file or if Debian could just file for the main archives and all the mirrors. According to their legal advice that should be okay. Let's just hope that they don't have any legal problems with it in the future.

    1. Re:Hope it works out by Anonymous Coward · · Score: 0

      Hehehe. So my bragging about the +1 gets me a -1, eh? Well, this will just have cost the moderators suckered in to lose some karma. My 'l337 pr0p4g4d4 skillz strike again.

      You can't stop the trolls.

    2. Re:Hope it works out by Anonymous Coward · · Score: 0

      You know, I thought this was a troll at first too. But then I thought about it. How the heck did the BSD guys distribute strong crypto stuff for 2 years before Debian got around to it? The same law applied to Debian as the BSDs. Did they just have better lawyers? Or something else?

  5. That's great - no more hunting around by Anonymous Coward · · Score: 0

    for compatible crypto packages!

    Thanks, Debian!

    The crypto situation was so screwed up before only terrorists could understand it.

  6. glad to see by Partisan01 · · Score: 2, Insightful

    I'm really glad to see this finally being included into the main archive. I'm also glad to see that they consulted legal sources before charging into any of this. Hopefully they will keep integrating cryptography into the distro more as time goes on. Keep up the good work guys.

    --
    ahh, the egg in the basket..
  7. This advice is bogus. by Anonymous Coward · · Score: 1, Interesting

    According to the link, as soon as you sell the software you have to file various things.

    This restricts people from selling debian.

    Which makes life hard for CD distributors, and is in contradiction with the GPL.

    Note: I do not sell debian( or any software ).

    1. Re:This advice is bogus. by tftp · · Score: 2
      1. The distributors don't necessarily need to export the product.
      2. The distributors are not required to put the crypto components on the CD.
      3. There is no GPL violation in not distributing the software in question :-)
    2. Re:This advice is bogus. by Anonymous Coward · · Score: 0

      OH NO! Violating the GPL?!

    3. Re:This advice is bogus. by Xtifr · · Score: 3, Insightful

      This restricts people from selling debian.

      Yes, but it's the US gummit doing the restricting. Nor is this issue specific to Debian: any distro which includes crypto-enabled software (mozilla, galeon, even mutt) is going to have the same issues. If you want to sell a modern, non-crippled Linux distro of any type from the US, you're either going to have to:

      a) sell only to US citizens, or
      b) do the paperwork.

      Which makes life hard for CD distributors

      Apparently, the US gummint doesn't care. If I were a US-based CD vendor, I'd definitely complain to my gummint, but I'm not.

      and is in contradiction with the GPL.

      No, the GPL has nothing to do with it. The GPL addresses copyright issues. Other legal issues, like patents and other gummint regulations, are outside the scope of the GPL.

    4. Re:This advice is bogus. by Anonymous Coward · · Score: 0

      I'm not sure "in contradiction with the GPL" is
      sufficient to trump federal law. In the fight between open source and the feds, bet on the guys with the guns and badges.

    5. Re:This advice is bogus. by erlenic · · Score: 1

      In the fight between open source and the feds, bet on the guys with the guns and badges.

      I don't know about the badges, but both sides have guns.

  8. And to think... by ghack · · Score: 2, Interesting

    ...most projects are un-aware of the fact that open source is exempt. I suppose projects such as openbsd, based in other countries, still have the advantage though - defining when software is sold for a fee is difficult. is a fee only for media, or for a compilation, etc, still under this open source clause?

    1. Re:And to think... by Ben+Hutchings · · Score: 2

      The advice they received was that reasonable charges can be made for distribution and support (but not for licensing) without affecting the export status of the software.

  9. no real effect by Anonymous Coward · · Score: 2, Insightful

    Unless I am missing something, this won't have any real effect on end users. When I request a package to install it, I request it by name and have no idea what subdirectory it is kept in, apt keeps track of this information for me.

    1. Re:no real effect by Xtifr · · Score: 2, Funny

      Very nearly true. The main end-user effect will be on the bandwidth-challenged, who will find ssh and SSL-enabled versions of mozilla, galeon, mutt, evolution, and ghod knows what else on their CDs in the future. These people will end up saving a lot of download time (and possibly money if they pay by the minute for being online).

      The flip-side of this is that CD vendors in the US might be slightly more reluctant to jump through the hoops necessary to distribute Debian on CD. However, the same hoops are going to be required for any other distros that include non-crippled SSL-enabled apps and the like, so I don't imagine this is going to be a major problem.

    2. Re:no real effect by Ray+Dassen · · Score: 4, Informative

      Unless I am missing something, this won't have any real effect on end users.

      It will have benefits for end users, though probably not highly visible ones.

      Cryptographic software packaged for Debian is available (and has been for a long time already) through non-us.debian.org , but crypto-in-main will make further integration of crypto possible. A number of packages in main will get enhanced functionality once crypto is in main. E.g. CVS can start supporting Kerberos for authentication.

      The functionality enhancements made possible by crypto-in-main are not limited to the direct benefits of crypto, as I can illustrate with the Gnumeric package. The Gnumeric spreadsheet can be built to be able to fetch data from databases using GDA, the GNU Data Access library. Currently the Debian package is not built with GDA support. The reason for this is that Debian's GDA packages are on non-US (because their source package requires the PostgreSQL development package; PostgreSQL is on non-US as it is built with SSL support). Once we have crypto-in-main, I can build Gnumeric packages that have GDA support (probably in a separate plugin package).

    3. Re:no real effect by Dwonis · · Score: 2

      Not quite. Because there is crypto software in main, Debian developers now have the option of integrating crypto into the rest of the operating system.

    4. Re:no real effect by Sentry21 · · Score: 2

      The flip-side of this is that CD vendors in the US might be slightly more reluctant to jump through the hoops necessary to distribute Debian on CD.

      Nonsense, it'll make things easier. They don't have to burn non-US CDs, which makes images easier to find, and as long as they don't ship to the export-restricted countries (which is easier to filter via mail than download), then they're fine.

      --Dan

  10. [OT?] Debconf 2002 announced by illusion_2K · · Score: 2, Informative

    Perhaps this is a bit offtopic, but Debconf 2002 was also announced today. Will holding it in Canada make a difference crypto-wise? Probably not, but it should be a rockin' good time for participants anyway.

    It's also been conveniently scheduled to coincide nicely with the Ottawa Linux Symposium. Other than that, more info will be forthcoming within the next couple of weeks.

  11. IP address based restrictions by cabbey · · Score: 5, Interesting
    From the lawyer's response:
    Simply posting cryptographic software on a server that may be accessible from an embargoed country does not constitute ``knowledge'' that the software has been exported there. Therefore, criminal liability would not apply to the act of posting. We recommend that you perform IP checking and deny downloads to known embargoed countries. This due diligence also would provide a defense to a claim of civil liability. If you find out that your software has been downloaded to a prohibited destination, then I recommend that you block future downloads to that specific site unless and until you obtain a license from BXA.

    This is the second time I've seen this "recomendation" come out of a legal organization, in almost exactly the same wording no less. I've got to believe therefore that they are pulling it from some other source, such as an official regulation or other document.

    Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close? I mean sure, it's technically trivial to implement this blocking, just a few iptables/ipchains commands, or some entries in the firewall's firmware... but I think getting that list to begin with is nearly impossible. How do you know where the other end of the phone line that is dialed into some modem bank on the other side of the net is?

    In the last instance that I saw this (an external server at work) corporate legal was threatening to pull the plug if the admins didn't provide proof they were doing this. After much head scratching and searching the net my sugested response was that they would be happy to implement this just as soon as the legal department provided them with such a list.

    I'm told they never heard back from legal on that topic.
    1. Re:IP address based restrictions by Mr_Person · · Score: 3, Informative
      Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close?
      Well, the Debian announcement says this:
      BXA regulations require that you not knowingly export to embargoed countries, as a show of good faith you may wish to consider implementing a reverse IP lookup that identifies the computer requesting the download, and that blocks downloads of the cryptographic archive to countries embargoed by the United States: Cuba (.cu), Iran (.ir), Iraq (.iq), Libya (.ly), North Korea (.kp), Syria (.sy), Sudan (.sd) and Taliban Occupied Afghanistan.
      I know it's not an IP list, but it would be fairly simple to impliment - just block those TLD's. I suppose it would slow your server down some, having to reverse resolve every IP that connects to it. As far as updating the list, that shouldn't be too hard - all you have to do is have your lawyer give you a call every time a country is added or removed from the list (how often does that happen?) and just add their ccTLD to the block list. Or, just did a quick Google search and you can get a list from the U.S. Department of State.
    2. Re:IP address based restrictions by norwoodites · · Score: 1

      If I remember correctly, Netscape used to use this technic but it was the opposite where you could not download the software unless you were from an US IP address but it failed and I could never download Netscape with 128bit encryption even though I was in the US and using an university computer.

    3. Re:IP address based restrictions by cabbey · · Score: 3, Informative

      The list of contries is easy to get sure, but as you said: the reverse lookups (1) will kill your server and (2) will open you up to more DOS attacks . Just imagine a dns server that doesn't properly close connections, forcing them to time out, now imagine two or three of them configured into a delegation round robin... a few incoming requests and your machine grinds itself into dust trying to resolve the reverse IP... get enough of those and you'll tie up enough socket resources to choke the machine. Also a reverse DNS entry isn't a requirement, many networks don't provide them. Working from domain names just doesn't seem technically feasible... pulling netblocks from iana maybe more doable, but still isn't even close to 100% accurate.

    4. Re:IP address based restrictions by Waffle+Iron · · Score: 5, Funny
      I sleep better at night knowing that through the tireless diligence of webmasters all over the world, running millions of reverse IP lookups every day, there is probably not a single copy of ssh available in any of those countries. Kudos to all those who participate in this grand, impenetrable virtual fortress.

      This achievement is a real testament to the vision and wisdom of our leaders.

    5. Re:IP address based restrictions by fferreres · · Score: 4, Informative

      No reverse lookups needed. There are publicly available IP mappings databases. If the IP has been assigned to a banned country, then it IS in the list.

      I suggest the debian maintainers should check at LEAST this site.

      http://caida.org

      If you want to testdrive the acuracy of the mappings, why not check if it works fine for your connection. Just inset your IP number and go!:

      http://netgeo.caida.org/perl/netgeo.cgi?target=& me thod=getCountry&nonblocking=true";

      --
      unfinished: (adj.)
    6. Re:IP address based restrictions by fferreres · · Score: 1

      Correct version...(slashdot eated the last one :-)

      http://netgeo.caida.org/perl/netgeo.cgi?target=Y OU R_IP_GOES_HERE&me thod=getCountry&nonblocking=true

      --
      unfinished: (adj.)
    7. Re:IP address based restrictions by waynec · · Score: 1

      and of course, those of us working and living in these 'embargoed' countries are already using US based proxies to avoid the censorship at home. Those 'restrictions' are no restrictions at all.

    8. Re:IP address based restrictions by Anonymous Coward · · Score: 0

      Yeah... and I'm outside the US, and used to use an open wingate (SOCKS proxy) I found in the US to download, giving them false identity information I got out of an online white pages.

      It's all such a waste of time. There are loads of publically accessible webcaches/proxies in the rest of the world. Why even both trying to block those TLDs.

    9. Re:IP address based restrictions by Anonymous Coward · · Score: 0

      It eated it?

      :-))

      sorry it made me laugh. had you been female i would say it was cute

    10. Re:IP address based restrictions by fferreres · · Score: 1

      I think it's a spanish expression, sometimes I forget which localities are for what language, or what language I'm using!

      Shame you weren't girl also :)...

      --
      unfinished: (adj.)
  12. Re:SLASHDOT IST TOT by Mr.+Piccolo · · Score: 0, Offtopic

    So CmdrTaco = God?

    Don't make me laugh.

    --
    Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und Subskriptionen einlei
  13. do I have to spell it out for you... by Anonymous Coward · · Score: 0

    Bush admits Shadow U.S. government in place

  14. Money is spent on being sneaky... by Futurepower(tm) · · Score: 5, Insightful


    It amazes me that the U.S. government has done as much as it can to try to outlaw privacy. To me, it seems that things are out of control in some parts of the U.S. government. The U.S. spends more on surveillance of everyone everywhere than any country ever has in the history of the world. Money is spent on being sneaky, rather than on making good relationships.

    It is futile to try to avoid the export of software, particularly when having it is legal in other countries. Yet taxpayer money is spent on this. The U.S. government, in my opinion, should not try to control the entire world.

    More on the extremes of U.S. government policy: What should be the Response to Violence?

    --
    Bush's education improvements were
    1. Re:Money is spent on being sneaky... by Anonymous Coward · · Score: 0

      Yeah, we do spend a lot of money on spying. Then again the US is one of the few places on Earth where a lot of what our spies do is illegal on home territory. Unlike most citizens, we can sue our spies when we catch them doing something unethical on home turf..

      I have to agree that export rules regarding encryption are idiotic. If "badguys" really want something, they'll get it and it won't download it from debian.com or whatever.

  15. seperate standards? by Anonymous Coward · · Score: 0

    after reading the legalese, the only thing i'm curious about is why there are different standards for crypto that has examinable source and crypto that is only available in executable form. isn't it already known that pgp, rsa, , etc are strong whether or not the source and algorithms are published?

  16. One more step... by castlan · · Score: 0, Offtopic
    Wow, integrated cryptography! Now why does that sound familiar?

    Oh yeah... It seems that the Debian Project is one step closer to supplanting OpenBSD. ;)

    Four years without a remote hole in the default install!

    The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

    OpenBSD is freely available from our FTP sites, and also available in an inexpensive 3-CD set. The current release is OpenBSD 3.0 which started shipping December 1, 2001. The CDs (and Shirts) can be ordered...

    OpenBSD contains OpenSSH, which supports SSH1 and SSH2!

    OpenBSD is developed by volunteers. The project funds development and releases by selling CDs and T-shirts, as well as receiving donations. Organizations and individuals donate and thus ensure that OpenBSD will continue to exist, and will remain free for everyone to use and reuse as they see fit.

    It seems that OpenSSH is still being integrated into the main archive of Debian, Woody (aka 3.0) is still awaiting release, and there is no specific holistic proactive security project. Nevertheless, portability, correctness et al. are definitely emphasized. Now the binary emulation may seem a dubious feature in many cases, especially with Linux occasionally recieving more support than many commercial Unices, though there are some efforts at binary emulation on Suns.

    Okay, I'll admit - this was a troll. OpenBSD is still very valuable and viable, and still the best choice for security minded situations. But as yet another bulwark of OpenBSD is breached by Debian, this topic will again merit reevaluation. I still feel that the distant future will find OpenBSD being outpaced by whatever system the Debian Project presents, be it still based on Linux, a more direct BSD derivative, or a more direct embodiment of the GNU System.

    -castlan
  17. Re:SLASHDOT IST TOT by cmbofh · · Score: 0, Troll

    > Glückwünsche, haben Sie Slashdot ermordet, > indem Sie zum korporativen Druck beugten und > Subskriptionen einleiteten. fish translation?

  18. This is just a bad idea. by njdj · · Score: 4, Informative

    For the Debian end user, getting stuff like OpenSSH has been very easy, contrary to what some posters have said. There is little or no benefit for most end users in this change; and a huge increase in trouble and inconvenience for some end users, who happen to be citizens or residents of a country like Cuba that the Bush regime doesn't currently like.

    US crypto regulations are not only a nuisance, they're also volatile. "Things are getting better", we hear. Bullshit. Things are changing unpredictably. Few people (and certainly no software developers) have any idea what US policy will be next year.

    The only sensible policy is to keep the crypto archive in a country that has never had export regulations for crypto software (there are many).

    1. Re:This is just a bad idea. by crond · · Score: 1

      I don't think this is a bad idea.

      As you say, it is very easy to get non-US software, add a line in sources.list, and never think about it again. However, there are a lot of other applications where crypto isn't needed for the package to work.

      For example, you can get 'lynx' from the main server. If you need https support, just fetch the 'lynx-ssl' package from the non-US server.

      But what if the maintainer is from the USA? I suppose that would prohibit him from uploading such a package to the non-US server.

      Compare the LDAP utilities. There is no cryptographic version of them in the Debian archive. Ben Collins couldn't upload them.

      Of course, I do some magic with stunnel to get my passwords encrypted anyway, but it's not the best way to go.

      And the LDAP packages are just an example. How many other packages out there would be built with the (optional) crypto support, if they could be uploaded in the US main archive?

  19. Re:SLASHDOT IST TOT by NWT · · Score: 1

    Glückwünsche, haben Sie Slashdot ermordet, indem Sie zum korporativen Druck beugten und subskriptionen einleiteten.
    translation:
    Congratulations, you killed slashdot because you couldn't resist the coroporate pressure and because you introduced subscriptions.

    The translation may not be 100% accurate, but it's about the new subscription system introduced yesterday ...

    --
    Life sucks.
  20. What are you waiting for? by pioppo · · Score: 0, Offtopic

    Hey! Yes I'm talking to you, there in the states...

    Why are you still there instead of migrating in
    a really democratic country, where citizens are
    free too write/use/export/pubish/reverse-engineer
    any kind of software they like?

    1. Re:What are you waiting for? by Anonymous Coward · · Score: 0

      And where would that be? It seems to me that EU is hoping to become what USA is now. Only recently it has been chosen that it must be illegal to crack the region-check on your DVD-player in the entire EU. In GB it'll even become illegal to import DVD's from USA!! The world is a Fscked up place, and it's only getting worse.

      // annoia

  21. better yet, it is and has been! by twitter · · Score: 2
    The good news is that crypto is available everywhere. The bad news is it does not work the way it should.

    As US residents who did not know how to program crypto know, crypto is available in outher countries. A few years ago, the easiest way to get secure shell was to get OpenBSD from Canada, or buy something expensive. Programers with access to crypto knowledge could make what they wanted.

    One of the main goals of public key encryption thechnology was to aid people in countries likely to be on US blacklists. Giving those people the ability to communicate privatly is much worse for oppressive governments than any improvement in that government's software library. Governments can usually afford programers and have what they want where they want it.

    Most countries have proved that crypto is a doubtful tool of subversion. Oppresive countries have made cryptography illegal (yes, I'm refering to past US laws and current UK laws). Those that use it only set themselves up for investigation. Indeed, we can be sure that owning a computer at all in some places will earn you a beating.

    I'm happy to see the US going in the right direction for a change. I have and love Debian. One of the best things about it is secure shell. It's great to be able to use and administer my home machines from work or anywhere else in the world without worrying about someone breaking in. "ssh user@mahine -X" run on my lan makes all of my machies transparently usable at once through a single monitor and keyboard. Having this wonderful tool even easier to get is a great step forward. Hopefully the US will consider this one of the weapons to freely distribute from the "Arsenal of Democracy". Go get it!

    --

    Friends don't help friends install M$ junk.

  22. Re:widening post in slashdot comments by Anonymous Coward · · Score: 0

    It doesn't work in Mozilla, either. Come on, Klerck, get with it.

  23. Yay! by Mike+Hicks · · Score: 2

    Yay! Now I should be able to get this stuff from the nearby and really fast mirror on campus. Ahh..

    Now, I just wonder if the FreeS/WAN folks will ever get their code integrated with the standard Linux kernel..

  24. The legal advice is dated by Anonymous Coward · · Score: 0

    ...before September 11 last year. It makes me wonder about its validity when commenting on Government policy.

  25. Tremendous effect by coyote-san · · Score: 2

    This will have a huge effect in the long run, since crypto isn't just used for encryption. It's also used for authentication, and is critical in token-based authentication (e.g., smartcards). With tokens, you have strong authentication ("something you have" (token) and "something you know" (passphrase), lacking only "something you are" (e.g., fingerprint)).

    This allows you to do some really nice things. You want temporary root access? Sure - put your card in the reader and type in your passphrase. Once you remove the card, root access goes away.

    Or you need access to a database containing confidential information? Put in the your card and you gain access to database... but it will be dropped when you remove your card.

    --
    For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
    1. Re:Tremendous effect by Xtifr · · Score: 1

      This will have a huge effect in the long run, since crypto isn't just used for encryption.

      I think you're missing Mr. Coward's point. Crypto was already available to Debian users. To most, this change will be all-but-transparent, due to the magic of apt-get.

  26. Hey Moderator! by castlan · · Score: 1

    Flamebait perhaps, but not Off Topic. Integrated crypto is a significant feature of OpenBSD. Now Debian has the capability to integrate their crypto. This will propel Debian forward significantly into areas where OpenBSD was once undisputedly the better choice. Perhaps instead of ignorantly moderating, you could have actually posted a response. Of course, that assumes that you are capable of intelligent communication. My bad.