Slashdot Mirror


Cryptographic Software in Debian's Main Archive

Cine writes: "James Troup and Sam Hartman recently sent a note to all debian mirror maintainers, to inform them about the current situation and future plans. Sometime after March 8th, crypto software like OpenSSH, SSL support, and many other enhancements will be integrated into the debian main archive. This is in accordance with legal advice the Debian project received."

9 of 96 comments

  1. Crypto by Ashcrow · · Score: 5, Interesting

    Crypto helps aid in privacy, and privacy should be available to everyone no matter who they are or where they live.

  2. Hope it works out by Mr_Person · · Score: 4, Interesting

    The Debian team has been working on this for a long time. Hopefully it will make installations and upgrades quicker as the servers can now be on the same continent :-).

    One thing that was interesting is that under section 740.13(e) of the US EAR, the software can be exported as long as the people that are exporting it file for export notification. Apparently one thing that they were worried about was whether or not the individual mirrors had to each file or if Debian could just file for the main archives and all the mirrors. According to their legal advice that should be okay. Let's just hope that they don't have any legal problems with it in the future.

  3. Re:Hi. Here is Crypto by Mr_Person · · Score: 4, Insightful

    It's as though they just walked up and handed security to those who don't know how to use it.

    It's not like having extra security without knowing exactly what it does is a bad thing. The Crypto section doesn't just contain things like PGP, but important server utilities like SSH, SSL and other things. It's my opinion that SSH should be installed by default (in place of telnet) on every server as it is much more secure. The people you're talking about probably didn't understand exactly how telnet worked and they probably won't understand exactly how SSH works, but they'll still get the benefits of the extra security as will anyone who depends on the servers that they run.

  4. IP address based restrictions by cabbey · · Score: 5, Interesting

    From the lawyer's response:

    Simply posting cryptographic software on a server that may be accessible from an embargoed country does not constitute ``knowledge'' that the software has been exported there. Therefore, criminal liability would not apply to the act of posting. We recommend that you perform IP checking and deny downloads to known embargoed countries. This due diligence also would provide a defense to a claim of civil liability. If you find out that your software has been downloaded to a prohibited destination, then I recommend that you block future downloads to that specific site unless and until you obtain a license from BXA.

    This is the second time I've seen this "recommendation" come out of a legal organization, in almost exactly the same wording no less. I've got to believe therefore that they are pulling it from some other source, such as an official regulation or other document.

    Does anyone have such a list though? Can anyone provide a copy of it? Is it even technically possible to generate? In real time, or even close? I mean sure, it's technically trivial to implement this blocking, just a few iptables/ipchains commands, or some entries in the firewall's firmware... but I think getting that list to begin with is nearly impossible. How do you know where the other end of the phone line that is dialed into some modem bank on the other side of the net is?

    In the last instance that I saw this (an external server at work) corporate legal was threatening to pull the plug if the admins didn't provide proof they were doing this. After much head scratching and searching the net my suggested response was that they would be happy to implement this just as soon as the legal department provided them with such a list.

    I'm told they never heard back from legal on that topic.
    1. Re:IP address based restrictions by Waffle+Iron · · Score: 5, Funny
      I sleep better at night knowing that through the tireless diligence of webmasters all over the world, running millions of reverse IP lookups every day, there is probably not a single copy of ssh available in any of those countries. Kudos to all those who participate in this grand, impenetrable virtual fortress.

      This achievement is a real testament to the vision and wisdom of our leaders.

    2. Re:IP address based restrictions by fferreres · · Score: 4, Informative

      No reverse lookups needed. There are publicly available IP mappings databases. If the IP has been assigned to a banned country, then it IS in the list.

      I suggest the debian maintainers should check at LEAST this site.

      http://caida.org

      If you want to test-drive the accuracy of the mappings, why not check if it works fine for your connection. Just insert your IP number and go!:

      http://netgeo.caida.org/perl/netgeo.cgi?target=&method=getCountry&nonblocking=true

      --
      unfinished: (adj.)
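The IP-checking the lawyer recommends (and the "where do you get the list" objection above) can be made concrete with a small lookup. This is an added example, not code from Debian or from any poster here; the prefix table, the country codes and the log lines are constructed, and the embargoed set is a hypothetical placeholder standing in for whatever legal actually supplies. An address that no prefix covers is reported as unknown rather than silently allowed, since that is exactly the gap the mapping cannot close.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample of an IP-to-country mapping (hypothetical prefixes and
# country codes). A real mirror would load a published mapping database.
IP_COUNTRY_TABLE = [
    ("203.0.113.0/24", "XA"),
    ("198.51.100.0/24", "XB"),
    ("198.51.100.128/25", "XC"),   # more specific sub-range, different country
    ("192.0.2.0/24", "XD"),
]

# Hypothetical embargoed-country codes; the real set comes from legal counsel.
EMBARGOED = {"XB"}

# Longest prefix first, so the /25 above wins over its enclosing /24.
_NETWORKS = sorted(
    ((ipaddress.ip_network(cidr), cc) for cidr, cc in IP_COUNTRY_TABLE),
    key=lambda item: item[0].prefixlen, reverse=True,
)


def lookup_country(ip: str) -> Optional[str]:
    """Country code of the most specific prefix covering ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETWORKS:
        if addr.version == net.version and addr in net:
            return cc
    return None


def download_decision(ip: str) -> str:
    """Classify a client address as 'allow', 'deny' or 'unknown'."""
    cc = lookup_country(ip)
    if cc is None:
        return "unknown"      # unmapped: log it, do not assume it is fine
    return "deny" if cc in EMBARGOED else "allow"


# Constructed access-log excerpt in common log format (first field is the client IP).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Mar/2002:10:00:00 +0000] "GET /pool/main/o/openssh/openssh.deb HTTP/1.0" 200 512000
198.51.100.5 - - [08/Mar/2002:10:00:01 +0000] "GET /pool/main/o/openssl/openssl.deb HTTP/1.0" 200 256000
10.0.0.1 - - [08/Mar/2002:10:00:02 +0000] "GET /README HTTP/1.0" 200 1024
"""


def audit_log(text: str) -> List[Tuple[str, str]]:
    """Apply download_decision to every client IP in an access log."""
    return [(ln.split()[0], download_decision(ln.split()[0]))
            for ln in text.splitlines() if ln.strip()]
```

Run over the log after the fact, the "deny" and "unknown" rows are the ones a mirror admin would review; the same decision function could gate the download itself.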
  5. Money is spent on being sneaky... by Futurepower(tm) · · Score: 5, Insightful
    It amazes me that the U.S. government has done as much as it can to try to outlaw privacy. To me, it seems that things are out of control in some parts of the U.S. government. The U.S. spends more on surveillance of everyone everywhere than any country ever has in the history of the world. Money is spent on being sneaky, rather than on making good relationships.

    It is futile to try to avoid the export of software, particularly when having it is legal in other countries. Yet taxpayer money is spent on this. The U.S. government, in my opinion, should not try to control the entire world.

    More on the extremes of U.S. government policy: What should be the Response to Violence?

    --
    Bush's education improvements were
  6. This is just a bad idea. by njdj · · Score: 4, Informative

    For the Debian end user, getting stuff like OpenSSH has been very easy, contrary to what some posters have said. There is little or no benefit for most end users in this change; and a huge increase in trouble and inconvenience for some end users, who happen to be citizens or residents of a country like Cuba that the Bush regime doesn't currently like.

    US crypto regulations are not only a nuisance, they're also volatile. "Things are getting better", we hear. Bullshit. Things are changing unpredictably. Few people (and certainly no software developers) have any idea what US policy will be next year.

    The only sensible policy is to keep the crypto archive in a country that has never had export regulations for crypto software (there are many).

  7. Re:no real effect by Ray+Dassen · · Score: 4, Informative

    Unless I am missing something, this won't have any real effect on end users.

    It will have benefits for end users, though probably not highly visible ones.

    Cryptographic software packaged for Debian is available (and has been for a long time already) through non-us.debian.org, but crypto-in-main will make further integration of crypto possible. A number of packages in main will get enhanced functionality once crypto is in main. E.g. CVS can start supporting Kerberos for authentication.

    The functionality enhancements made possible by crypto-in-main are not limited to the direct benefits of crypto, as I can illustrate with the Gnumeric package. The Gnumeric spreadsheet can be built to be able to fetch data from databases using GDA, the GNU Data Access library. Currently the Debian package is not built with GDA support. The reason for this is that Debian's GDA packages are on non-US (because their source package requires the PostgreSQL development package; PostgreSQL is on non-US as it is built with SSL support). Once we have crypto-in-main, I can build Gnumeric packages that have GDA support (probably in a separate plugin package).