On Jun 7, 2006, at 1:30 PM, Colm MacCarthaigh wrote:
  e) people who are in the banned set of countries and people in
  countries that forbid encryption cannot legally download the current
  httpd-2 packages because they include mod_ssl even when it won't be
  used.

I don't see how this can possibly be the case. If crypto code is illegal
locally, then it is illegal locally and people need to figure that out
for themselves.

The point is that they may want to download a web server which doesn't
have that problem, and right now they are limited to 1.3.x.  I consider
Web servers to be something we would want people in those countries
to be able to download without concern.  Freedom of the press.

If a person happens to live in a country which is on
the USA's banned list, there's nothing illegal (purely from their
perspective) about their act of download, US law does not apply to them.

Right, but it does apply to us (and to Ireland as well, AFAIK) if we
encourage people in those countries to download the web server but
do not also provide a non-crypto alternative.

Surely the illegality is that the ASF exports the code to those
countries, and if anyone is answerable to those particular laws it is
any US-based exporter of the code. I just want to be clear about this
distinction, if it's correct.

Mostly.  The banned countries are also banned by the EU (the
anti-terrorism laws), so it isn't as simple as you might think.

And pointing out the fact that this is all just a stupid waste
of time doesn't work either, apparently, as the current government
is technologically illiterate.

Or is there a suggestion that the situation invalidates the user's
license? (contracts can be invalidated when a law is broken, but it's
complex stuff).

No, it is strictly an advertising problem placed on the ASF.

I think the best way to accomplish that is to separate mod_ssl into a
subproject that is capable of producing overlay releases for each
release of httpd.

yuck! -1

Okay, let me put it in a different way.  The alternatives are

 1) retain the status quo, forbid distributing ssl binaries, and include
    in our documentation that people in banned countries are not allowed
    to download httpd 2.x.

 2) split the distribution into plain and crypto parts and only have to
    deal with the export controls within the crypto distribution.

 3) delete mod_ssl from httpd

Pick one.

Thoughts?  Anyone have any better ideas?

Is the mere legal registration of the ASF within US borders a solid
stumbling block here? As in, could the situation be remedied by
forbidding US-based distributors? (Similar to what Debian used to do with
its non-US repositories).

The ASF is within US borders and is a US corp.  And, no, whatever it
was that Debian was trying to do is not even remotely sufficient for
the US because it just makes each developer the exporter.

....Roy
