On Feb 20, 2007, at 10:55 PM, Cliff Schmidt wrote:
+1 to everything above -- although, rather than saying a later notice
needs to be sent out when the encryption functionality changes, I'd
put it as, "a later notice needs to be sent when any information on
the prior notice has changed"...but this would typically only be the
case for changes in manufacturer to some included crypto component.
See http://www.apache.org/dev/crypto.html#faq-additionalemails.

Yep, I oversimplified.

We don't know exactly where the line needs to be drawn, since
the BIS has been very lenient or very overloaded in the
past and never (to my knowledge) taken us to task for doing
it wrong.  Or maybe we always did it right.  Nevertheless, the EAR
is the law as far as the ASF is concerned, and has to be obeyed
even if we think the law is confusing and pointless.

My guess is that ongoing development of source code bits within
subversion qualifies as an open conference, just like our mailing
lists, and thus not subject to the export controls.  It is only

No -- the BIS folks consider open source development in between
releases to be the same as beta releases.  There is a separate license
just for betas, but the TSU one is simpler.  This is why we send the
TSU notification prior to starting to commit encryption code to SVN.
This is also covered in the FAQs:

Ah, rats, I was hoping that it wasn't classified as 5D002 until
the code was in functional form, since that is what the definitions
in 772 and 740 would indicate.  But you are right that what matters
more is what BIS folks consider.

http://www.apache.org/dev/crypto.html#faq-firstnotification
http://www.apache.org/dev/crypto.html#faq-public

If any of these FAQs could be more clear, let me know.

Actually, I think it would be clearer as a step-by-step decision
process rather than a FAQ.  I'm not volunteering any more, though.

...although, speaking of the exports page, I noticed that there is now
software with an ECCN of "EAR99".  I'm not aware of any software we
distribute at Apache that meets this category.  Can anyone tell me
what the rationale is for this?

Umm, my bad -- I read the definition on their summary page and followed
how it was used by other companies.  The definition in section 734

   (c) "Items subject to the EAR" consist of the
   items listed on the Commerce Control List (CCL)
   in part 774 of the EAR and all other items which
   meet the definition of that term.  For ease of
   reference and classification purposes, items
   subject to the EAR which are not listed on the
   CCL are designated as "EAR99."

is more clear.  So, our software would only be EAR99 if it were not
publicly available, since making non-5D002 software publicly
available means the item is not "subject to the EAR", so that is
only a concern for redistributors that distribute modified versions.
Not our problem.  I'll fix the page.  Damn spaghetti regs.

....Roy

