Re: Crypto and export laws
Austin Bingham wrote:
> I'm trying to get a handle on how python intersects with crypto-related
> export control laws in the US and elsewhere. My current understanding,
> per the PSF's wiki, is that any crypto related and potentially
> export-sensitive code is in the ssl wrapper, and that, in fact, this
> only links to the actual encryption implementation (presumably libssl
> or something.) One caveat is that windows installations may include the
> ssl implementation.
>
> Does this effectively sum up python's exposure to export laws? On a
> technical level, does removing the ssl module from a distribution
> remove all references to encryption? Of course I'm not asking for
> actual legal advice, but can anyone think of any other part of the code
> that might run afoul of export rules?
>
> Thanks.

Here's a summary:

* Python uses OpenSSL in the ssl module and the hashlib module.
* hashlib falls back to its own implementations of the md5 and sha algorithms.
* ssl doesn't work without OpenSSL installed on the system.
* The Windows installer of Python ships with the OpenSSL libs.
* The only Python module that actually contained crypto code was the rotor module (implementing an enigma-style cipher), but that was removed a long time ago.

Depending on how close a country follows the Wassenaar Arrangement (http://www.wassenaar.org/) OpenSSL, Python and all other open-source software falls under the GENERAL SOFTWARE NOTE part 2.:

    The Lists do not control software which is either:
    1. ...
    2. In the public domain.

If you're shipping a closed-source product that includes OpenSSL, then you'd have to follow the rules in category 5 part 2 of the dual-use list:

    http://www.wassenaar.org/publicdocuments/index_CL.html

However, some countries add some extra requirements to the WA dual-use list, so you need to check those as well.

--
Marc-Andre Lemburg
eGenix.com (#1, Sep 25 2009)
--
http://mail.python.org/mailman/listinfo/python-list
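
An added example (not part of the original post and not CPython's own tooling) for checking the summary above against a given interpreter: it lists which OpenSSL-backed modules and which built-in hash fallbacks are present, and what is left once `_ssl` is removed. The two module-name lists are assumptions based on current CPython 3 naming and differ between versions.

```python
import importlib.util

# Assumed candidate names (not from the original post). CPython's C-level
# crypto modules; names vary by version (_sha256/_sha512 became _sha2 in 3.12).
OPENSSL_BACKED = ("_ssl", "_hashlib")
BUILTIN_FALLBACKS = ("_md5", "_sha1", "_sha256", "_sha512", "_sha2", "_sha3", "_blake2")


def locate(name, find_spec=importlib.util.find_spec):
    """Return the origin of a module (file path or 'built-in'), or None if absent."""
    try:
        spec = find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None:
        return None
    return spec.origin or "built-in"


def crypto_inventory(find_spec=importlib.util.find_spec):
    """Map every crypto module that is present to a (kind, origin) pair."""
    found = {}
    for kind, names in (("openssl", OPENSSL_BACKED), ("fallback", BUILTIN_FALLBACKS)):
        for name in names:
            origin = locate(name, find_spec)
            if origin is not None:
                found[name] = (kind, origin)
    return found


def still_ships_crypto(inventory, removed=("_ssl",)):
    """Crypto modules that remain after deleting `removed` from a distribution."""
    return sorted(name for name in inventory if name not in removed)


if __name__ == "__main__":
    inv = crypto_inventory()
    for name, (kind, origin) in sorted(inv.items()):
        print(f"{name:10} {kind:9} {origin}")
    print("left after removing ssl:", still_ships_crypto(inv))
```

A module reported as `openssl` with a file-path origin is an extension linked against the OpenSSL libraries; the `fallback` entries are the hash implementations hashlib uses when OpenSSL is not available.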
Re: Crypto and export laws
M.-A. Lemburg m...@egenix.com (M-L) wrote:

M-L> Depending on how close a country follows the Wassenaar
M-L> Arrangement (http://www.wassenaar.org/) OpenSSL, Python
M-L> and all other open-source software falls under the
M-L> GENERAL SOFTWARE NOTE part 2.:
M-L>
M-L> The Lists do not control software which is either:
M-L> 1. ...
M-L> 2. In the public domain.
M-L>
M-L> If you're shipping a closed-source product that includes
M-L> OpenSSL, then you'd have to follow the rules in category 5
M-L> part 2 of the dual-use list:
M-L> http://www.wassenaar.org/publicdocuments/index_CL.html

But Python is not in the public domain. Open source != public domain. Public domain means there is no copyright and no license attached to it, AFAIK.

--
Piet van Oostrum p...@cs.uu.nl
URL: http://pietvanoostrum.com [PGP 8DAE142BE17999C4]
Private email: p...@vanoostrum.org
Re: Crypto and export laws
Piet van Oostrum wrote:
> M.-A. Lemburg m...@egenix.com (M-L) wrote:
> [ ... ]
> M-L> The Lists do not control software which is either:
> M-L> 1. ...
> M-L> 2. In the public domain.
> [ ... ]
> But Python is not in the public domain. Open source != public domain.
> Public domain means there is no copyright and no license attached to it,
> AFAIK.

I believe that public domain has different meanings in copyright law and in crypto law. In crypto law I think it means generally available, in that it's silly to impose import or export restrictions on something that's already obtainable everywhere.

Mel.
Re: Crypto and export laws
Ben Finney ben+pyt...@benfinney.id.au (BF) wrote:

BF> Piet van Oostrum p...@cs.uu.nl writes:
>> But Python is not in the public domain. Open source != public domain.

BF> One always needs to be aware of what bizarro-world definitions these
BF> legalese documents are using for terms we might normally understand.

BF> However, in this case it seems fairly sane and :

BF>     GTN    In the public domain
BF>     GSN    This means technology or software which has been made available
BF>     ML 22  without restrictions upon its further dissemination.

BF> URL:http://74.125.153.132/search?q=cache:t8kUZpvsUncJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/16%2520-%2520WA-LIST%2520(08)%25201%2520-%2520DEF.doc+%22definitions+of+terms+used+in+these+lists%22cd=1hl=enct=clnkie=UTF-8

Yes, I found that a few minutes ago, in between my cooking preparations :=)

>> Public domain means there is no copyright and no license attached to it,
>> AFAIK.

BF> More accurately, it generally refers to a work with no copyright holder
BF> and hence no license *needed* by anyone to perform acts normally
BF> reserved to a copyright holder.

BF> So free software still held under copyright is not “in the public
BF> domain” by the above definition.

BF> In any case, the part that seems to apply clearly to Python is this one:

BF>     GENERAL SOFTWARE NOTE
BF>     The Lists do not control software which is either:
BF>     1. Generally available to the public by being:
BF>        a. Sold from stock at retail selling points without restriction,
BF>           by means of:
BF>           1. Over-the-counter transactions;
BF>           2. Mail order transactions;
BF>           3. Electronic transactions; or
BF>           4. Telephone call transactions; and
BF>        b. Designed for installation by the user without further
BF>           substantial support by the supplier;

BF> URL:http://74.125.153.132/search?q=cache:oUPbVxp4coMJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/02%2520-%2520WA-LIST%2520(08)%25201%2520-%2520GTN%2520and%2520GSN.doc+general+note+softwarecd=1hl=enct=clnkie=UTF-8

BF> Python is certainly generally available, by being sold as described
BF> above (as well as other means), and with no further substantial support
BF> from the supplier.

BUT: then it continues to state that the above does not apply to cryptographic software. At least that's how I interpret the following sentence:

    Note Entry 1 of the General Software Note does not release software
    controlled by Category 5 - Part 2 (Information Security).

except that Category 5 - Part 2 makes some exceptions.

BF> So AFAICT, the Wassenaar Arrangement on export controls explicitly
BF> excludes Python (and most widely-sold free software) by the “generally
BF> available to the public by being sold from stock at retail” definition.

I had heard of the WA before (if only because I live in the same country) but never looked into it. So does this mean that the export of crypto software (with the exceptions above) is not allowed from European countries either? I.e. that we in Europe have been infected with these stupid USA export laws, maybe in a milder form?

--
Piet van Oostrum p...@cs.uu.nl
URL: http://pietvanoostrum.com [PGP 8DAE142BE17999C4]
Private email: p...@vanoostrum.org
Re: Crypto and export laws
Piet van Oostrum p...@cs.uu.nl writes:
> But Python is not in the public domain. Open source != public domain.

One always needs to be aware of what bizarro-world definitions these legalese documents are using for terms we might normally understand.

However, in this case it seems fairly sane and :

    GTN    In the public domain
    GSN    This means technology or software which has been made available
    ML 22  without restrictions upon its further dissemination.

URL:http://74.125.153.132/search?q=cache:t8kUZpvsUncJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/16%2520-%2520WA-LIST%2520(08)%25201%2520-%2520DEF.doc+%22definitions+of+terms+used+in+these+lists%22cd=1hl=enct=clnkie=UTF-8

> Public domain means there is no copyright and no license attached to it,
> AFAIK.

More accurately, it generally refers to a work with no copyright holder and hence no license *needed* by anyone to perform acts normally reserved to a copyright holder.

So free software still held under copyright is not “in the public domain” by the above definition.

In any case, the part that seems to apply clearly to Python is this one:

    GENERAL SOFTWARE NOTE
    The Lists do not control software which is either:
    1. Generally available to the public by being:
       a. Sold from stock at retail selling points without restriction,
          by means of:
          1. Over-the-counter transactions;
          2. Mail order transactions;
          3. Electronic transactions; or
          4. Telephone call transactions; and
       b. Designed for installation by the user without further
          substantial support by the supplier;

URL:http://74.125.153.132/search?q=cache:oUPbVxp4coMJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/02%2520-%2520WA-LIST%2520(08)%25201%2520-%2520GTN%2520and%2520GSN.doc+general+note+softwarecd=1hl=enct=clnkie=UTF-8

Python is certainly generally available, by being sold as described above (as well as other means), and with no further substantial support from the supplier.

So AFAICT, the Wassenaar Arrangement on export controls explicitly excludes Python (and most widely-sold free software) by the “generally available to the public by being sold from stock at retail” definition.

--
“What you have become is the price you paid to get what you used to want.” —Mignon McLaughlin
Ben Finney
Re: Crypto and export laws
Piet van Oostrum wrote:
> M.-A. Lemburg m...@egenix.com (M-L) wrote:
>
> M-L> Depending on how close a country follows the Wassenaar
> M-L> Arrangement (http://www.wassenaar.org/) OpenSSL, Python
> M-L> and all other open-source software falls under the
> M-L> GENERAL SOFTWARE NOTE part 2.:
> M-L>
> M-L> The Lists do not control software which is either:
> M-L> 1. ...
> M-L> 2. In the public domain.
> M-L>
> M-L> If you're shipping a closed-source product that includes
> M-L> OpenSSL, then you'd have to follow the rules in category 5
> M-L> part 2 of the dual-use list:
> M-L> http://www.wassenaar.org/publicdocuments/index_CL.html
>
> But Python is not in the public domain. Open source != public domain.
> Public domain means there is no copyright and no license attached to it,
> AFAIK.

As already mentioned in the thread, the "in the public domain" phrase in the WA list refers to anything that is available to anyone without restrictions to dissemination, e.g. open-source software, freeware, etc.

For things you sell, the more restrictive cat. 5 part 2 note applies if you ship crypto code.

--
Marc-Andre Lemburg
eGenix.com