So addressing only the crypto software issue and with the caveat that I am also not a lawyer but I have had to deal with certain aspects of this in the past....
Crypto software is one of those bizarre dual use items in terms of arms imports and exports. While we as geeks just think of this is software or mathematics and might be confused as to why governments care, governments do care deeply about this. And their way of expressing how much they care about this issue is by passing laws and prosecuting folks.
One of the easiest ways to get in trouble is for one to make the software available to residents and/or citizens of certain countries as well as available to people on a long list kept by different governments. We can have a long debate about the morality of this concept but those who make the laws have decided that is the law. And often these laws are crafted such that the executive can change important details on short notice and that puts the risk of prosecution at the whims of different world leaders.
The license that the software is released under is not important.
What Ron is stating is that squeak source supplied some additional protections to prevent accidentally making the software available to folks who the US feels should not have access.
If you have moved the software to another hosting provider without the permission or knowledge of the author, and therefore the owner of the software, you have put that person at additional risk. In addition you and the hosting provider are taking on additional risk.
If it was moved to GitHub I strongly recommend reviewing their policies on trade controls and what risks you assume.
Finally I would strongly recommend talking to a competent legal advisor who is deeply familiar with the details of these laws. They are complex and highly variable between different parts of the world.
I know this seems like a lot of trouble and wasted time but you can spend a giant amount of time and money defending oneself from arms trafficking charges.
Thanks, Bruce. The part about (the possibility that) squeak source is configured to restrict distribution was the missing piece for me. I had previously assumed (hah!) that it would be available to anyone anywhere.
On Sun, May 31, 2020, 10:39 Bruce O'Neel <[hidden email]> wrote:
as Bruce said, regulations around cryptography exports from the US are complex, and controversial. I am afraid that this thread has the potential to confuse the Smalltalk community, and it raises more questions than gives answers (which is fine but where do we go from here?)
I am also not a lawyer, also have dealt with this issue before (on several occasions), and every single time the conversation turns into personal opinions and (almost always) corporate lawyering that will follow a CYA route without properly researching the facts. I hope to provide some information that might clarify this a bit to the best of my understanding.
Cryptography Exports from the US is best described here:
This link will be most relevant to open source software:
The previously cited link at Github (https://help.github.com/en/github/site-policy/github-and-trade-controls) is only partially relevant here, and it’s really important if you want to use the Github Enterprise Server to host your repositories.
The http://www.squeaksource.com/Cryptography/ resource is not blocked for access from export-controlled countries (easily verifiable by using a combination of VPN, Tor and proxychains).
The Squeaksource repository acknowledges on the home page the hosting support provided by the Software Composition Group and University of Bern, based in Switzerland. While the IP of the service itself appears to be in the US state of Texas, WHOIS on the domain reveals that the registrar is http://www.hetzner.com/ which appears to be hosted in Bavaria, Germany. This means that if tomorrow the owner of the domain decides to change the DNS records and host it in another jurisdiction instead, there is no one who can stop them.
The rest is my personal opinion:
If you read the text of the EAR and take into account all other facts, I think that the notion that anyone should get into trouble by copying open source Smalltalk crypto libraries to other repositories is just a pure FUD. This software is open source, it is publicly available including the source code, it is hosted on a domain that is controlled by a non-US entity, and it’s easily accessible in its current form from countries that are currently on the US ‘vorboten’ list.
That said, I won’t discourage anyone from seeking a legal advice but if you do, make sure these points are addressed.
signature.asc (849 bytes) Download Attachment
> On 1 Jun 2020, at 06:39, Jerry Kott <[hidden email]> wrote:
> If you read the text of the EAR and take into account all other facts, I think that the notion that anyone should get into trouble by copying open source Smalltalk crypto libraries to other repositories is just a pure FUD. This software is open source, it is publicly available including the source code, it is hosted on a domain that is controlled by a non-US entity, and it’s easily accessible in its current form from countries that are currently on the US ‘vorboten’ list.
In reply to this post by Bruce O'Neel-2
What I do not like is that people say " group but they keep kicking me out of their mailing list ” when this is absolutely not true!
We can discuss and can argue even violently but we do not lie.
03 59 35 87 52
Assistant: Aurore Dalle
FAX 03 59 57 78 50
TEL 03 59 35 86 16
S. Ducasse - Inria
40, avenue Halley,
Parc Scientifique de la Haute Borne, Bât.A, Park Plaza
Villeneuve d'Ascq 59650
|Free forum by Nabble||Edit this page|