FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Packaging

 
 
LinkBack Thread Tools
 
Old 03-19-2008, 09:48 PM
"Stephen John Smoogen"
 
Default crypto in fedora

On Wed, Mar 19, 2008 at 4:13 PM, Patrice Dumas <pertusus@free.fr> wrote:
> Hello,
>
> Recently the issue of crypto and crypto export in fedora/EPEL was raised
> about beecrypt. This is something that has never been discussed as far
> as I remember. It should of course be checked with legal.
>
> My question is, does crypto software need a specific treatement in
> fedora? (And if yes, what is a crypto software?)
>

As far as I know crypto has always needed special treatment in Fedora.
Most encryption software is considered 'controlled' for export by
several nations (I think United States, France, Russia, China, etc).
What Red Hat has to do is fill out paperwork with the United States
Commerce department whenever new software with encryption is added to
Fedora or RHEL. This paperwork is on file and then allows various
mirrors to get the software though if inside the US they are required
to put up a listing like:

230-Due to U.S. Exports Regulations, all cryptographic software on this
230-site is subject to the following legal notice:
230-
230- This site includes publicly available encryption source code
230- which, together with object code resulting from the compiling of
230- publicly available source code, may be exported from the United
230- States under License Exception "TSU" pursuant to 15 C.F.R. Section
230- 740.13(e).
230-
230-This legal notice applies to cryptographic software only. Please see
230-the Bureau of Export Administration (http://www.bxa.doc.gov/) for more
230-information about current U.S. regulations.

like mirrors.kernel.org. I have been told that similar rules are in
place for other countries dealing with encryption.






--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 
Old 03-20-2008, 08:23 AM
Patrice Dumas
 
Default crypto in fedora

On Wed, Mar 19, 2008 at 04:48:52PM -0600, Stephen John Smoogen wrote:
> On Wed, Mar 19, 2008 at 4:13 PM, Patrice Dumas <pertusus@free.fr> wrote:
> > Hello,
> >
> > Recently the issue of crypto and crypto export in fedora/EPEL was raised
> > about beecrypt. This is something that has never been discussed as far
> > as I remember. It should of course be checked with legal.
> >
> > My question is, does crypto software need a specific treatement in
> > fedora? (And if yes, what is a crypto software?)
> >
>
> As far as I know crypto has always needed special treatment in Fedora.
> Most encryption software is considered 'controlled' for export by
> several nations (I think United States, France, Russia, China, etc).
> What Red Hat has to do is fill out paperwork with the United States
> Commerce department whenever new software with encryption is added to
> Fedora or RHEL.

Then we have to register crypto packages somewhere such that the people
in charge can do the paperwork, isn't it? Don't we need a guideline
here?

--
Pat

--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 
Old 03-20-2008, 10:47 AM
Jesse Keating
 
Default crypto in fedora

On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
> Then we have to register crypto packages somewhere such that the people
> in charge can do the paperwork, isn't it? Don't we need a guideline
> here?

I actually need to prep a guideline that has all packages with crypto
technology block FE-LEGAL (if that's still the alias). We'll use that
to get an audit of the code to make sure its either not new crypto, or
if it is, alert the appropriate people for export filings.

--
Jesse Keating
Fedora -- All my bits are free, are yours?
--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 
Old 03-20-2008, 11:00 AM
Patrice Dumas
 
Default crypto in fedora

On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
> On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
> > Then we have to register crypto packages somewhere such that the people
> > in charge can do the paperwork, isn't it? Don't we need a guideline
> > here?
>
> I actually need to prep a guideline that has all packages with crypto
> technology block FE-LEGAL (if that's still the alias). We'll use that
> to get an audit of the code to make sure its either not new crypto, or
> if it is, alert the appropriate people for export filings.

Looks good.

There are other questions that should be answered, however, in my opinion
(with external sources of information if possible, no need to be fedora
centric).

What is the criteria for being a crypto technology? It is easy to spot
many packages that are not crypto, but for others it is not very clear
to me. For example at which point a math library becomes a crypto
library? And what about an applicatin that compute hashes? Also does the
registration need to be done each time there is a new release or once
for all?

--
Pat

--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 
Old 03-20-2008, 01:39 PM
Jesse Keating
 
Default crypto in fedora

On Thu, 2008-03-20 at 13:00 +0100, Patrice Dumas wrote:
> Looks good.
>
> There are other questions that should be answered, however, in my opinion
> (with external sources of information if possible, no need to be fedora
> centric).
>
> What is the criteria for being a crypto technology? It is easy to spot
> many packages that are not crypto, but for others it is not very clear
> to me. For example at which point a math library becomes a crypto
> library? And what about an applicatin that compute hashes? Also does the
> registration need to be done each time there is a new release or once
> for all?

These are all good questions, and we need to get Steve Grubb plugged in
here to answer some of these.

--
Jesse Keating
Fedora -- All my bits are free, are yours?
--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 
Old 03-20-2008, 02:00 PM
Rex Dieter
 
Default crypto in fedora

Richard W.M. Jones wrote:


Hate to be difficult, but what about a package like ocaml-cryptokit
which originates outside the US?


irrelevant, I think. What matters (most) is who's distributing the
crypto binaries and from where => fedora, USA


-- Rex

--
Fedora-packaging mailing list
Fedora-packaging@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-packaging
 

Thread Tools




All times are GMT. The time now is 06:37 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org