1. Forum
  2. Usenet
  3. LINUX.DEBIAN.PROJECT

  • several questions /Debian Source Code build 11.3/related to Unrestricte

    From =?UTF-8?B?0JXQutCw0YLQtdGA0LjQvdCwI@21:1/5 to All on Wed Apr 13 16:00:01 2022
    Good afternoon!



    We are planning to use Debian Source Code build 11.3 (the “Software”) in Russia and have several questions related to Unrestricted Encryption Source Code Notification Commodity ( https://www.debian.org/legal/notificationforarchive, “Notification”) and export restrictions of the US Export Control Act ("EAR").



    In your Notification you mention that Debian is free access code
    (accordingly we suppose that it can be EAR99 or Not subject to EAR). At the same time you refer to the exception TSU specified in Part 740.13 EAR
    (however, paragraph e(1) is missing in the text we saw https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740/section-740.13).
    You also refer to the cryptography functionality thank can trigger
    exception ENC as well



    Accordingly we would like to know whether:

    (1) the Software can be freely distributed, including in Russia, due to
    being EAR99 or Not subject to EAR

    (2) the Software is subject to other ECCN (please specify, which one) and
    can be distributed only subject to exceptions (TSU, ENC or other - please specify)



    Thank you

    <div dir="ltr"><div class="gmail_default" style="font-family:comic sans ms,sans-serif;color:#330099"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-
    family:Arial,sans-serif;color:rgb(31,73,125)">Good afternoon!</span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">We are planning to use
    Debian Source Code build 11.3 (the “Software”) in Russia and have several questions related to Unrestricted Encryption Source Code Notification Commodity (<a href="https://www.debian.org/legal/notificationforarchive" style="color:blue">https://www.debian.org/legal/notificationforarchive</a>,
    “Notification”) and export restrictions of the US Export Control Act (&quot;EAR&quot;).</span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">In your Notification you
    mention that Debian is free access code (accordingly we suppose that it can be EAR99 or Not subject to EAR). At the same time you refer to the exception TSU specified in Part 740.13 EAR (however, paragraph e(1) is missing in the text we saw </span><span style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"><a href="https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740/section-740.13" style="color:blue"><span lang="EN-US">https://www.ecfr.
    gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740/section-740.13</span></a></span><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">). You also refer to the
    cryptography functionality thank can trigger exception ENC as well </span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)"> </span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">Accordingly we would like
    to know whether:</span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 71.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">(1)<span style="font-variant-numeric:normal;font-variant-
    east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:&quot;Times New Roman&quot;">  
    </span></span><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">the Software can be freely distributed, including
    in Russia, due to being EAR99 or Not subject to EAR</span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 71.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">(2)<span style="font-variant-numeric:normal;font-variant-
    east-asian:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:&quot;Times New Roman&quot;">  
    </span></span><span lang="EN-US" style="font-size:10pt;font-family:Arial,sans-serif;color:rgb(31,73,125)">the Software is subject to other ECCN (please
    specify, which one) and can be distributed only subject to exceptions (TSU, ENC or other - please specify)</span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="color:rgb(31,73,125)"> </span></p>

    <p class="MsoNormal" style="margin:0cm 0cm 0.0001pt 35.4pt;font-size:11pt;font-family:Calibri,sans-serif"><span lang="EN-US" style="color:rgb(31,73,125)">Thank
    you</span></p></div></div>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew M.A. Cater@21:1/5 to All on Wed Apr 13 16:20:01 2022
    On Wed, Apr 13, 2022 at 04:44:02PM +0300, Екатерина Лапшина wrote:
    Good afternoon!



    Good afternoon, Ekaterina

    We are planning to use Debian Source Code build 11.3 (the “Software”) in Russia and have several questions related to Unrestricted Encryption Source Code Notification Commodity ( https://www.debian.org/legal/notificationforarchive, “Notification”) and export restrictions of the US Export Control Act ("EAR").



    Only source code: no binaries? The source code requirement is an old one - see below - and effectively disappeared a long time ago.

    This all dates initiallly from 200/2001 - Ben Collins was the Debian Project Leader then.

    The legal opinion then from US lawyers is at https://www.debian.org/legal/cryptoinmain.en.html.

    At one point, we maintained cryptographic software in a separate "non-US" archive. That's not been necessary for approximately 15 or 20 years.


    In your Notification you mention that Debian is free access code
    (accordingly we suppose that it can be EAR99 or Not subject to EAR). At the same time you refer to the exception TSU specified in Part 740.13 EAR (however, paragraph e(1) is missing in the text we saw https://www.ecfr.gov/current/title-15/subtitle-B/chapter-VII/subchapter-C/part-740/section-740.13).
    You also refer to the cryptography functionality thank can trigger
    exception ENC as well


    The review by the NSA went long ago. Debian has treated the code as being exportable worldwide but has not normally accepted new official mirrors in countries subject to US sanctions like Iran, Syria or Cuba.

    I'm unaware of Russian law at the moment: it is possible that import and
    use in Russia would be legitimate under Russian law.


    Accordingly we would like to know whether:

    (1) the Software can be freely distributed, including in Russia, due to being EAR99 or Not subject to EAR


    This appears to be the case, at least de facto.

    (2) the Software is subject to other ECCN (please specify, which one) and can be distributed only subject to exceptions (TSU, ENC or other - please specify)


    Various people have asked about ECCN over the years: it seems that our
    software is acceptable for US export and import. I am NOT a registered lawyer
    - none of this should be taken as legal advice.


    Thank you

    With every good wish, as ever,

    Andy Cater

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Paul Wise@21:1/5 to Andrew M.A. Cater on Thu Apr 14 10:40:01 2022
    On Wed, 2022-04-13 at 14:14 +0000, Andrew M.A. Cater wrote:

    The review by the NSA went long ago. Debian has treated the code as being exportable worldwide but has not normally accepted new official mirrors in countries subject to US sanctions like Iran, Syria or Cuba.

    There has been an official mirror for Iran ftp.ir.debian.org on and off
    since around 2014. The first mirror in Iran seems to have been added to
    the mirror list in 2013. There are currently six different mirrors in
    Iran but no public mirrors in Syria/Cuba in the mirrors list though.

    I'm unaware of Russian law at the moment: it is possible that import and
    use in Russia would be legitimate under Russian law.

    There already are Russian Debian derivatives like Astra Linux, so
    presumably this is fine.

    https://wiki.debian.org/Derivatives/Census/AstraLinux

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEYQsotVz8/kXqG1Y7MRa6Xp/6aaMFAmJX2vAACgkQMRa6Xp/6 aaMvaw/+Ks9B258+ZLD0gMLuHKm3SghvNWnQnQqvVTyUs/D7s5ljeqzbdagEmQnH v1tJqGPiwXiZr/VOA5PITHPE38YQpVH+jlWcbZOI8P4BIR2VjbRVUfqSUuvlg04i 2T6NCCxz0jLYv5tH/j7jQQh/sla15ptiR96oA49oq26v1ppmpx6KrbQDK+eZ0gO6 SLqqOzEXmhrTmrTLxqK5zMOjfx+iBNqgHQaTug02+5iAcVWUyozGdpTZ9I7qSMIS qzACKHG9it0/NDwNVdMmTDUW3/PHN3lw0gHjXFsDoaiJd2f9RCr/RdrR+jxvEtwT nzSSLWexlrlvN9MKXwubrirIQbXGcffd+amvm193nFIe/ORfcNvloMQOMDh2bQGN +4z+gN5rmA2S5q2DEhtSKcbscRMTm5n+uXnGVj3ltFl0B+3rEJBRAMMwU4g0pvyr hxzSEL8BeE0B534UNLRpxrK8ZmM52UcqWBTPn9RhPOQyNypjZ9wxm/l78hDM/L0E h/SFYw7h49hxNZaqrBYe1cmqRDeLQu9JzDngNV8f6KLo3jXjoh5mJeQwgfQdMatk 7LznJUJIIiMkDN9qyEGeaYxZ5SF3nEaGRw+KUk4vuQoRS+WU/zHZDUjG9bLp3UY+ 09+M0oq+bK9czwuuZb6+U0djy6XCVmKvcSy6ggBSs5IkEIBXM60=
    =9wAy
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrew M.A. Cater@21:1/5 to Paul Wise on Thu Apr 14 16:20:01 2022
    On Thu, Apr 14, 2022 at 04:27:28PM +0800, Paul Wise wrote:
    On Wed, 2022-04-13 at 14:14 +0000, Andrew M.A. Cater wrote:

    I'm unaware of Russian law at the moment: it is possible that import and use in Russia would be legitimate under Russian law.

    There already are Russian Debian derivatives like Astra Linux, so
    presumably this is fine.

    https://wiki.debian.org/Derivatives/Census/AstraLinux

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    Ekaterina,

    To follow up to this:

    https://www.debian.org/mirror/list suggests that there are already six
    mirrors within the Russian Federation while one of them is an official
    country top-level mirror of Debian.

    Bandwidth varies: I'd suggest contacting the administrators there
    to see how usable it is. You may also find that a local university
    or higher education institution may have a private Debian mirror.

    ftp.ru.debian.org appears to be at campus.mephi.ru
    [National Research Nuclear University : MEphI] and the
    administrator's email is mirror-private@ut.mephi.ru

    That suggests that there is no particular problem either from
    Debian or from within Russia. Any situation may change but you
    will probably get the best information by talking to Russians using/administering/responsible for Debian systems.

    https://www.debian.org/international/Russian suggests two
    Debian mailing lists. We also appreciate that not all our
    documentation / websites / Wiki pages are translated but https://www.debian.org/index.ru.html may also give you
    useful information in Russian if this is of benefit.

    With every good wish,

    Andrew Cater

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)