[pycrypto] Policy changes - Now accepting patches from the U.S.

Dwayne C. Litzenberger dlitz at dlitz.net
Tue Nov 30 07:08:37 CST 2010

On Tue, Nov 30, 2010 at 06:49:17AM -0500, Paul Koning wrote:
>In this case, it seems to me you're changing PyCrypto from a project that 
>is NOT "subject to the EAL" (the U.S. Export regulations) to one that is.  
>Are you sure you want to do that?

No, I'm not sure, really.  All of your concerns are valid.

However, PyCrypto is stagnating, and I think it's partly due to the 
no-US-origin policy that I had adopted.  Instead of having a lot of people 
contributing to PyCrypto, we have a lot of people asking for things on the 
mailing list, but not contributing because I've told them that they can't.
If PyCrypto had been getting the contributions it needs from outside the 
US, I would have maintained the old policy.

Also, I've always *acted* as if the US rules applied to PyCrypto, even 
though I strongly suspect that they don't, because I've never been sure 
enough about it to be confident in completely ignoring the US rules.  This 
has put me into the bizarre situation of following the US rules, but not 
accepting US contributions.

In any case, there's no reason to panic.  Because of the way the 
regulations work, the US rules don't automatically apply just because there 
are 10 lines of US-origin code in PyCrypto.  It's some weird rule like 
"over 50% of the value of the export", so if the people who are concerned 
about this policy change can garner the necessary non-US contributions so 
that they clearly overwhelm US contributions, please do so.  It shouldn't 
be impossible: there have been very, very few people contributing to 
PyCrypto lately.  (Thank you to those people!)

As for the actual regulations, from my perspective, the current Canadian 
and American rules aren't that different from each other, as far as 
software "in the public domain" are concerned.  Both countries maintain 
lists of countries that you can't deliberately export to, and the US 
additionally requires a one-time "TSU NOTIFICATION" email.

Sigh.  I just wish crypto would get dropped from Wassenaar so that we could 
stop having these useless converations.  I can dream...

- Dwayne

Dwayne C. Litzenberger <dlitz at dlitz.net>
  OpenPGP: 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7

More information about the pycrypto mailing list