[pycrypto] Policy changes - Now accepting patches from the U.S.
Dwayne C. Litzenberger
dlitz at dlitz.net
Tue Nov 30 18:06:22 CST 2010
On Tue, Nov 30, 2010 at 11:06:58AM -0500, Paul Koning wrote:
>Indeed it's a limitation. I remember the exact same issue in the days of
>the FreeSWAN project (which was also Canada-based, and had a strict "no US
>contributions" policy that was not relaxed).
Does anybody actually still use FreeS/WAN?
On the other hand, other large projects, like Debian, Ubuntu, Mozilla,
etc., have integrated crypto into their main distributions. If the people
in the Canadian or U.S. government(s) do something stupid with crypto
export laws, it's not just going to be PyCrypto that's affected.
>50%? I must admit that it's a while since I seriously studied the rules.
>So I did some reading. There are definitions of what fraction is "de
>minimis" ("too small to matter") -- the one that appears to apply is 10%.
>And there are some conditions where *any* contribution is enough to
>matter; I did not analyze all the specifics. (If you want to do the
>reading, see section 734 of the US export regulations.)
Oh, I don't know; you're probably right. One of the painful things about
this is that I don't have an international traffic-in-arms lawyer on
>> As for the actual regulations, from my perspective, the current Canadian
>> and American rules aren't that different from each other, as far as
>> software "in the public domain" is concerned. Both countries maintain
>> lists of countries that you can't deliberately export to, and the US
>> additionally requires a one-time "TSU NOTIFICATION" email.
>One consideration is that you may be traveling down a one way road. Once
>you take this step you can't go back. While today's regulations may make
>that tolerable, tomorrow's may not be so benign. The export rules are
>subject to random change at any time, without any rational process
I agree; that was the reason that I implemented the no-US-origin policy in
the first place. However, I'm tired of turning down good patches from
people, while not getting patches from outside the US. At the current
rate, Python 3.x support is never going to happen. *Something* needs to
You talk about rational processes... *Legislation* is also subject to
random change at any time, without any rational process involved. Look
at what's happening with copyright. Look at how effectively we're
dealing with global warming. Look at software patents, the DMCA,
Australian wiretap laws, airport security.
In democratic countries, the laws are only going to be rational if the
people are, so people need to be taught how to think rationally---heck,
even to *value* thinking rationally. Every minute I spend not worrying
about where patches come from is a minute that I can spend helping
organizations like CFI, EFF, ACLU, RDFRS, and JREF to promote rational,
If you want to put together a group of non-US people who will actually
contribute patches of suitable quality, then I'll do what I can to help
you. My offer to hand over control of PyCrypto to somebody else still
In other words, I agree, but show me the code.
Dwayne C. Litzenberger <dlitz at dlitz.net>
OpenPGP: 19E1 1FE8 B3CF F273 ED17 4A24 928C EC13 39C2 5CF7