[pycrypto] Policy changes - Now accepting patches from the U.S.

Dwayne C. Litzenberger dlitz at dlitz.net
Tue Nov 30 18:06:22 CST 2010

On Tue, Nov 30, 2010 at 11:06:58AM -0500, Paul Koning wrote:
>Indeed it's a limitation.  I remember the exact same issue in the days of 
>the FreeSWAN project (which was also Canada-based, and had a strict "no US 
>contributions" policy that was not relaxed).

Does anybody actually still use FreeS/WAN?

On the other hand, other large projects, like Debian, Ubuntu, Mozilla, 
etc., have integrated crypto into their main distributions.  If the people 
in the Canadian or U.S. government(s) do something stupid with crypto 
export laws, it's not just going to be PyCrypto that's affected.

>50%?  I must admit that it's a while since I seriously studied the rules.  
>So I did some reading.  There are definitions of what fraction is "de 
>minimis" ("too small to matter") -- the one that appears to apply is 10%.  
>And there are some conditions where *any* contribution is enough to 
>matter; I did not analyze all the specifics. (If you want to do the 
>reading, see section 734 of the US export regulations.)

Oh, I don't know; you're probably right.  One of the painful things about 
this is that I don't have an international traffic-in-arms lawyer on 

>> As for the actual regulations, from my perspective, the current Canadian 
>> and American rules aren't that different from each other, as far as 
>> software "in the public domain" are concerned.  Both countries maintain 
>> lists of countries that you can't deliberately export to, and the US 
>> additionally requires a one-time "TSU NOTIFICATION" email.
>One consideration is that you may be traveling down a one way road.  Once 
>you take this step you can't go back.  While today's regulations may make 
>that tolerable, tomorrow's may not be so benign.  The export rules are 
>subject to random change at any time, without any rational process 

I agree; that was the reason that I implemented the no-US-origin policy in 
the first place.  However, I'm tired of turning down good patches from 
people, while not getting patchees from outside the US.  At the current 
rate, Python 3.x support is never going to happen.  *Something* needs to 

     You talk about rational processes... *Legislation* is also subject to 
     random change at any time, without any rational process involved.  Look 
     at what's happening with copyright.  Look at how effectively we're 
     dealing with global warming.  Look at software patents, the DMCA, 
     Australian wiretap laws, airport security.

     In democratic countries, the laws are only going to be rational if the 
     people are, so people need to be taught how to think rationally---heck, 
     even to *value* thinking rationally.  Every minute I spend not worrying 
     about where patches come from is a minute that I can spend helping 
     organizations like CFI, EFF, ACLU, RDFRS, and JREF to promote rational, 
     evidence-based reasoning.

If you want to put together a group of non-US people who will actually 
contribute patches of suitable quality, then I'll do what I can to help 
you.  My offer to hand over control of PyCrypto to somebody else still 

In other words, I agree, but show me the code.

- Dwayne

Dwayne C. Litzenberger <dlitz at dlitz.net>
  OpenPGP: 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7

[1] http://lists.dlitz.net/pipermail/pycrypto/2010q4/000280.html

More information about the pycrypto mailing list