As I understand it, software which links with crypto libs must (still) be uploaded to non-US. I have packaged the ARIS Extractor from SecurityFocus, which links with libcurl to perform an HTTPS POST request. Though it seems to run fine with non-SSL libcurl, it cannot fulfill its intended purpose without SSL support.
Should I: 1. Leave the dependencies as determined by the shlibs file from libcurl, which says that either libcurl or libcurl-ssl is OK, and upload to main. There is nothing in ARIS Extractor which could even be considered a hook to something definitively cryptographic, so this should be legal, yes? Of course, the software would not be useful without libcurl-ssl, and that is undesirable. 2. Depend on libcurl-ssl only and upload to non-US. Is this legal? (I am in the US, but ARIS Extractor contains no crypto) 3. Hand off the package to someone in the free world ? -- - mdz
