Policy says of uploading to non-US: "This applies only to packages which contain cryptographic code. A package containing a program with an interface to a cryptographic program or a program that's dynamically linked against a cryptographic library should not be distributed via the non-US server if it is capable of running without the cryptographic library or program."
In this case, the program is literally capable of running without the cryptographic library or program, but will have significantly reduced functionality (its primary function, uploading its reports, is broken). Does this program need to go in non-US, and if so, is it legal for me to upload it there? ----- Forwarded message from Matt Zimmerman <[EMAIL PROTECTED]> ----- Date: Sat, 26 Jan 2002 18:05:33 -0500 From: Matt Zimmerman <[EMAIL PROTECTED]> Resent-From: debian-devel@lists.debian.org To: debian-devel@lists.debian.org Subject: Depending on non-US libs As I understand it, software which links with crypto libs must (still) be uploaded to non-US. I have packaged the ARIS Extractor from SecurityFocus, which links with libcurl to perform an HTTPS POST request. Though it seems to run fine with non-SSL libcurl, it cannot fulfill its intended purpose without SSL support. Should I: 1. Leave the dependencies as determined by the shlibs file from libcurl, which says that either libcurl or libcurl-ssl is OK, and upload to main. There is nothing in ARIS Extractor which could even be considered a hook to something definitively cryptographic, so this should be legal, yes? Of course, the software would not be useful without libcurl-ssl, and that is undesirable. 2. Depend on libcurl-ssl only and upload to non-US. Is this legal? (I am in the US, but ARIS Extractor contains no crypto) 3. Hand off the package to someone in the free world ? -- - mdz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] ----- End forwarded message ----- -- - mdz
