On Mon, 18 Apr 2016, Mojca Miklavec wrote:
> This seems to be a problem for GPG though. Apparently USA export
> restrictions forbid exporting software that does cryptography (and
> some other countries might have import restrictions).
That's largely ancient history.
> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages. On the other hand I have problems
> believing that this problem really cannot be solved ... MacPorts
> apparently solved it.
Even in the days of the draconian export restrictions:

1) Export of *signing* software was permitted. Though since signatures
are basically encrypted hashes, it could get "interesting" to determine
whether a given piece of software complied.

2) Export of encryption software was allowed, provided that it had a
sufficiently limited key size, e.g. 40-bit "export grade" keys.

3) That nonsense was mostly eliminated in 2000. See, e.g.:

http://www.crypto.com/exports/

Nevertheless, the damage lingers. Within the past year, three separate
major exploitable vulnerabilities in OpenSSL have been found, all in
relation to the support for "export grade" keys.

Fred Wright