I'm trying to get a handle on how python intersects with
crypto-related export control laws in the US and elsewhere. My current
understanding, per the PSF's wiki, is that any crypto related and
potentially export-sensitive code is in the ssl wrapper, and that, in
fact, this only links to the actual encryption implementation
(presumably libssl or something.) One caveat is that windows
installations may include the ssl implementation.

Does this effectively sum up python's exposure to export laws? On a
technical level, does removing the ssl module from a distribution
remove all references to encryption? Of course I'm not asking for
actual legal advice, but can anyone think of any other part of the
code that might run afoul of export rules? Thanks.

Austin


  • M.-A. Lemburg at Sep 25, 2009 at 8:50 am

    Austin Bingham wrote:
    > I'm trying to get a handle on how python intersects with
    > crypto-related export control laws in the US and elsewhere. My current
    > understanding, per the PSF's wiki, is that any crypto related and
    > potentially export-sensitive code is in the ssl wrapper, and that, in
    > fact, this only links to the actual encryption implementation
    > (presumably libssl or something.) One caveat is that windows
    > installations may include the ssl implementation.
    >
    > Does this effectively sum up python's exposure to export laws? On a
    > technical level, does removing the ssl module from a distribution
    > remove all references to encryption? Of course I'm not asking for
    > actual legal advice, but can anyone think of any other part of the
    > code that might run afoul of export rules? Thanks.

    Here's a summary:

    * Python uses OpenSSL in the ssl module and the hashlib module.

    * hashlib falls back to its own implementations of the md5 and
    sha algorithms.

    * ssl doesn't work without OpenSSL installed on the system.

    * The Windows installer of Python ships with the OpenSSL libs.

    * The only Python module that actually contained crypto code
    was the rotor module (implementing an enigma-style cipher),
    but that was removed a long time ago.

    Depending on how close a country follows the Wassenaar
    Arrangement (http://www.wassenaar.org/) OpenSSL, Python
    and all other open-source software falls under the
    GENERAL SOFTWARE NOTE part 2.:

    """
    The Lists do not control "software" which is either:
    1. ...
    2. "In the public domain".
    """

    If you're shipping a closed-source product that includes
    OpenSSL, then you'd have to follow the rules in category 5
    part 2 of the dual-use list:

    http://www.wassenaar.org/publicdocuments/index_CL.html

    However, some countries add some extra requirements to the
    WA dual-use list, so you need to check those as well.

    --
    Marc-Andre Lemburg
    eGenix.com

    Professional Python Services directly from the Source (#1, Sep 25 2009)
    Python/Zope Consulting and Support ... http://www.egenix.com/
    mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
    mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
    ________________________________________________________________________

    ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


    eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
    Registered at Amtsgericht Duesseldorf: HRB 46611
    http://www.egenix.com/company/contact/
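
The module summary in the post above can be checked against a concrete interpreter. This is an added example, not code from the thread or from the Python project; the module names are assumptions based on current CPython builds (`_ssl` and `_hashlib` link against OpenSSL, the rest are the built-in hash implementations) and vary by version.

```python
"""Inventory of crypto-related modules in the running CPython interpreter."""
import importlib
import importlib.util

# Assumed module names (CPython layout; the exact set differs between versions).
OPENSSL_LINKED = ("_ssl", "_hashlib")  # C extensions linked against OpenSSL
BUILTIN_HASHES = ("_md5", "_sha1", "_sha2", "_sha256", "_sha512",
                  "_sha3", "_blake2")  # hashlib's own fallback implementations


def locate(name):
    """Return where a module would be loaded from, or None if it is absent."""
    try:
        spec = importlib.util.find_spec(name)
    except (ImportError, ValueError):
        return None
    if spec is None:
        return None
    return spec.origin or "namespace"


def crypto_inventory(names=OPENSSL_LINKED + BUILTIN_HASHES):
    """Map each candidate module name to its origin (None when not shipped)."""
    return {name: locate(name) for name in names}


def openssl_version():
    """Return the OpenSSL version string ssl was built against, or None."""
    try:
        ssl = importlib.import_module("ssl")
    except ImportError:
        return None
    return ssl.OPENSSL_VERSION


def report():
    """Build one line per candidate module, preceded by the OpenSSL version."""
    lines = ["OpenSSL: %s" % (openssl_version() or "not available")]
    for name, origin in crypto_inventory().items():
        kind = "OpenSSL-linked" if name in OPENSSL_LINKED else "built-in hash"
        lines.append("%-10s %-15s %s" % (name, kind, origin or "absent"))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against a stripped distribution, an `absent` entry for `_ssl` alongside a present `_hashlib` shows that deleting the `ssl` module alone leaves an OpenSSL-linked extension in place.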
  • Piet van Oostrum at Sep 25, 2009 at 12:27 pm

    "M.-A. Lemburg" (M-L) wrote:
    M-L> Depending on how close a country follows the Wassenaar
    M-L> Arrangement (http://www.wassenaar.org/) OpenSSL, Python
    M-L> and all other open-source software falls under the
    M-L> GENERAL SOFTWARE NOTE part 2.:
    M-L> """
    M-L> The Lists do not control "software" which is either:
    M-L> 1. ...
    M-L> 2. "In the public domain".
    M-L> """
    M-L> If you're shipping a closed-source product that includes
    M-L> OpenSSL, then you'd have to follow the rules in category 5
    M-L> part 2 of the dual-use list:
    M-L> http://www.wassenaar.org/publicdocuments/index_CL.html

    But Python is not in the public domain. Open source != public domain.
    Public domain means there is no copyright and no license attached to it,
    AFAIK.
    --
    Piet van Oostrum <piet at cs.uu.nl>
    URL: http://pietvanoostrum.com [PGP 8DAE142BE17999C4]
    Private email: piet at vanoostrum.org
  • Mel at Sep 25, 2009 at 12:58 pm

    Piet van Oostrum wrote:

    "M.-A. Lemburg" (M-L) wrote:
    [ ... ]
    M-L> """
    M-L> The Lists do not control "software" which is either:
    M-L> 1. ...
    M-L> 2. "In the public domain".
    M-L> """
    [ ... ]
    > But Python is not in the public domain. Open source != public domain.
    > Public domain means there is no copyright and no license attached to it,
    > AFAIK.

    I believe that "public domain" has different meanings in copyright law and
    in crypto law. In crypto law I think it means "generally available", in
    that it's silly to impose import or export restrictions on something that's
    already obtainable everywhere.

    Mel.
  • Ben Finney at Sep 25, 2009 at 1:21 pm

    Piet van Oostrum <piet at cs.uu.nl> writes:

    > But Python is not in the public domain. Open source != public domain.

    One always needs to be aware of what bizarro-world definitions these
    legalese documents are using for terms we might normally understand.
    However, in this case it seems fairly sane and :

    GTN    "In the public domain"
    GSN    This means "technology" or "software" which has been made
    ML 22  available without restrictions upon its further dissemination.

    <URL:http://74.125.153.132/search?q=cache:t8kUZpvsUncJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/16%2520-%2520WA-LIST%2520(08)%25201%2520-%2520DEF.doc+%22definitions+of+terms+used+in+these+lists%22&cd=1&hl=en&ct=clnk&ie=UTF-8>
    > Public domain means there is no copyright and no license attached to
    > it, AFAIK.

    More accurately, it generally refers to a work with no copyright holder
    and hence no license *needed* by anyone to perform acts normally
    reserved to a copyright holder.

    So free software still held under copyright is not "in the public
    domain" by the above definition.


    In any case, the part that seems to apply clearly to Python is this one:

        GENERAL SOFTWARE NOTE

        The Lists do not control "software" which is either:

        1. Generally available to the public by being:
           a. Sold from stock at retail selling points without restriction,
              by means of:
              1. Over-the-counter transactions;
              2. Mail order transactions;
              3. Electronic transactions; or
              4. Telephone call transactions; and
           b. Designed for installation by the user without further
              substantial support by the supplier;

    <URL:http://74.125.153.132/search?q=cache:oUPbVxp4coMJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/02%2520-%2520WA-LIST%2520(08)%25201%2520-%2520GTN%2520and%2520GSN.doc+general+note+software&cd=1&hl=en&ct=clnk&ie=UTF-8>

    Python is certainly generally available, by being sold as described
    above (as well as other means), and with no further substantial support
    from the supplier.

    So AFAICT, the Wassenaar Arrangement on export controls explicitly
    excludes Python (and most widely-sold free software) by the "generally
    available to the public by being sold from stock at retail" definition.

    --
    \ "What you have become is the price you paid to get what you |
    `\ used to want." -Mignon McLaughlin |
    _o__) |
    Ben Finney
  • Piet van Oostrum at Sep 25, 2009 at 1:45 pm

    Ben Finney (BF) wrote:
    BF> Piet van Oostrum <piet at cs.uu.nl> writes:
    > But Python is not in the public domain. Open source != public domain.
    BF> One always needs to be aware of what bizarro-world definitions these
    BF> legalese documents are using for terms we might normally understand.
    BF> However, in this case it seems fairly sane and :
    BF> GTN    "In the public domain"
    BF> GSN    This means "technology" or "software" which has been made
    BF> ML 22  available without restrictions upon its further dissemination.
    BF> <URL:http://74.125.153.132/search?q=cache:t8kUZpvsUncJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/16%2520-%2520WA-LIST%2520(08)%25201%2520-%2520DEF.doc+%22definitions+of+terms+used+in+these+lists%22&cd=1&hl=en&ct=clnk&ie=UTF-8>
    Yes, I found that a few minutes ago, in between my cooking preparations
    :=)

    > Public domain means there is no copyright and no license attached to
    > it, AFAIK.
    BF> More accurately, it generally refers to a work with no copyright holder
    BF> and hence no license *needed* by anyone to perform acts normally
    BF> reserved to a copyright holder.
    BF> So free software still held under copyright is not "in the public
    BF> domain" by the above definition.
    BF> In any case, the part that seems to apply clearly to Python is this one:
    BF> GENERAL SOFTWARE NOTE
    BF> The Lists do not control "software" which is either:
    BF> 1. Generally available to the public by being:
    BF> a. Sold from stock at retail selling points without restriction,
    BF> by means of:
    BF> 1. Over-the-counter transactions;
    BF> 2. Mail order transactions;
    BF> 3. Electronic transactions; or
    BF> 4. Telephone call transactions; and
    BF> b. Designed for installation by the user without further
    BF> substantial support by the supplier;
    BF> <URL:http://74.125.153.132/search?q=cache:oUPbVxp4coMJ:www.wassenaar.org/controllists/2008/WA-LIST%2520(08)%25201/02%2520-%2520WA-LIST%2520(08)%25201%2520-%2520GTN%2520and%2520GSN.doc+general+note+software&cd=1&hl=en&ct=clnk&ie=UTF-8>
    BF> Python is certainly generally available, by being sold as described
    BF> above (as well as other means), and with no further substantial support
    BF> from the supplier.
    BUT: then it continues to state that the above does not apply to
    cryptographic software. At least that's how I interpret the following
    sentence:

    Note Entry 1 of the General Software Note does not release
    "software" controlled by Category 5 - Part 2 ("Information
    Security").

    except that Category 5 - Part 2 makes some exceptions.

    BF> So AFAICT, the Wassenaar Arrangement on export controls explicitly
    BF> excludes Python (and most widely-sold free software) by the "generally
    BF> available to the public by being sold from stock at retail" definition.

    I had heard of the WA before (if only because I live in the same
    country) but never looked into it. So does this mean that the export of
    crypto software (with the exceptions above) is not allowed from European
    countries either? I.e. that we in Europe have been infected with these
    stupid USA export laws, maybe in a milder form?
    --
    Piet van Oostrum <piet at cs.uu.nl>
    URL: http://pietvanoostrum.com [PGP 8DAE142BE17999C4]
    Private email: piet at vanoostrum.org
  • M.-A. Lemburg at Sep 25, 2009 at 3:56 pm

    Piet van Oostrum wrote:
    "M.-A. Lemburg" (M-L) wrote:
    M-L> Depending on how close a country follows the Wassenaar
    M-L> Arrangement (http://www.wassenaar.org/) OpenSSL, Python
    M-L> and all other open-source software falls under the
    M-L> GENERAL SOFTWARE NOTE part 2.:
    M-L> """
    M-L> The Lists do not control "software" which is either:
    M-L> 1. ...
    M-L> 2. "In the public domain".
    M-L> """
    M-L> If you're shipping a closed-source product that includes
    M-L> OpenSSL, then you'd have to follow the rules in category 5
    M-L> part 2 of the dual-use list:
    M-L> http://www.wassenaar.org/publicdocuments/index_CL.html
    > But Python is not in the public domain. Open source != public domain.
    > Public domain means there is no copyright and no license attached to it,
    > AFAIK.

    As already mentioned in the thread, the "in the public domain" phrase
    in the WA list refers to anything that is available to anyone
    without restrictions to dissemination, e.g. open-source software,
    freeware, etc.

    For things you sell, the more restrictive cat. 5 part 2 note
    applies if you ship crypto code.

    --
    Marc-Andre Lemburg
    eGenix.com


Discussion Overview
group: python-list @
categories: python
posted: Sep 25, '09 at 6:56a
active: Sep 25, '09 at 3:56p
posts: 7
users: 5
website: python.org
