Code contributions, ITAR/EAR, incrimination vs. contribution

Caskey L. Dickson caskey at
Wed Nov 11 17:14:38 CET 1998

On Wed, 11 Nov 1998, brian moore wrote:

> On Tue, Nov 10, 1998 at 08:54:23PM -0800, Caskey L. Dickson wrote:
> > On Tue, 10 Nov 1998, brian moore wrote:
> > 
> > > I think the biggest problem is for those of us in the US, though.
> > > Signing such a thing could be incriminatory.
> > 
> > IANAL: The FSF takes their role of defending free software very seriously.
> Sort of a catch-22: if you do major work it can't be included or the
> code would be compromised, but if you sign the form so it can be
> included, you've admitted to a crime.
> It makes it rather difficult to do much in the US except compile.

Perhaps.  Admitting to working on a project that has the potential to
be in violation of the ITAR/EAR when you upload your contributions is a
sticky problem.  OTOH, provided you aren't contributing code to the core
crypto engine then you aren't really doing anything.  Key management, for
instance, isn't crypto, but it is a large part of any security product.

For example, I would feel perfectly justified distributing a key server
from inside the US without concern.  It is no more a crypto product than
an egg timer is a bomb, despite the fact that they go well together. 

I would liken this to the various regulations regarding gun sales in the
US.  Most any parts are available through mail order or OTC, but the frame
itself (stamped with a serial number) can only be bought through a
licensed gun dealer.  

For GnuPG the 'frame' of the weapon is the encryption/decryption modules
(cipher.c, decrypt.c, encr-data.c, etc...)  while the rest is just
supporting stuff that, in and of itself, is not in any way subject to

Again, IANAL, and I applaud Werner's attention to detail as regards
protecting the source of GnuPG from potential 'corruption' that would
subvert the goals of GnuWare. 


P.S. (unrelated) For those looking, I haven't yet updated my RPM spec page
with the latest work sent by Ross Golder, I hope to have time today. 

    Heuer's Law: Any feature is a bug unless it can be turned off.
Caskey <caskey*>       ///                pager.818.698.2306
TechnoCage Inc.                     ///|               gpg: aiiieeeeeee!!!
    Early bird gets the worm, but the second mouse gets the cheese.

More information about the Gnupg-devel mailing list