Signing packages without violating restrictions/laws
fw at fwright.net
Mon Apr 18 13:39:55 PDT 2016
On Mon, 18 Apr 2016, Mojca Miklavec wrote:
> This seems to be a problem for GPG though. Apparently USA export
> restrictions forbid exporting software that does cryptography (and
> some other countries might have import restrictions).
That's largely ancient history.
> I have a problem understanding those rules because we are not dealing
> with encrypted information, but merely use the same algorithms to
> verify authenticity of the packages. On the other hand I have problems
> believing that this problem really cannot be solved ... MacPorts
> apparently solved it.
Even in the days of the draconian export restrictions:
1) Export of *signing* software was permitted. Though since signatures
are basically encrypted hashes, it could get "interesting" to determine
whether a given piece of software complied.
2) Export of encryption software was allowed, provided that it had a
sufficiently limited key size, e.g. 40-bit "export grade" keys.
3) That nonsense was mostly eliminated in 2000. See, e.g.:
Nevertheless, the damage lingers. Within the past year, three separate
major exploitable vulnerabilities in OpenSSL have been found, all in
relation to the support for "export grade" keys.
More information about the macports-dev