Re: Problem serving one-click installer to Syria

Magnus Hagander wrote:
> On Tue, Jun 15, 2010 at 15:28, Dave Page <dpage(at)postgresql(dot)org> wrote:
>> On Tue, Jun 15, 2010 at 12:16 PM, Greg Stark <gsstark(at)mit(dot)edu> wrote:
>>> On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
>>> <stefan(at)kaltenbrunner(dot)cc> wrote:
>>>> yeah - We really can't discriminate against some of our users in that
>>>> way(and we are not doing that on any of our other sites). If we cannot get
>>>> this fixed in a generic way we really need to look into alternative ways -
>>>> at least for people being affected by that - to get to the one-click
>>>> installer.
>>> Well South Korea would have been obviously just a mistake. But I would
>>> expect it to be an issue for any US company to server IPs in Syria,
>>> North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
>>> restrictions there would be for a product that isn't being sold but I
>>> wouldn't be surprised if they wanted to be conservative and just not
>>> serve those IPs at all.
>>>
>>> For the community it might be tricky to solve since many of the
>>> servers are hosted or sponsored by US organizations. Having some
>>> servers with different rules than others might complicate matters
>>> significantly.
>> Greg is entirely correct. We cannot export or facilitate the export of
>> cryto code to embargoed countries, such as Syria due to US export
>> laws. This doesn't just apply to EnterpriseDB of course, it applies to
>> the community as well, either where our servers are in the US, or the
>> people working on them are in the US. The penalties for ignoring this
>> are *extremely* harsh.
>
> Well, it only applies to the US, so all our mirrors outside of the US
> should be fine, AFAIK. Nor does it apply to community members outside
> the US, however they'd do anything about that.

exactly - and other large projects (like debian) who used to do a
"non-US" mirror set stopped doing that ages ago (around the release of
Sarge - 3.1)

>
>
>> The situation is ridiculous I know - it's easy to get OpenSSL from any
>> number of places of course. As of this morning, we have people looking
>> into the legal issues to see if there is a way that we (EnterpriseDB
>> and the community) can make all our downloads available universally
>> without putting anyone at risk of prosecution. We're also talking to
>> other large organisations involved in Open Source to see if/how they
>> deal with this within the projects they work on.
>
> AFAIK, open source *communities* don't generally do anything at all
> about this. We can restrict access to any of our servers that run in
> the US, but as long as there are mirrors and the licence is open,
> anybody outside the US can just redistribute it. So it sounds like th
> easy fix is to just mirror it onto the community mirror network.

yeah that seems like a very simple solution, just upload the stuff to
the mirror network and provide an "if the above link to download fails
with an error try here" on the main website.

Stefan