The debian-private mailing list leak, part 1.


Re: PGP issues



> I just discovered that we have pgp-i _and_ pgp-us in non-us. So why
> is pgp-us in `non-us'? And why do both packages have

Well, I am not the one in charge of this system, but I would say the reason is 
this: Neither version can be exported from the US due to US export 
regulations.  (The exception is that it may be exported to Canada).  All 
non-us mirrors are located outside of the US.  This means that US Debian 
mirrors do not have to worry about setting up access restrictions to prevent 
international people from downloading the US version.  If people from outside 
the US get PGP from a US site, the maintainer of that site could potentially 
be prosecuted for violating US Federal law.  Thus it is best to distribute 
both versions from a non-us site.

The difference between pgp-us and pgp-i is this.  PGP-us uses a different 
public-key encryption algorithm than pgp-i, although both algorithms are 
totally compatible and produce identical results (they just do it in different 
ways).  In the US, there is a patent held that makes use of PGP-i potentially 
illegal, so PGP-us uses code legal for use in the US.  PGP-i is supposed to 
be used outside the US.  (I think its code is faster or something...not sure, 
but there is a good reason <g>)

> 
>  Description: Public key encryption system (International version)
> 
> in their control file? (Or does the `us' in the package name refer to
> something different?)

I would say this is a bug.

But I can see why it could be confusing.  The latest "official" MIT PGP 
version is 2.6.2.  PGP-us is actually based on PGP 2.6.3i[a], the 
international PGP.  PGP-us has taken PGP2.6.3i and merged in the US-only code 
(for patent reasons) from PGP 2.6.2 to create a US version of PGP 2.6.3.  Thus 
it is based upon the "international" PGP code base, but is a US PGP version.

Whew...  Hope I'm making sense here.

But in any case, it is only confusing for the user and should be changed.

> If I remember right, the US version of pgp may _not_ be exported from the
> US.

This is correct.  It is because of an (outdated) US law.

The exception is that it may be exported to Canada.

-- 
John Goerzen          | Running Debian GNU/Linux (www.debian.org)
Custom Programming    | 
jgoerzen@complete.org | 


--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com