Closed Bug 1519803 Opened 6 years ago Closed 5 years ago

US Export restrictions: Are we allowed to add the libgcrypt crypto library to the comm-central repository?

Categories

(MailNews Core :: Security, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Unassigned)

References

Details

Originally mentioned in bug 1518091, forked here as separate bug.

The libgcrypt page https://www.gnupg.org/software/libgcrypt/index.html
mentions "former U.S. export restrictions on cryptographic software".

We should clarify if those export restrictions are still a problem.
Are we allowed to import a copy of libgcrypt into the Thunderbird source repository that is hosted on U.S. servers, and also include it in the Thunderbird source distributions, which are hosted on U.S. servers?

Here's a copy of what I originall wrote in bug 1518091 comment 4:

In order to help the decision process regarding the status of US export control, here are some pointers.

I believe I found examples of libgcrypt already being hosted on US servers, for example:

unofficial mirror on github: https://github.com/gpg/libgcrypt
binary debian linux package:
http://http.us.debian.org/debian/pool/main/libg/libgcrypt20/libgcrypt20_1.7.6-2+deb9u3_amd64.deb
and source code:
http://http.us.debian.org/debian/pool/main/libg/libgcrypt20/libgcrypt20_1.7.6.orig.tar.bz2

The download server for Mozilla currently contains the following note at
https://ftp.mozilla.org/pub/security/export-notice

"Firefox and NSS are publicly available software not subject to the Export Administration Regulations (EAR) per EAR 734.3(b) and 734.7. Because Firefox is not subject to the EAR it does not have an Export Control Classification Number (ECCN). Mozilla has completed the notification for Firefox and NSS publicly available encryption source code per EAR 742.15(b)."

I am not a lawyer, but according to
https://www.law.cornell.edu/cfr/text/15/734.7
libgcrypt might be considered a library that is open and available to the public, and from which the public can obtain tangible or intangible documents, which has been public disseminated, including posting on Internet sites available to the public.

It would be good to get confirmation that this interpretation is correct, that hosting the libgcrypt source code and binary code on Mozilla download servers is permissible (like it's apparently considered permissible to host the NSS code).

Also, it should be clarifed if Mozilla needs to perform any additional steps, like notifications, which are mentioned in the quoted export notice.

Blocks: 1519804

Philipp, any idea on who in Mozilla Foundation we'd put this question through?

Flags: needinfo?(philipp)

Magnus, did you get confirmation that we need to resolve this through MoFo? If so we'd probably get in touch with Josh, who would either involve legal or find someone in MoFo that has license expertise.

Flags: needinfo?(philipp)

No, but since this is a legal question, I assume so. Let's see if anyone from the email (you also got) has any suggestions.

Blocks: 1518164

Looks like this is blocked on Philipp/Magnus (and maybe an email they got). If MoFo lawyers don't have time, can we use outside counsel?

Flags: needinfo?(philipp)
Flags: needinfo?(mkmelin+mozilla)

Yes, this is being handled by outside counsel. Ryan should have the latest news, I haven't heard anything new on the thread though.

Flags: needinfo?(philipp)
Flags: needinfo?(mkmelin+mozilla)

Maybe adding additional crypto libraries is considered fine, nowadays?

For example, besides NSS, the following crypto modules have been added during the previous years to the Mozilla tree:

There might be more.

Does the above confirm that it's fine to add additional cryptographic code to Mozilla Firefox?

If yes, is it fine to add additional cryptographic for Thunderbird, too?

(Thunderbird is based on the Firefox code.
All code that is added to Firefox, is automatically being used by Thunderbird, too! )

I have gotten clarification. This is allowed - Mozilla will comply with the notification requirements.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

(In reply to Ryan Sipes from comment #7)

I have gotten clarification. This is allowed - Mozilla will comply with the notification requirements.

Awesome news! Thanks for following up with this!

You need to log in before you can comment on or make changes to this bug.