<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Apr 18, 2016 at 4:12 PM, Mojca Miklavec <span dir="ltr"><<a href="mailto:mojca@macports.org" target="_blank">mojca@macports.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Apparently USA export<br>
restrictions forbid exporting software that does cryptography</blockquote><div><br></div><div>Umm, ITAR's had an OSS exemption for years. Are you reading old information?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> (and<br>
some other countries might have import restrictions).<br></blockquote><div><br></div><div>Sadly still true.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I have a problem understanding those rules because we are not dealing<br>
with encrypted information, but merely use the same algorithms to<br>
verify authenticity of the packages.<br></blockquote><div><br></div><div>The law is often a blunt object, especially when formulated by those who do not understand the thing being regulated.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
My main question is: what options do we have (if any) to make package<br>
verifications work out of the box (and without violating any<br>
import/export restrictions) on Mac OS X? (The code signing is done on<br>
Linux.)<br></blockquote><div><br></div><div>It's nigh impossible to keep up with all relevant laws worldwide; the best you can do is obey the laws in the jurisdiction(s) providing the software and warn potential users that they must check their appropriate local regulations --- then try to help them on a case by case basis. </div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
By glimpsing through some parts of the source code in MacPorts I see<br>
mention of "productsign" and "openssl" to do the job, but I didn't yet<br>
</blockquote><div><br></div><div>productsign is used in creating signed OS X installer packages, and you simply can't do that sensibly on Linux.</div><div><br></div></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>brandon s allbery kf8nh sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div><div>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div></div>
</div></div>