PGV blocked in Cuba, Syria, etc.

Greg Roach
2010-02-10
2013-05-30
  • Greg Roach
    2010-02-10

    Since 7th February 2010, it is not possible to download PhpGedView in Cuba, Iran, North Korea, Sudan, and Syria and other designated countries.

    Sourceforge have imposed IP address blocks, preventing access to those countries.  I don't know how many users we have (or used to have) in those countries.

    As project admin, I have the option to undo this block.  I would have to make a declaration to the US government that PGV contains nothing that might be illegal.

    Could the image-watermarking be counted as steganography?  Does the PDF library allow the creation of "protected" documents?  Does the use of password salting count as a "cryptographic technique"?

    I don't like blocking.  I don't like extradition/jail.

    What to do……

     
  • kiwi_pgv
    2010-02-10

    Move away from Source Forge ??

     
  • Veit
    2010-02-10

    To Google Code ??? You will find the same situation on most of the major platforms, because they are situated in the US or have subsidiaries there. This is also nothing new, the new thing is that sourceforge makes it configurable.

    I also don't like this blocking policy, but to be on the safe side for the project admins I would suggest leaving the default (blocked) as it is.
    If not, you would have to check each piece of code committed during the development to fulfill the export restrictions.

     
  • Greg Roach
    2010-02-10

    I've looked again at the rules.  They are very loosely worded, and include "calls to encryption in the operating system or underlying platform".  PGV uses MD5 (a cryptographic hash function) to encrypt user passwords, amongst other things.

    We have users in these countries, who are now blocked.

    Most of PGV's developers are outside the US.  There is nothing in my local laws to stop me sending (my own!) code to, for example, Cuba, and nothing in Cuba's law that prevents them from receiving it.

    I realise that this only affects a very small fraction of our users, but it only takes the stroke of a presidential pen to add other countries to the list.

    SourceForge has been pretty good to us over the years, but this has been forced on them, and now it is forced on us.

    While I am waiting for the rest of the development team to give their opinions, I would like to consider other hosting options.

    As Veit says, most of the major platforms are based/hosted/owned in the US, which narrows down the options.  We are also quite resource intensive:

    According to the site statistics, PGV generates 2.5 GB/day downloads (rising to 250 GB/day in the week after new releases) and 10000 hits/day on the website.  I don't know the size of the SVN repository, but I'd guess 100-500 MB.  We also have a MySQL server to support the wiki.

    So, I'm looking for suggestions.  Free "bullet-proof" hosting in Switzerland would be very nice. And if it has a forum that handles plain-text, so much the better ;-)

     
  • kiwi_pgv
    2010-02-10

    At one point, on the last discussion about SF (https://sourceforge.net/projects/phpgedview/forums/forum/185165/topic/3426639) you suggested

    Free is one option. While I was waiting for SF's SVN server to respond, I was googling config options for a PowerEdge R410 and CoLo costs at my local data-centre. :-)

    I was thinking maybe persuade a couple of dozen PGV users to club together. We'd have a kick-ass server with enough spare grunt to host SVN, Forums, wiki, etc….. Just leave downloads on SF. Bandwidth costs money, and the reason SF does downloads so well is that they delegate it to mirrors.

    Is that still practical, with the addition of downloading now? There were a number of "willing takers" who offered to help fund it.

    Nigel

     
  • Greg Roach
    2010-02-10

    <<There were a number of "willing takers" who offered to help fund it.>>

    IIRC, the number was 4 or 5.

     
  • Brian Holland
    2010-02-10

    Greg,

    I repeat my offer to help fund this.
    Am really fed up of this "silly" editor.
    Also I do not like restrictions you refer to being placed when they do not consider risk assessment ramifications.

    Brian

     
  • Lou Hurst
    2010-02-10

    I'll chip in too.

    Also, what would it take to be a mirror?

    Lou

     
  • Gerry Kroll
    2010-02-12

    Add me to the list of people who'd be willing to chip in.

    We might even be willing to host the forums, but not the SVN repository.  We can't afford that much traffic.

     
  • Laie Techie
    2010-02-12

    IANAL, so the following are my own thoughts and opinions.

    Export laws have not changed. If it is now illegal to export PGV because we use MD5, then it was always illegal to do so. What has changed is the decision to enforce export law on FOSS sites like Source Forge.

    I don't think PGV uses anything which is regulated by export law. MD5 is quite old, and Sun / Oracle can export 128-bit strength encryption in Java (they have a separate download for unlimited strength, which is only available within the USA).

     
  • Greg Roach
    2010-02-12

    <<What has changed is the decision to enforce export law>>

    What has changed is the decision to transfer responsibility from SF management to project administrators.

    <<MD5 is quite old>>

    I am not a lawyer either, but I did read the article.  It just says "encryption".  It doesn't say "strong encryption", "new encryption", etc.

     
  • Greg Roach
    2010-02-12

    launchpad.net

    Owned by Canonical (i.e. Ubuntu Linux), and hosted/registered/based in the UK.

    Seems to offer everything we want - except Subversion.  Instead it uses Bazaar.

    I like SVN (lots of nice client tools).  One option would appear to be that we could host our own SVN server somewhere (to provide read/write access to the dev team), and let Bazaar sync to it (to provide read-only access to the rest of the world).

    I'll look in more detail when I get some time.

     
  • Gerry Kroll
    2010-02-12

    We can probably host SVN access for developers ONLY.  I'll have to look into the ramifications.

    I don't think Canada is kowtowing to the Americans with regards to export controls - we have to look into this too.

     
  • Gerry Kroll
    2010-02-12

    Canada DOES have export controls similar to those in the USA (I guess we have kissed some American asses - probably horses' asses).

    However, section 1-5.A.2 of this document:
    http://www.international.gc.ca/controls-controles/assets/pdfs/documents/exportcontrols2007-en.pdf
    specifically permits the use of cryptography for the purpose of protecting passwords and for the purpose of preventing unauthorized access.

    I submit that PGV falls into this category and is therefore in compliance with the Canadian export controls.  I suspect that there is similar wording in the American version of the regulations.

     
  • Gerry Kroll
    2010-02-13

    I found the American regulations.  They're similar in intent to the Canadian ones, with MUCH more complicated words and a lot of cross references to other equally incomprehensible sections.

    I think we would be well advised to move off SourceForge and to avoid any sort of North American host altogether. 

    Don't forget that PGV incorporates a lot of other Open Source packages, all of which would have to be certified to be in compliance.  Frankly, I don't think the effort to do this is worth it.

    We will also have to be careful to avoid loading PGV's distribution file set onto any mirror site that has a location in North America.  Unfortunately, that rules out most mirror sites. 

    I could rant about the stupidity of certain government organizations, but that would be off-topic and counter-productive.

     
  • Im
    2010-02-13

    Just an awful law….

    There are always ways to get around these things. And offloading any mirror sites…

    Linux distros had the same problems, but they not only moved (some) files from US mirrors but also started using BitTorrent. I wouldn't mind helping to distribute PGV as torrent files. Maybe even setting up one tracker, but just a tracker and not a complete web site. Besides a static IP, it's actually easier than it sounds :) Even Apache has a tracker module: mod_bt (never tried so don't ask)

    There are many torrent tracker sites that could be used to widen the number of trackers, to announce a file. My favorite is of course http://thepiratebay.org

    A torrent file is just a 160 bit wide file, 10-15Kb. That can not be illegal in the US or Canada, can it? (I really don't know!)

    >>(rising to 250 GB/day in the week after new releases) and 10000 hits/day on the website

    Could this be useful?

    -Im

     
  • kiwi_pgv
    2010-02-13

    Im, I think using Bit Torrent might in itself cause problems. Undoubtedly only an issue of perception, but many people would imagine Bit Torrent to be only related to illegal downloading and file sharing.
    Then there is the issue, as I understand it, of needing to first install a Bit Torrent client. We have enough problems getting people to successfully download and install PGV!

     
  • Greg Roach
    2010-02-14

    I'm still looking at launchpad.net.  It is a reputable, well-funded, "heavy-duty" open-source host.

    It uses a very different set of tools to SF, and I'd like to experiment with them a while before deciding whether to recommend it, or keep looking for alternatives.

    It offers a very nice "sandbox" feature.  Every 24 hours, every project is copied to a sandbox, where you can do anything that you can do on live.

     
  • Veit
    2010-02-14

    Have taken a look at launchpad.net. It's the company standing behind UBUNTU. They use Bazaar as version control. Don't like it.
    I like berlios.de more. They have nearly the same structure as sourceforge and you can decide to use subversion, git or mercurial as version control.
    Seems other popular sf projects like notepad++ are evaluating it at the moment.

     
  • Im
    2010-02-14

    No doubt, the 'torrent' word has received a bad reputation. And those who don't know what torrent is can always download a zip file…

    But as I read through this thread with this many users - that much bandwidth - mirror problems in what countries etc.. well, why not add an 'alternative' way of downloading beside a zip file like many others do? A Bit Torrent client is necessary, yes. But once again, if someone doesn't know what torrent is then they shouldn't use it.

    Bit Torrent has always been popular and is getting more popular by the day, for it's cheaper/faster to share files between clients than pay the bills for mirror sites and bandwidth. And who shares in what country what piece of what file to what country…? :))

    Just keep this in mind as an optional way of downloading for those who know what they are doing.

    If you think that torrent gives you problems, just wait for launchpad.net (with Bazaar) or berlios.de. None of these sites seems to be very user friendly. Win some, lose some situation ….
    Bazaar…. why do people have the need to reinvent the wheel? :)

    -Im

     
  • Gerry Kroll
    2010-02-14

    Im:
    If the potential host sites you mention aren't particularly user-friendly, they can't be any worse than SourceForge!  SourceForge support STINKS, and their forums are almost unusable.  For instance, why on earth can't I edit/correct one of my posts?

     
  • Lester Caine
    2010-02-15

    A few points here …

    torrent is really only appropriate when you are handling big files, like a linux distribution, or a dvd copy. The smaller files we need for distribution are not really candidates for torrent distribution, although they can handle it.

    I run a dedicated machine at 1and1 in Germany which has unlimited bandwidth, and a high speed pipe. This is running Apache, PHP and of course Firebird, and I'm quite happy to add a PGV area if it will help. I'd prefer to keep the website side of things on bitweaver, but that provides wiki, blogs, news, forums - all integrated with a common on-line editor. I prefer simple html, but we can run a wiki format as well if people insist.

    I still prefer CVS, and bitweaver includes a CVS viewer, but it is a linux box, so running SVN is just a matter of getting some help from someone who has the knowledge. For backup, everything gets rsynced back to one of the machines here. Only an ADSL pipe, but usable in emergencies.

     
  • Greg Roach
    2010-02-15

    Thanks to isces and others who have volunteered various bits of hosting.  Whilst this is appreciated, it is not a good idea to have something as important as PGV dependent on a single individual.  What happens when that person is struck by lightning, goes to jail, etc.?

    I've been talking to other project admins on SF, and our options appear to be launchpad and berlios.

    Launchpad is the more established, "heavy duty" option, but has a very different way of working and doesn't offer svn.
    Berlios offers all the features we currently use (svn, forums, trackers, wiki, website, etc.), but lacks "brand recognition".

    On balance, berlios would seem to be the better option.

    I'm still waiting for feedback from the rest of the development team.  Very few have expressed an opinion.  This could mean that the majority want to stay on SF, despite the censorship.

     
  • Gerry Kroll
    2010-02-15

    Greg:
    "the majority want to stay on SF" : I don't think so.  Most of us are too ticked off at SourceForge to express our sentiment in words.  There's just no hope that SourceForge will improve or otherwise change their ways any time soon.

    It's possible that the developers who haven't said anything yet either have missed the discussion on the Developer forum, or don't understand the implications of the US military's paranoia.

    Why don't you send a direct e-mail to the developers who haven't as yet expressed an opinion one way or the other?

     