From: Jean-Paul C. <ex...@di...> - 2009-07-23 14:32:59

Hey all,

I've been working on making the Windows installation process for pyOpenSSL a bit simpler.

At the bottom of <https://bugs.launchpad.net/pyopenssl/+bug/238658> there are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5 and Python 2.6. These should work on a Windows machine even if OpenSSL hasn't been installed separately.

Any testing anyone can do of these would be much appreciated.

Thanks,

Jean-Paul

From: M.-A. L. <ma...@eg...> - 2009-08-04 10:20:17

Jean-Paul Calderone wrote:
> Hey all,
>
> I've been working on making the Windows installation process for pyOpenSSL
> a bit simpler.
>
> At the bottom of <https://bugs.launchpad.net/pyopenssl/+bug/238658> there
> are links for exe, msi, and egg distributions of pyOpenSSL for Python 2.5
> and Python 2.6. These should work on a Windows machine even if OpenSSL
> hasn't been installed separately.
>
> Any testing anyone can do of these would be much appreciated.

I wonder why you are going through the same cycles we have in order to package pyOpenSSL instead of just using our installers.

http://www.egenix.com/products/python/pyOpenSSL/

If all that's missing are egg files to install, we can add those as well (and we don't need setuptools for that, so you can continue working with your usual unhacked distutils setup).

Note that uploading pyOpenSSL eggs to PyPI could result in legal problems for the PSF due to export restrictions. I'm not sure that's such a good idea. In any case, you'd have to let the PSF know in advance.

--
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source (#1, Aug 04 2009)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/

From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 14:55:32

On Tuesday,2009-08-04, at 3:49 , M.-A. Lemburg wrote:

> Note that uploading pyOpenSSL eggs to PyPI could result in legal
> problems for the PSF due to export restrictions. I'm not sure
> that's such a good idea. In any case, you'd have to let the PSF
> know in advance.

A quick glance at the results of a search for "crypt" suggests that pypi already hosts dozens of crypto packages. I think that the crypto export regulations from the USA are now routinely ignored by more or less everyone on the Internet, which is how it should be.

Also, they changed the regulations last year and I still haven't gotten around to reading about the new rules, so for all I know what PSF is currently doing is legal. Or maybe it is even more illegal than it was before. Who cares?

Regards,

Zooko

From: M.-A. L. <ma...@eg...> - 2009-08-04 18:04:37

Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 3:49 , M.-A. Lemburg wrote:
>
>> Note that uploading pyOpenSSL eggs to PyPI could result in legal
>> problems for the PSF due to export restrictions. I'm not sure that's
>> such a good idea. In any case, you'd have to let the PSF know in advance.
>
> A quick glance at the results of a search for "crypt" suggests that pypi
> already hosts dozens of crypto packages. I think that the crypto export
> regulations from the USA are now routinely ignored by more or less
> everyone on the Internet, which is how it should be.
>
> Also, they changed the regulations last year and I still haven't gotten
> around to reading about the new rules, so for all I know what PSF is
> currently doing is legal. Or maybe it is even more illegal than it was
> before. Who cares?

Whether export regulations are good or bad is not the question and we're not the ones making the laws.

However, the PSF runs PyPI and as a legal entity it has to follow the rules whatever they are.

PyPI itself is hosted in the Netherlands, so the EU regulations apply for things being downloaded from PyPI:

http://www.ez.nl/english/Subjects/Exportcontrols

These are based on the Wassenaar Arrangement:

http://www.wassenaar.org/

There's a GENERAL SOFTWARE NOTE in the EU regulations that applies to all software "in the public domain", but this term is not very well defined. The GSN basically removes such software from being controlled:

http://ec.europa.eu/trade/issues/sectoral/industry/dualuse/index_en.htm

I don't know whether the Netherlands have any extra requirements.

The current regulations for the US require filing a notification of all exported and re-exported OSS crypto software (including any crypto software being uploaded to PyPI from the US):

http://www.bis.doc.gov/encryption/pubavailencsourcecodenofify.html

--
Marc-Andre Lemburg
eGenix.com

From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 18:48:49

On Tuesday,2009-08-04, at 12:04 , M.-A. Lemburg wrote:

> Whether export regulations are good or bad is not the question and
> we're not the ones making the laws.

I'm a bit confused -- I never said anything about making laws. I said that no open source programmer, as far as I can tell, is spending the time and effort to obey the laws, and that I approved. My advice to JP Calderone is to upload crypto to the Net without first notifying the US Bureau of Export Controls, and then see if he gets arrested. That's what I've been doing -- http://pypi.python.org/pypi/pycryptopp -- and I haven't gotten arrested yet.

> However, the PSF runs PyPI and as a legal entity it has to follow the
> rules whatever they are.

How does this impact JP Calderone's decision to upload or not upload pyOpenSSL? If the PSF wants to make sure that all of the packages hosted on PyPI are legal, then they have a heck of a research job to do -- there are how many packages? Tens of thousands? And nobody from PSF has ever examined them for legality. If the PSF wants all uploaders to first make sure that their uploads are legal, then they have a heck of a user education job to do, because currently it looks like dozens of people at least have uploaded crypto to PyPI, and I'm willing to bet not one of them has notified the BXA.

And, just to be clear, this makes me happy. Not because I think that I'm the one making the laws, but because I think it is a good thing that this law is being widely violated.

Regards,

Zooko Wilcox-O'Hearn

From: M.-A. L. <ma...@eg...> - 2009-08-04 19:32:45

Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 12:04 , M.-A. Lemburg wrote:
>
>> Whether export regulations are good or bad is not the question and
>> we're not the ones making the laws.
>
> I'm a bit confused -- I never said anything about making laws. I said
> that no open source programmer, as far as I can tell, is spending the
> time and effort to obey the laws, and that I approved. My advice to JP
> Calderone is to upload crypto to the Net without first notifying the US
> Bureau of Export Controls, and then see if he gets arrested. That's
> what I've been doing -- http://pypi.python.org/pypi/pycryptopp -- and I
> haven't gotten arrested yet.

You're missing the point: The PSF can get into trouble for making crypto code available via their website without complying with existing laws and regulations.

>> However, the PSF runs PyPI and as a legal entity it has to follow the
>> rules whatever they are.
>
> How does this impact JP Calderone's decision to upload or not upload
> pyOpenSSL? If the PSF wants to make sure that all of the packages
> hosted on PyPI are legal, then they have a heck of a research job to do
> -- there are how many packages? Tens of thousands? And nobody from PSF
> has ever examined them for legality. If the PSF wants all uploaders to
> first make sure that their uploads are legal, then they have a heck of a
> user education job to do, because currently it looks like dozens of
> people at least have uploaded crypto to PyPI, and I'm willing to bet not
> one of them has notified the BXA.

The PSF has been careful about these things in the past and we did notify the BIS (formerly BXA) of the fact that the Python distribution included crypto code and some installers ship with OpenSSL.

We haven't done that for the things on PyPI because last time we did check, PyPI did not host any crypto code or only bindings for it.

--
Marc-Andre Lemburg
eGenix.com

From: Zooko Wilcox-O'H. <zo...@zo...> - 2009-08-04 20:03:05

On Tuesday,2009-08-04, at 13:32 , M.-A. Lemburg wrote:

> You're missing the point: The PSF can get into trouble for making
> crypto code available via their website without complying with
> existing laws and regulations.

I'm sorry if I am being obtuse, but I really don't understand what this has to do with Jean-Paul's decisions. You originally raised this issue when you wrote in an earlier mail:

> Note that uploading pyOpenSSL eggs to PyPI could result in legal
> problems for the PSF due to export restrictions. I'm not sure
> that's such a good idea. In any case, you'd have to let the PSF
> know in advance.

Do you have any specific reason to believe that this could result in legal problems for the PSF? Your earlier note suggested that maybe PSF would be in the clear if the relevant laws about "software in the public domain" applied to open source software like pyOpenSSL, and if the Netherlands (which has jurisdiction over the PyPI servers) didn't have some other laws that we're unaware of which would make it illegal. So as far as anyone has stated in this discussion, there is no reason to believe that it is a legal problem for the PSF.

And why would JP have to let the PSF know in advance? Do you mean that he "ought" to let the PSF know in advance in order to be polite to them? I didn't let the PSF know in advance when I uploaded pycryptopp to PyPI, and I don't think that I had to nor that I ought to.

Regards,

Zooko Wilcox-O'Hearn

From: M.-A. L. <ma...@eg...> - 2009-08-04 20:35:31

Zooko Wilcox-O'Hearn wrote:
> On Tuesday,2009-08-04, at 13:32 , M.-A. Lemburg wrote:
>
>> You're missing the point: The PSF can get into trouble for making
>> crypto code available via their website without complying with existing
>> laws and regulations.
>
> I'm sorry if I am being obtuse, but I really don't understand what this
> has to do with Jean-Paul's decisions. You originally raised this issue
> when you wrote in an earlier mail:
>
>> Note that uploading pyOpenSSL eggs to PyPI could result in legal
>> problems for the PSF due to export restrictions. I'm not sure that's
>> such a good idea. In any case, you'd have to let the PSF know in advance.
>
> Do you have any specific reason to believe that this could result in
> legal problems for the PSF?

Well, yes, otherwise I wouldn't have mentioned them: PyPI doesn't restrict downloads from countries on the UN embargo list, nor does it ask for compliance with export regulations.

> Your earlier note suggested that maybe PSF
> would be in the clear if the relevant laws about "software in the public
> domain" applied to open source software like pyOpenSSL, and if the
> Netherlands (which has jurisdiction over the PyPI servers) didn't have
> some other laws that we're unaware of which would make it illegal. So
> as far as anyone has stated in this discussion, there is no reason to
> believe that it is a legal problem for the PSF.

I can't say whether there is a problem or not. The PSF will have to ask a lawyer about these things and, of course, has to get a chance to do so prior to accepting such uploads.

It's well possible that there is no problem, or that the PSF would have to file a notice with the BIS to get things cleared for open source releases like pyOpenSSL.

I'm not aware of a previous attempt to get this cleared up for the PSF, so now is a good chance to get these questions sorted out.

eGenix has gone through a clearing procedure for our pyOpenSSL distribution as well as our products using pyOpenSSL. The German authorities gave us the green light based on the GSN clause. Things may be different in the US, though.

> And why would JP have to let the PSF know in advance? Do you mean that
> he "ought" to let the PSF know in advance in order to be polite to them?

PyPI is a service provided by the PSF, so if you know that an upload could cause trouble for the PSF, it's only fair to inform them first.

--
Marc-Andre Lemburg
eGenix.com