anonymous CVS access?

Frank Cusack fcusack at
Fri Mar 28 14:06:59 EST 2003

On Fri, Mar 28, 2003 at 11:40:16AM -0600, Steve Langasek wrote:
> On Fri, Mar 28, 2003 at 09:16:35AM -0800, Frank Cusack wrote:
> > Fill out some paperwork?  You must mean internal paperwork, to the best
> > of my understanding there is no government red tape to go through.
> Filing a notification with the government constitutes "paperwork".  Given
> the high stakes if the right persons in the government were to frown upon
> MIT Kerberos, and the density of the governmentese export regs in
> question (regs which I believe Sam is familiar with even if he's not
> empowered to act on them wrt MIT Kerberos), I think it is not an
> insignificant amount of paperwork, and I don't fault MIT's legal
> department for being cautious in this instance (even though I wish they
> were able to give solving this a higher priority).

The amount of paperwork is zilch, you need only send an email to
crypt at, there's not even a form to fill out.  "Hi, I'm
exporting source code, it's at URL".  You don't even need to worry
about the 7 terrorist states.

See the section "Global Exports of Unrestricted Encryption Source Code".

Also, krb5 is certainly a retail product (under the BXA definition) and
so probably "no reporting is required if the product is exported via free
or anonymous download".  But since the reporting requirement is soo
easily met, there's no reason not to report.

(That doc talks about the 7 hostile states, but that has been changed,
to the best of my knowledge.  I.e., no measures need to be taken to
verify that the importer is not from one of those states.)



More information about the krbdev mailing list