Subject: Re: restricting the use of open source software
From: Chuck Swiger <chuck@codefab.com>
Date: Mon, 28 Mar 2005 14:22:27 -0500

On Mar 28, 2005, at 1:44 PM, Steve Quinn wrote:
> I'm not sure anyone is understanding my point.  And yet, it is also 
> possible that there is nothing to worry about anyway...  But, I still 
> think that unless my license contains a clause similar to that of 
> Intel's license, I could be in violation of US export law and not even 
> know it as soon as someone from an embargoed state downloads and uses 
> my software.  And yet I have no control over this.

You are exactly correct that you have no control over what other people 
do; you are also not responsible for their actions, unless you interact 
with them knowingly.  If you were to write a cryptographic program 
using AES-256, and tried to sell that as a product to people in 
US-embargoed countries, in this hypothetical case you would be 
violating the law deliberately and bad things would presumably happen 
to you.

If you were to write a bland, generic open-source program which did not 
involve stuff which is governed by export controls, and you published 
it to the world, and make no effort to do business with someone you 
knew to be from an embargo'ed country, then you've got nothing special 
to worry about.  You don't need to list all of the laws and regulations 
which might apply into every legal document you create, nor is it 
especially useful for the OSI to separately approve the BSD license + 
2000 US export restrictions, the BSD license + 2001 restrictions, 
etc....

DJB's site has extensive discussion on this subject: 
http://cr.yp.to/export.html

-- 
-Chuck

PS: IANAL, but then even someone who is may not be able to guarantee a 
clear resolution to your concerns-- the regulations have changed over 
time and even the experts (either in cryptography or in law) don't seem 
to know exactly what is permitted or not:

http://cr.yp.to/export/dishonesty.html