I thought the whole problem was that it's very hard to distribute
   source for DES-based password hashing in a way that isn't trivial to
   turn into full-fledged DES.

That's not the issue.  Apparently the only issue is whether it can be
used that way *as shipped*.  The US Govarmint is even stupider than we
all suspected.