> From what I've heard it seems to be okay to _import_ crypto software
> to USA, so it would be okay to add pgpi or SSLeay to packages.

> Am I right ?

Disclaimer: IANAL, least of all a crypto lawyer.  This is all based on
bits and pieces gleaned from various sources, and may be out-of-date or
just plain wrong.

That said....you're partially right.

I think it is technically against ITAR to export *or import* restricted
software without the appropriate license.  It's just that nobody ever
prosecutes import violations, so in practice it amounts to OK.

I'm not sure what the point would be, though, because they couldn't be
exported again.  (Of course, if {ftp,sup}.netbsd.org were moved to
machines in the free world, this wouldn't be an issue.)

It's also not entirely clear what could happen if, say, someone in
Finland or the Czech Republic were to check something like IDEA into
(or out of) the NetBSD source tree.  Who would be liable for the ITAR
violation?  I don't know - I don't think anyone does - and I'm not
inclined to make NetBSD a test case. :-(

Yet another reason ... no, this isn't the place for political rants.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B