Subject: A proposal to mitigate the restriction on crypto binary packages
To: None <tech-pkg@NetBSD.ORG>
From: Frederick Bruckman <fb@enteract.com>
List: tech-pkg
Date: 09/07/2000 11:54:28

It's the case that, since the U.S. restrictions on the export of
cryptography have been loosened, much software whose focus is not
cryptography now includes some crypto code. E.g. "libwww" and "xpdf"
have integrated code that was formerly distributed separately; "lynx"
still maintains the separation (though the NetBSD package pulls the
https and snews patches in), though it's probably only a matter of
time before that changes, too. Besides that, there are several
popular, even essential packages that have included crypto all along
(ssh, openssh). All together, this leaves big holes in NetBSD's binary
packages collection.

Pkgsrc has failed to keep up with the crypto integration in the main
tree. This is especially ironic, because the new export regulations,
as I understand them, are even less restrictive for non-original
software (no notification requirement), that is, software that can
already be downloaded from somewhere else (like "pkgsrc" software).

I suggest that the present policy, of setting RESTRICTED=Crypto on all
such packages, is way too restrictive. "RESTRICTED" is recognized by
the pkg tools, and remains useful for commercial software and such
that cannot be packaged and distributed under any circumstances. I
would replace that, in the crypto packages, with a "CRYPTO" setting
that's recognized by the build system (but not by the package tools).

In short, my proposed state of affairs, in pkgsrc, mirrors the present
situation in the main tree. A user who sets MKCRYPTO=no in
/etc/mk.conf should be able to do a build without getting any of these
packages -- but the offered binaries will be hopelessly "contaminated".

Unless there are strong objections, I will commit the following on
Saturday, and proceed to modify all the other affected packages.

Index: mk/bsd.pkg.mk
===================================================================
RCS file: /cvsroot/pkgsrc/mk/bsd.pkg.mk,v
retrieving revision 1.566
diff -c -r1.566 bsd.pkg.mk
*** mk/bsd.pkg.mk	2000/09/07 15:26:52	1.566
--- mk/bsd.pkg.mk	2000/09/07 16:53:01
***************
*** 20,25 ****
--- 20,28 ----
  ##### Include any preferences, if not already included, and common definitions
  .include "../../mk/bsd.prefs.mk"
  
+ ##### Build crypto packages by default.
+ MKCRYPTO?=		YES
+ 
  ##### Some overrides of defaults below on a per-OS basis.
  .if (${OPSYS} == "NetBSD")
  LOCALBASE?=		${DESTDIR}/usr/pkg
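Review bot: The `MKCRYPTO?= YES` default at new line 24 lives only in bsd.pkg.mk, after the include of bsd.prefs.mk, so any Makefile fragment that includes bsd.prefs.mk and tests `${MKCRYPTO}` before bsd.pkg.mk is read will see the variable undefined. Consider setting the default in bsd.prefs.mk instead, so that it is available wherever the user's preferences are. The comment could also say that anything other than YES or yes disables crypto packages, since that is how the later test reads it.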
***************
*** 967,972 ****
--- 970,978 ----
  # Don't build a package if it's restricted and we don't want to
  # get into that.
  #
+ # Don't build any package that utilizes strong cryptography, for
+ # when the law of the land forbids it.
+ #
  # Don't attempt to build packages against X if we don't have X.
  #
  # Don't build a package if it's broken.
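Review bot: The added comment at new lines 973-974 does not name the knob or the triggers it documents. Someone reading this list of reasons cannot tell from "when the law of the land forbids it" that the check is driven by MKCRYPTO and applies to packages defining CRYPTO or USE_SSL. Suggest wording along the lines of "Don't build a package that defines CRYPTO or USE_SSL unless MKCRYPTO is YES".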
***************
*** 990,995 ****
--- 996,1006 ----
  .if (defined(RESTRICTED) && defined(NO_RESTRICTED))
  IGNORE+= "${PKGNAME} is restricted:" \
  	 "    "${RESTRICTED:Q}
+ .endif
+ .if !(${MKCRYPTO} == "YES" || ${MKCRYPTO} == yes)
+ .  if (defined(CRYPTO) || defined(USE_SSL))
+ IGNORE+= "${PKGNAME} may not be built, because it utilizes strong cryptography"
+ .  endif
  .endif
  .if ((defined(USE_IMAKE) || defined(USE_MOTIF) || \
  	defined(USE_X11BASE) || defined(USE_X11)) && \
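Review bot: The test at new line 1000, `.if !(${MKCRYPTO} == "YES" || ${MKCRYPTO} == yes)`, is an exact, case-sensitive match, so a value such as `Yes` or `YES ` in mk.conf silently puts every CRYPTO and USE_SSL package on the IGNORE list. Failing closed is the conservative choice for an export-control knob, but the user gets no hint that the value was not recognized. Either match case-insensitively, e.g. `.if empty(MKCRYPTO:M[Yy][Ee][Ss])`, or have the IGNORE message include the MKCRYPTO value that caused it. The two comparisons are also quoted inconsistently ("YES" quoted, yes bare); pick one form.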
Index: mk/mk.conf.example
===================================================================
RCS file: /cvsroot/pkgsrc/mk/mk.conf.example,v
retrieving revision 1.152
diff -c -r1.152 mk.conf.example
*** mk/mk.conf.example	2000/09/07 02:29:43	1.152
--- mk/mk.conf.example	2000/09/07 16:53:04
***************
*** 29,34 ****
--- 29,39 ----
  # gzip manual pages at installation time
  # Possible: defined, not defined
  # Default: not defined
+ 
+ #MKCRYPTO= no
+ # If not YES or yes, don't fetch, build or install crypto packages.
+ # Possible: anything
+ # Default: YES or yes
  
  #OBJMACHINE=
  # use machine-specific object directories, e.g.  work.i386, work.sparc
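Review bot: The documentation block at new lines 33-36 is ambiguous about accepted values. "Possible: anything" together with "Default: YES or yes" does not say which values enable crypto, and the default set in bsd.pkg.mk is the single value YES. Suggest "Possible: YES, yes (build crypto packages); any other value disables them" and "Default: YES", so that a reader does not assume `Yes` or `true` will work.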
Index: security/openssl/Makefile
===================================================================
RCS file: /cvsroot/pkgsrc/security/openssl/Makefile,v
retrieving revision 1.19
diff -c -r1.19 Makefile
*** security/openssl/Makefile	2000/08/27 02:46:06	1.19
--- security/openssl/Makefile	2000/09/07 16:53:05
***************
*** 10,20 ****
  HOMEPAGE=		http://www.openssl.org/
  
  CONFLICTS=		SSLeay-* ssleay-*
  
  USE_PERL5=		# defined
- 
- RESTRICTED=		"Crypto; export-controlled"
- NO_SRC_ON_FTP=	${RESTRICTED}
  
  # matches what's in `Configure' (except sparc64)
  ONLY_FOR_PLATFORM=	NetBSD-*-alpha NetBSD-*-arm32 NetBSD-*-i386 \
--- 10,18 ----
  HOMEPAGE=		http://www.openssl.org/
  
  CONFLICTS=		SSLeay-* ssleay-*
+ CRYPTO=			# defined
  
  USE_PERL5=		# defined
  
  # matches what's in `Configure' (except sparc64)
  ONLY_FOR_PLATFORM=	NetBSD-*-alpha NetBSD-*-arm32 NetBSD-*-i386 \
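Review bot: Removing `NO_SRC_ON_FTP= ${RESTRICTED}` along with RESTRICTED changes more than binary package distribution: nothing in the new Makefile marks the openssl distfile as unsuitable for mirroring any more. The proposal text argues only for binary packages, so either keep a NO_SRC_ON_FTP setting here or state explicitly that source redistribution is intended to be opened up as well. Minor style point: `CRYPTO= # defined` is attached directly under CONFLICTS; a blank line before it would match how USE_PERL5 is set off.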