Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
On Tue, Sep 9, 2014 at 11:36 AM, Mullaley, Patrick S <patrick.mullaley@verizon.com> wrote:
Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
Hi Patrick,
(I am actually a Verizon FiOS customer at my home. I prefer to to use GMail account for email though.)
I think it is safe to assume the answer is "no".
I'm reading the wikipedia article on ECCN. It sounds like it might be difficult for X2Go to obtain an ECCN because we use SSH and SSL for encryption. https://en.wikipedia.org/wiki/Export_Administration_Regulations
Often we do use the Linux distro's provided SSH and SSL packages. But often (primarily on Windows and Mac) we do ship SSH and SSL libraries.
Of course, lots of open-source software uses and/or includes SSL libraries. This page seems to have useful advice. http://hecker.org/mozilla/eccn
I am open to suggestions.
Also, note that X2Go infrastructure such as http://code.x2go.org/releases/ (where the Windows client's binaries are downloaded from) is hosted in Germany.
-Mike#2
Thanks Mike. I appreciate the time and effort. I am sure you saw the email from Stefan on the subject as well.
-----Original Message----- From: Michael DePaulo [mailto:mikedep333@gmail.com] Sent: Wednesday, September 10, 2014 7:31 AM To: Mullaley, Patrick S Cc: x2go-dev@lists.x2go.org Subject: Re: [X2Go-Dev] Looking for your ECCN
On Tue, Sep 9, 2014 at 11:36 AM, Mullaley, Patrick S <patrick.mullaley@verizon.com> wrote:
Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
Hi Patrick,
(I am actually a Verizon FiOS customer at my home. I prefer to to use GMail account for email though.)
I think it is safe to assume the answer is "no".
I'm reading the wikipedia article on ECCN. It sounds like it might be difficult for X2Go to obtain an ECCN because we use SSH and SSL for encryption. https://en.wikipedia.org/wiki/Export_Administration_Regulations
Often we do use the Linux distro's provided SSH and SSL packages. But often (primarily on Windows and Mac) we do ship SSH and SSL libraries.
Of course, lots of open-source software uses and/or includes SSL libraries. This page seems to have useful advice. http://hecker.org/mozilla/eccn
I am open to suggestions.
Also, note that X2Go infrastructure such as http://code.x2go.org/releases/ (where the Windows client's binaries are downloaded from) is hosted in Germany.
-Mike#2
Right.
As someone who contributes to X2Go in my free time, I am not opposed to spending a small to moderate amount of my time and effort on obtaining an ECCN.
Note that on http://hecker.org/mozilla/eccn , it makes it sound like that you could possibly request an ECCN for X2Go. If so, I'd be happpy to provide you with the technical details you need to know (e.g., which exact encryption libraries/executables we use and for what purpose.)
-Mike
On Wed, Sep 10, 2014 at 7:55 AM, Mullaley, Patrick S <patrick.mullaley@verizon.com> wrote:
Thanks Mike. I appreciate the time and effort. I am sure you saw the email from Stefan on the subject as well.
-----Original Message----- From: Michael DePaulo [mailto:mikedep333@gmail.com] Sent: Wednesday, September 10, 2014 7:31 AM To: Mullaley, Patrick S Cc: x2go-dev@lists.x2go.org Subject: Re: [X2Go-Dev] Looking for your ECCN
On Tue, Sep 9, 2014 at 11:36 AM, Mullaley, Patrick S <patrick.mullaley@verizon.com> wrote:
Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
Hi Patrick,
(I am actually a Verizon FiOS customer at my home. I prefer to to use GMail account for email though.)
I think it is safe to assume the answer is "no".
I'm reading the wikipedia article on ECCN. It sounds like it might be difficult for X2Go to obtain an ECCN because we use SSH and SSL for encryption. https://en.wikipedia.org/wiki/Export_Administration_Regulations
Often we do use the Linux distro's provided SSH and SSL packages. But often (primarily on Windows and Mac) we do ship SSH and SSL libraries.
Of course, lots of open-source software uses and/or includes SSL libraries. This page seems to have useful advice. http://hecker.org/mozilla/eccn
I am open to suggestions.
Also, note that X2Go infrastructure such as http://code.x2go.org/releases/ (where the Windows client's binaries are downloaded from) is hosted in Germany.
-Mike#2
Hi Mike#2, hi Stefan, hi Patrick,
On Mi 10 Sep 2014 14:00:14 CEST, Michael DePaulo wrote:
Right.
As someone who contributes to X2Go in my free time, I am not opposed to spending a small to moderate amount of my time and effort on obtaining an ECCN.
Note that on http://hecker.org/mozilla/eccn , it makes it sound like that you could possibly request an ECCN for X2Go. If so, I'd be happpy to provide you with the technical details you need to know (e.g., which exact encryption libraries/executables we use and for what purpose.)
-Mike
Thanks to Mike#2 and Stefan for digging into the jungle of
jurisdiction... Patrick, if you are willing to deploy X2Go in your
business, I'd be happy if you (and your legal) can support Stefan and
Mike#2 getting the information you need.
If everything works out, I'd be happy to welcome Verizon on our list
of sponsors for the upcoming X2Go Gathering in Essen, Germany [1].
Thanks+Greets, Mike
[1] http://permalink.gmane.org/gmane.linux.terminal-server.x2go.announce/125
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
(Patrick, please subscribe to X2Go-Dev, so you get to see all the replies and not only the ones CC'ed to your inbox. Instructions on how to subscribe are in the e-mail I sent you off-list.)
Am 09.09.2014 um 17:36 schrieb Mullaley, Patrick S:
Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
Note that this is not legal advice, only the result of my findings after looking up the terms on Wikipedia and Google:
http://en.wikipedia.org/wiki/Export_Administration_Regulations explains what an ECCN is. http://en.wikipedia.org/wiki/Wassenaar_Arrangement explains what this is all about: export limitations on dual-use technology.
X2Go is a software that was originally coded in Germany (with parts relying on other freely available code, including, but not limited to, the GPL'ed parts of what the Italian-based company NoMachine offered for their NX product, or the free X server for Windows, VcXsrv) and whose web and download servers are hosted in Germany.
So, for those software parts actually created by the X2Go developers, my understanding is that German law applies. Things might be a little more complicated with code contributions that we receive from foreign (=non-German) nationals. If this is relevant to the issue at hand, we'd have to investigate further.
Now, the Wassenaar Arrangement has been turned into EU law (which, in turn, is binding for Germany): "COUNCIL REGULATION (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items", available here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:026... (English) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:026... (same in German)
The General Software Note (GSN), on Page 14, states, in a nutshell, that Software that is generally available or in the public domain is exempt from this regulation.
According to the definitions in this regulation, a software is "generally available" if it is:
- Sold from stock at retail selling points, without restriction, by means of: a. Over-the-counter transactions; b. Mail order transactions; c. Electronic transactions; or d. Telephone order transactions; and
- Designed for installation by the user without further substantial support by the supplier
While GPL software isn't "public domain", it *can* legally be sold, as the last paragraph of "TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION", section 1 of the GPL 2, states "You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee." And of course, this is possible in the ways described in "1."
Regarding "2.", double-clicking a setup.exe and hitting "Continue/Next" buttons until finished or running the package installation tol of your Linux distribution of choice clearly qualifies as "Designed for installation by the user without further substantial support by the supplier".
So, we do not have an ECCN, and we do not need one - that is my take on the situation.
-Stefan
Alright. Thank you for your reply. I will see what our legal team has to say. Wish me luck.
-----Original Message----- From: Stefan Baur [mailto:x2go-ml-1@baur-itcs.de] Sent: Wednesday, September 10, 2014 7:40 AM To: x2go-dev@lists.x2go.org; x2go-dev@lists.x2go.org Cc: Michael DePaulo; Mullaley, Patrick S Subject: Re: [X2Go-Dev] Looking for your ECCN
(Patrick, please subscribe to X2Go-Dev, so you get to see all the replies and not only the ones CC'ed to your inbox. Instructions on how to subscribe are in the e-mail I sent you off-list.)
Am 09.09.2014 um 17:36 schrieb Mullaley, Patrick S:
Hey guys! We are trying to get x2go added to our approved software list within Verizon, and in order to do so, I need to provide them with an ECCN. Do you have, or can you provide me with the ECCN tied to your software?
Note that this is not legal advice, only the result of my findings after looking up the terms on Wikipedia and Google:
http://en.wikipedia.org/wiki/Export_Administration_Regulations explains what an ECCN is. http://en.wikipedia.org/wiki/Wassenaar_Arrangement explains what this is all about: export limitations on dual-use technology.
X2Go is a software that was originally coded in Germany (with parts relying on other freely available code, including, but not limited to, the GPL'ed parts of what the Italian-based company NoMachine offered for their NX product, or the free X server for Windows, VcXsrv) and whose web and download servers are hosted in Germany.
So, for those software parts actually created by the X2Go developers, my understanding is that German law applies. Things might be a little more complicated with code contributions that we receive from foreign (=non-German) nationals. If this is relevant to the issue at hand, we'd have to investigate further.
Now, the Wassenaar Arrangement has been turned into EU law (which, in turn, is binding for Germany): "COUNCIL REGULATION (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items", available here: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:026... (English) http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:134:0001:026... (same in German)
The General Software Note (GSN), on Page 14, states, in a nutshell, that Software that is generally available or in the public domain is exempt from this regulation.
According to the definitions in this regulation, a software is "generally available" if it is:
- Sold from stock at retail selling points, without restriction, by means of: a. Over-the-counter transactions; b. Mail order transactions; c. Electronic transactions; or d. Telephone order transactions; and
- Designed for installation by the user without further substantial support by the supplier
While GPL software isn't "public domain", it *can* legally be sold, as the last paragraph of "TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION", section 1 of the GPL 2, states "You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee." And of course, this is possible in the ways described in "1."
Regarding "2.", double-clicking a setup.exe and hitting "Continue/Next" buttons until finished or running the package installation tol of your Linux distribution of choice clearly qualifies as "Designed for installation by the user without further substantial support by the supplier".
So, we do not have an ECCN, and we do not need one - that is my take on the situation.
-Stefan
-
Michael DePaulo -
Mike Gabriel -
Mullaley, Patrick S -
Stefan Baur