[PYTHON-CRYPTO] Crypto code on PyPI

M.-A. Lemburg mal at EGENIX.COM
Tue Dec 1 11:55:28 CET 2009


Some time ago we discussed the possibility and implications of
uploading crypto code to PyPI.

I had asked the PSF board for their view on this. Below is the reply
I received yesterday.

The two paragraphs Martin is talking about can be found on the
web-site at http://www.python.org/about/legal/:

"""
Third-Party Content

The Python Software Foundation (“PSF”) does not claim ownership of any third-party code or content
(“third party content”) placed on the web site and has no obligation of any kind with respect to
such third party content. Any third party content provided in connection with this web site is
provided on a non-confidential basis. The PSF is free to use or disseminate such content on an
unrestricted basis for any purpose, and third party content providers grant the PSF and all other
users of the web site an irrevocable, worldwide, royalty-free, nonexclusive license to reproduce,
distribute, transmit, display, perform, and publish such content, including in digital form.

Third party content providers represent and warrant that they have obtained the proper governmental
authorizations for the export and reexport of any software or other content contributed to this web
site by the third-party content provider, and further affirm that any United States-sourced
cryptographic software is not intended for use by a foreign government end-user. Individuals and
organizations subject to United States law are advised that this website is hosted in the
Netherlands, and uploading packages to PyPI containing United States-sourced cryptographic software
is strictly forbidden without compliance with United States export controls under the Export
Administration Regulations.
"""

In summary, it's up to the uploader of crypto code to deal with the
export regulations based on the fact that the python.org servers
are located in the Netherlands.

This could mean that the uploader has to fulfill extra notification
requirements (e.g. if uploading from the US) or other regulations
imposed by the country of origin.

Note that in addition to the US export rules, crypto code may not be
intended for foreign government end-users (see second paragraph above).

-- 
Marc-Andre Lemburg
eGenix.com



-------- Original Message --------
Subject: Re: [PSF-Board] Crypto code on PyPI
Date: Mon, 30 Nov 2009 17:04:10 +0100
From: "Martin v. Löwis" <martin at v.loewis.de>
To: M.-A. Lemburg <mal at egenix.com>
CC: Python Board <psf-board at python.org>

> What's the PSF's point of view on this?

We have now implemented our lawyers' advice on this matter, which
led to the inclusion of two paragraphs into

http://www.python.org/about/legal/

Van Lindberg writes:

"""
The PSF hosts a web site (PyPI) located in the Netherlands to which
programmers are able to upload software modules that work with Python,
which is a publicly available programming language.  Some of these
uploaded software modules may contain encryption components of varying
algorithms and key-lengths, including those in excess of 56-bits. In
this regard, PyPI acts as a search engine or directory for code
contributed by other individuals; the contents of individual packages on
PyPI are not created, owned, or uploaded by the PSF itself or anyone
acting as an agent of the PSF. Some of the package download links point
to packages on PSF-hosted servers; others point to servers outside the
control of the PSF. The contents of packages downloaded from PyPI may be
downloaded interactively (by a person) or by an automated software agent
(such as easy_install).

With reference to PyPI, the export of encryption source or object code
is actually performed by the person uploading the package to PyPI, and
not by the PSF itself. This export takes place when a package containing
United States-sourced encryption is uploaded to the PyPI server in the
Netherlands. The individual or entity that uploads U.S.-origin
encryption software is responsible for obtaining the necessary U.S.
government classification and licensing prior to the software being
uploaded to the PSF web site.
"""

Regards,
Martin


