Hi Rob,

I'm not a lawyer but I think you are ok on squeaksource.com. You could register your code on github but you should discuss it with a lawyer. The issue is that if you make cryptography code available to the public you are not able to guarantee that hostile state actors do not download the code. That is a violation of US Law. There is an exception in the law that says if the code is available as part of an open source project and it is properly registered we can make the code publicly available on the internet.

squeaksource.com is properly registered and part of an open source project. If you like we can work to find a solution for your java code. There are also exceptions for weak encryption, short key lengths, etc. We would have to spend some time to figure it all out again to see if we can find a solution for your other code.

By the way, squeakSSL is another interesting exception. Since we use OS modules instead of using our own crypto code in the plugin (unlike Pharo that has decided to include OpenSSL in their plugin) it is not really exporting cryptography. Including OpenSSL and exporting it is also not a good idea unless that plugin's location is also registered in the USA.

People that download and use the code are responsible to make sure that their products are not exported to any countries on the list of countries that are prohibited.  

All the best,

Ron Teitelbaum

On Fri, May 29, 2020 at 5:04 PM Robert Withers <robert.withers@pm.me> wrote:

Thanks for the heads up and clarification. Would you think that that applies to a protocol like ParrotTalk-Smalltalk/ParrotTalk-Swift (the code I put on github)? Shoot, do you think my Java code for ASN1 and ParrotTalk is a violation? I am going to go ahead and delete, nobody uses it and shouldn't. It is nowhere near the latest.

What would you say about my duplicate project on squeaksource, named Oceanside? I have ALL the Crypto there as a sort of backup. Paranoia will destroy you!!  Duh, Duh-Duh, Duh, Duh-Duh, Duh-Duh!

K, r

On 5/29/20 4:58 PM, Ron Teitelbaum wrote:
Hi all,

I've tried to work with the Pharo group but they keep kicking me out of their mailing list.  I've already mentioned this a number of times to the Pharo group but nobody seems to care.  

BOLD BOLD BOLD PLEASE TAKE THIS SERIOUSLY  BOLD BOLD BOLD

I am not a lawyer but we used very good lawyers to make the squeaksource repository a safe place to do cryptography work. If you are working on cryptography DO NOT POST your code anywhere except squeaksource. Especially if you are in the USA. The ONLY repository that is approved to host our cryptography code in the USA and therefore not subject to criminal violations is squeaksource. It is a CRIME in the USA to move code and make it available on the internet for everyone to download! It must be hosted on squeaksource.com or another location that is also properly registered.

IF YOU COPIED CRYPTOGRAPHY CODE TO ANOTHER REPOSITORY THAT IS NOT REGISTERED I would recommend you delete it immediately.

END BOLD!  

Please feel free to post this to the Pharo mailing list because they apparently do not want to hear from me!

All the best,

Ron Teitelbaum



On Thu, May 28, 2020 at 9:59 PM Robert Withers via Squeak-dev <squeak-dev@lists.squeakfoundation.org> wrote:
Hey Ron, since you spent serious time in making our Cryptography project
an official Crypto site, is there any possibility/usefulness in
reporting this violation to the organization you achieved our legitimacy
from? As the code has been ripped out and republished elsewhere, beyond
our controls.

K, r

On 5/28/20 9:37 PM, Robert Withers wrote:
>
> On 5/28/20 7:40 PM, Levente Uzonyi wrote:
>> On Thu, 28 May 2020, tim Rowledge wrote:
>>
>>>> On 2020-05-28, at 4:04 PM, Paul DeBruicker <pdebruic@gmail.com> wrote:
>>>>
>>>> Uhh.  Hmmm.  Which version of that Blowfish code are you using?
>>> The version included in the cryptology package on squeaksource, within the Cryptology-Ciphers package. Ron mentioned recently that we have to be very careful about where this stuff gets published.
>>>
>>>
>>>> I think his version is here:
>>>> http://www.smalltalkhub.com/#!/~Cryptography/Cryptography
>>> Seems to be a more or less inaccessible site these days? I haven't been able to get to it in ages.
>> It was announced to be shut down and replaced with a static site[1], but
>> only on the Pharo list because who cares about other users.
> How unfortunate. I wanted to comment on the insular nature of their
> larceny. Cryptography can only be published in the squeak source
> repository. A lot of work went into it. Add it to the list...
>
> K, r
>
>> I suppose the migration[2] was not successful. The website complains about
>> jquery not being loaded.
>> Anyway, with some url mangling, the listing is available here:
>> http://www.smalltalkhub.com/mc/Cryptography/Cryptography/main
>>
>>
>> Levente
>> [1] http://forum.world.st/ANN-SmalltalkHub-Deprecation-Notice-td5114407.html
>> [2] http://forum.world.st/ANN-Smalltalkhub-Readonly-Migration-tuesday-8hs-server-maintenance-migration-td5116817.html
>>
>>> tim
>>> --
>>> tim Rowledge; tim@rowledge.org; http://www.rowledge.org/tim
>>> Hardware: The parts of a computer system that can be kicked.