[squeak-dev] Undeclared 'nanos' in Cryptology extension to DateAndTime

Ron Teitelbaum ron at usmedrec.com
Fri May 29 21:42:23 UTC 2020


Hi Rob,

I'm not a lawyer but I think you are ok on squeaksource.com.  You could
register your code on github but you should discuss it with a lawyer.  The
issue is that if you make cryptography code available to the public you are
not able to guarantee that hostile state actors do not download the code.
That is a violation of US Law. There is an exception in the law that says
if the code is available as part of an open source project and it is
properly registered we can make the code publically available on the
internet.

squeaksource.com is properly registered and part of an open
source project.  If you like we can work to find a solution for your java
code.  There are also exceptions for weak encryption short key lengths
etc.  We would have to spend some time to figure it all out again to see if
we can find a solution for your other code.

By the way, squeakSSL is another interesting exception.  Since we use OS
modules instead of using our own crypto code in the plugin (unlike Pharo
that has decided to include OpenSSL in their plugin) it is not really
exporting cryptography.  Including openSSL and exporting it is also not a
good idea unless that plugin's location is also registered in the USA.

People that download and use the code are responsible to make sure that
their products are not exported to any countries on the list of countries
that are prohibited.

All the best,

Ron Teitelbaum

On Fri, May 29, 2020 at 5:04 PM Robert Withers <robert.withers at pm.me> wrote:

> Thanks for the heads up and clarification. Would you think that that
> applies to a protocol like ParrotTalk-Smalltalk/ParrotTalk-Swift (the code
> I put on github). Shoot, do you think my Java code for ASN1 and ParrotTalk
> is a violation? I am going to go ahead an delete, nobody uses it and
> shouldn't. It is no where near the latest.
>
> What would you say about my duplicate project on squeaksource, named
> Oceanside? I have ALL the Crypto there as a sort of backup. *Paranoia
> will destroy you!!  Duh, Duh-Duh, Duh, Duh-Duh, Duh-Duh!*
>
> *K, r*
> On 5/29/20 4:58 PM, Ron Teitelbaum wrote:
>
> Hi all,
>
> I've tried to work with the Pharo group but they keep kicking me out of
> their mailing list.  I've already mentioned this a number of times to the
> Pharo group but nobody seems to care.
>
> BOLD BOLD BOLD PLEASE TAKE THIS SERIOUSLY  BOLD BOLD BOLD
>
> I am not a lawyer but we used very good lawyers to make the squeaksource
> repository a safe place to do cryptography work.  If you are working on
> cryptography DO NOT POST your code anywhere except squeaksource.
> Especially if you are in the USA.  The ONLY repository that is approved to
> host our cryptography code in the USA and therefore not subject to criminal
> violations is squeaksource.  It is a CRIME in the USA to move code and make
> it available on the internet for everyone to download!  It must be hosted
> on squeaksoruce.com or another location that is also properly registered.
>
> IF YOU COPIED CRYPTOGRAPHY CODE TO ANOTHER REPOSITORY THAT IS NOT
> REGISTERED I would recommend you delete it immediately.
>
> END BOLD!
>
> Please feel free to post this to the Pharo mailing list because they
> apparently do not want to hear from me!
>
> All the best,
>
> Ron Teitelbaum
>
>
>
> On Thu, May 28, 2020 at 9:59 PM Robert Withers via Squeak-dev <
> squeak-dev at lists.squeakfoundation.org> wrote:
>
>> Hey Ron, since you spent serious time in making our Cryptography project
>> an official Crypto site, is there any possibility/usefulness in
>> reporting this violation to the organization you achieved our legitimacy
>> from? As the code has been ripped out and republished elsewhere, beyond
>> our controls.
>>
>> K, r
>>
>> On 5/28/20 9:37 PM, Robert Withers wrote:
>> >
>> > On 5/28/20 7:40 PM, Levente Uzonyi wrote:
>> >> On Thu, 28 May 2020, tim Rowledge wrote:
>> >>
>> >>>> On 2020-05-28, at 4:04 PM, Paul DeBruicker <pdebruic at gmail.com>
>> wrote:
>> >>>>
>> >>>> Uhh.  Hmmm.  Which version of that Blowfish code are you using?
>> >>> The version included in the cryptology package on squeaksource,
>> within the Cryptology-Ciphers package. Ron mentioned recently that we have
>> to be very careful about where this stuff gets published.
>> >>>
>> >>>
>> >>>> I think his version is here:
>> >>>> http://www.smalltalkhub.com/#!/~Cryptography/Cryptography
>> >>> Seems to be a more or less innaccessible site these days? I haven't
>> been able to get to it in ages.
>> >> It was announced to be shut down and replaced with a static site[1],
>> but
>> >> only on the Pharo list because who cares about other users.
>> > How unfortunate. I wanted to comment on the insular nature of their
>> > larceny. Cryptography can only be published in the squeak source
>> > repository. A lot of work went into it. Add it to the list...
>> >
>> > K, r
>> >
>> >> I suppose the migration[2] was not successful. The website complains
>> about
>> >> jquery not being loaded.
>> >> Anyway, with some url mangling, the listing is available here:
>> >> http://www.smalltalkhub.com/mc/Cryptography/Cryptography/main
>> >>
>> >>
>> >> Levente
>> >> [1]
>> http://forum.world.st/ANN-SmalltalkHub-Deprecation-Notice-td5114407.html
>> >> [2]
>> http://forum.world.st/ANN-Smalltalkhub-Readonly-Migration-tuesday-8hs-server-maintenance-migration-td5116817.html
>> >>
>> >>> tim
>> >>> --
>> >>> tim Rowledge; tim at rowledge.org; http://www.rowledge.org/tim
>> >>> Hardware: The parts of a computer system that can be kicked.
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squeakfoundation.org/pipermail/squeak-dev/attachments/20200529/7f594550/attachment.html>


More information about the Squeak-dev mailing list