Debian or Arch or Ubuntu never ask for my confirmation ?
Example :
You acknowledge that openSUSE Leap 15.3 is subject to the U.S. Export Administration Regulations (the “EAR”) and you agree to comply with the EAR. You will not export or re-export openSUSE Leap 15.3 directly or indirectly, to: (1) any countries that are subject to US export restrictions; (2) any end user who you know or have reason to know will utilize openSUSE Leap 15.3 in the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, and sounding rockets, or unmanned air vehicle systems, except as authorized by the relevant government agency by regulation or specific license; or (3) any end user who has been prohibited from participating in the US export transactions by any federal agency of the US government. By downloading or using openSUSE Leap 15.3, you are agreeing to the foregoing and you are representing and warranting that You are not located in,under the control of, or a national or resident of any such country or on any such list. In addition, you are responsible for complying with any local laws in Your jurisdiction which may impact Your right to import, export or use openSUSE Leap 15.3. Please consult the Bureau of Industry and Security web page www.bis.doc.gov before exporting items subject to the EAR. It is your responsibility to obtain any necessary export approvals.
This has to do with encryption protocols. Offhand my assumption is either they are trying to be extra cautious as the rules are incredibly complex, or they have a different algorithm included by default that would be subject to those rules.
It is my limited understanding that encryption beyond a certain level is illegal to export from the US. For example one of the positives of OpenBSD being based in Canada
wasis the ability to include crypto at a level that that the US wouldn’t permit to export.From https://www.openbsd.org/crypto.html
Edit: tense
It hasn’t been illegal for a while now. Encryption is protected under free speech. (The Ninth Circuit Court of Appeals ruled in our favor)
Wouldn’t at the time. A lot of the restrictions on encryption algorithms themselves were loosened in the 90s after successful court cases ruling that source code was free speech.
Huh, TIL… That’s cool!
deleted by creator
There are no legal restrictions on cryptography in the US as software is protected under free speech.
That’s not what a quick search and Wikipedia says. To be fair, I didn’t fact check all their references:
https://en.m.wikipedia.org/w/index.php?title=Export_of_cryptography_from_the_United_States
https://www.eff.org/cases/bernstein-v-us-dept-justice
https://en.wikipedia.org/wiki/Bernstein_v._United_States
It helps to actually read the wikipedia pages.
I did, that doesn’t change anything
SuSE and RH have their own legal teams who have combed through all of this and have decided not to chance it. Personally, I wouldn’t base a significant part of the foundation of any product on something as fickle as a Supreme Court ruling, especially when the product is something major from a group like SuSE or RH.
There isn’t much to “chance”. The Ninth Circuit Court of Appeals has the authority in the matter.
Some organizations just don’t take no for an answer
Cryptography is protected under the first amendment
A while back the NSA tried to argue it was a weapon and subject to weapons export restrictions but that was shot down in court
Out of curiosity, would they be subject to these laws/protocols/regulations if they are (developers or organization) based in the US, but offer releases hosted elsewhere in the world AND/OR develop the product with code hosted elsewhere in the world?
It’s one of those bureacratic things. You could download OpenSUSE in a restricted country and install it, but if you were in the USA and transfered the data to a restricted country you would be in violation of ETAR restrictions, even without the EULA