[PROPOSAL] Release ldb with Samba on the 6-monthly release cycle

Alexander Bokovoy ab at samba.org
Fri May 3 06:55:38 UTC 2019


On Fri, 03 May 2019, Andrew Bartlett via samba-technical wrote:
> > > I've tested and the independent ldb build works from the Samba tarball.
> > > Can you spell out your specific concerns here a bit more?
> > If you are distributing ldb source (for example because they have to
> > given our license requires it) as a dependency you want to do just
> > that, of course people can make the tarball themselves but then you
> > risk having messy, unofficial tarballs around. 
> 
> Does anybody do that?
> 
> I'm serious, can you show me someone other than a linux distributor who
> already has to distribute Samba, who distributes ldb, or even a
> consumer other than sssd and the late openchange?
I have a bit of a tangential answer, but I think this is actually a valid
argument:

When a vendor has to deal with export compliance, even for open source or
free software, you need to perform export compliance checks for each
software component. It means that if the ldb tarball is effectively the Samba
tarball, it is subject to additional cryptography export compliance
checks, at least for US-based companies.

Whether such vendor would be distributing ldb alone or with samba being
present in the same commercial product is irrelevant -- it is going to
amount to additional work. Debian's opinion on it is
https://www.debian.org/legal/cryptoinmain.en.html and it has this
particular point:

"Under the new US Regulations, not only the open source, but also the
compiled executable software derived from open source, is eligible for
export under the same conditions as the open source itself, provided
that the compiled executable is available without restriction and free
of charge. Unfortunately, if you include the compiled executable
software into a product that you distribute for a fee, then the
resulting product is subject to all of the rules that apply to
commercial software programs. For example, they must be submitted to BXA
and NSA for a one-time technical review, described above."

However, it is going to be a substantial effort to review the libldb and
samba archives even if the libldb archive is a copy of the samba archive -- I
can only guess, but on the BXA/NSA side this would amount to a separate
investigation in each case (and would force a vendor to file a tracking
record for the libldb tarball shipping crypto implementations even if it is
not used anywhere inside the compiled code of libldb).

Basically, my personal opinion is that this situation is pushing more
unjustified work into the hands of our downstream consumers (vendors). I'm
not talking about it on behalf of my employer, it is purely my own
opinion, but I can see this as an additional overhead for some.


-- 
/ Alexander Bokovoy