binary distribution subject to export restrictions? #129

Closed
stefan-guggisberg opened this issue Aug 30, 2018 · 11 comments
@stefan-guggisberg
Contributor

subtask of #127

@stefan-guggisberg added the "help wanted" and "question" labels Aug 30, 2018
@stefan-guggisberg
Contributor Author

scenario:

the binary distribution of helix-cli is built with nodec, packaging Node runtime, helix-cli and all dependencies into a single, self-contained binary executable.

both Node and libgit2 (a helix-cli transitive dependency) statically link openssl, to the best of my understanding.

the final self-contained executable is wrapped in a self-extractable shell script which can be downloaded from a public url.

question:

would this deployment be subject to US encryption controls or other export restrictions?

related discussion: https://discuss.atom.io/t/isnt-electron-subject-to-us-export-control-laws/32136

@stevengill

@adobe/open-source-office let's chat with our legal counsel about this.

@royfielding

As mentioned, check with Adobe legal -- we have folks who know exactly what and when we need to do EAR notifications. Big software companies often negotiate that directly with the agencies, so I have no idea how to do it right for Adobe.

@stevengill

I've sent an email to David Moore from Adobe legal asking for guidance. Cc'ed @stefan-guggisberg on the email.

@stevengill self-assigned this Sep 5, 2018
@stevengill

I'm meeting with David Moore tomorrow about this issue. Will report back.

@stevengill

I had a good chat with David Moore from the trade compliance team.

A few follow up questions:

  • The encryption in node.js, is it accessible through the binary? Or is it dormant?
  • Do we know how node.js uses the crypto library?

David suggested we go through a legal sprint for this so they can properly classify it and clear it. Thoughts?

@stefan-guggisberg
Contributor Author

Thanks, @stevengill.

> The encryption in node.js, is it accessible through the binary? Or is it dormant?

the hlx binary embeds node.js runtime and the helix-cli node app. hlx up runs some local code in the current directory (e.g. src/html.pre.js). so, theoretically, local code could do require('crypto'). OTOH that's no different than node.js itself which can be downloaded (AFAIU without restrictions) and which exposes the crypto builtin module to client code.

> Do we know how node.js uses the crypto library?

node.js includes the crypto builtin module. To my best understanding in the helix-cli app the crypto module is only used by the git-server dependency for computing md5 and sha1 hashes.

> David suggested we go through a legal sprint for this so they can properly classify it and clear it. Thoughts?

I don't know what a legal sprint encompasses. Unless it would require a huge effort I'd say yes. Let's do it.

@trieloff
Contributor

trieloff commented Oct 8, 2018

@stevengill do you know if there have been updates to this from legal?

@stevengill

@trieloff I just pinged them today for an update

@stefan-guggisberg
Contributor Author

@stevengill Any updates on this?

@stefan-guggisberg
Contributor Author

obsolete, binary hlx distribution has been retired #696
