Problem serving one-click installer to Syria

On 15/06/2010 06:15 ?, Bruce Momjian wrote:

M. Bashir Al-Noimi wrote:

What's going on!
http://downforeveryoneorjustme.com/ gave me the following stupid message:
------------------------------------------------------------------------
downforeveryoneorjustme error message

Forbidden

Your client does not have permission to get URL |/| from this server.
(Client IP address: 213.178.224.178)

You are accessing this page from a forbidden country.
------------------------------------------------------------------------
and enterprisedb.com<http://enterprisedb.com&gt; still unavailable!

Now I wondering does postgresql forbids my country or not?, is it open
source or something else?

I suppose we are going to have to guess your country; this web site,
http://www.ip-adress.com/ip_tracer/213.178.224.178, says it is Syria.

Certainly Postgres is available for everyone, but it seems EnterpriseDB
(and http://downforeveryoneorjustme.com/) are not able to serve that IP
block, which is a problem.

I have moved this email to the Postgres www list, and changed the
subject line. We should have more information for you soon.

Thanks, I'm waiting for your reply.

--
Best Regards
Muhammad Bashir Al-Noimi
My Blog: http://mbnoimi.net

On Tue, Jun 15, 2010 at 06:15, Bruce Momjian <bruce@momjian.us> wrote:

M. Bashir Al-Noimi wrote:

What's going on!
http://downforeveryoneorjustme.com/ gave me the following stupid message:
------------------------------------------------------------------------
downforeveryoneorjustme error message

  Forbidden

Your client does not have permission to get URL |/| from this server.
(Client IP address: 213.178.224.178)

You are accessing this page from a forbidden country.
------------------------------------------------------------------------
and enterprisedb.com <http://enterprisedb.com&gt; still unavailable!

Now I wondering does postgresql forbids my country or not?, is it open
source or something else?

I suppose we are going to have to guess your country;  this web site,
http://www.ip-adress.com/ip_tracer/213.178.224.178, says it is Syria.

Certainly Postgres is available for everyone, but it seems EnterpriseDB
(and http://downforeveryoneorjustme.com/) are not able to serve that IP
block, which is a problem.

I have moved this email to the Postgres www list, and changed the
subject line.  We should have more information for you soon.

This is the second report of this issue this week, the previous one
being a user in South Korea. It was fixed by Dave that time - but I'm
detecting a pattern here :-) We don't want to get tihs stuff fixed on
a case by case basis - can we verify that there is no generic block in
place, please?

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Magnus Hagander wrote:

On Tue, Jun 15, 2010 at 06:15, Bruce Momjian <bruce@momjian.us> wrote:

M. Bashir Al-Noimi wrote:

What's going on!
http://downforeveryoneorjustme.com/ gave me the following stupid message:
------------------------------------------------------------------------
downforeveryoneorjustme error message

Forbidden

Your client does not have permission to get URL |/| from this server.
(Client IP address: 213.178.224.178)

You are accessing this page from a forbidden country.
------------------------------------------------------------------------
and enterprisedb.com <http://enterprisedb.com&gt; still unavailable!

Now I wondering does postgresql forbids my country or not?, is it open
source or something else?

I suppose we are going to have to guess your country; this web site,
http://www.ip-adress.com/ip_tracer/213.178.224.178, says it is Syria.

Certainly Postgres is available for everyone, but it seems EnterpriseDB
(and http://downforeveryoneorjustme.com/) are not able to serve that IP
block, which is a problem.

I have moved this email to the Postgres www list, and changed the
subject line. We should have more information for you soon.

This is the second report of this issue this week, the previous one
being a user in South Korea. It was fixed by Dave that time - but I'm
detecting a pattern here :-) We don't want to get tihs stuff fixed on
a case by case basis - can we verify that there is no generic block in
place, please?

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot
get this fixed in a generic way we really need to look into alternative
ways - at least for people being affected by that - to get to the
one-click installer.

Stefan

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

--
greg

On Tue, 2010-06-15 at 13:16 +0100, Greg Stark wrote:

Actually I don't know what restrictions there would be for a product
that isn't being sold

Maybe encryption related issues?
--
Devrim GÜNDÜZ
PostgreSQL Danışmanı/Consultant, Red Hat Certified Engineer
PostgreSQL RPM Repository: http://yum.pgrpms.org
Community: devrim~PostgreSQL.org, devrim.gunduz~linux.org.tr
http://www.gunduz.org Twitter: http://twitter.com/devrimgunduz

On Tue, Jun 15, 2010 at 14:16, Greg Stark <gsstark@mit.edu> wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

If that is so, there needs to be a mirror that's not excluding these countries.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

The community doesn't host the mirrors, we just point to them. Aside
from what some poeple want it to be, linking is still legal AFAIK. It
is up to each individual mirror what they want to distribute. We've
never had issues with that before, and AFAIK nothing has changed
around this for many years.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

On Tue, Jun 15, 2010 at 12:16 PM, Greg Stark <gsstark@mit.edu> wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

Greg is entirely correct. We cannot export or facilitate the export of
cryto code to embargoed countries, such as Syria due to US export
laws. This doesn't just apply to EnterpriseDB of course, it applies to
the community as well, either where our servers are in the US, or the
people working on them are in the US. The penalties for ignoring this
are *extremely* harsh.

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

--
Dave Page
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise Postgres Company

On Tue, Jun 15, 2010 at 15:28, Dave Page <dpage@postgresql.org> wrote:

On Tue, Jun 15, 2010 at 12:16 PM, Greg Stark <gsstark@mit.edu> wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

Greg is entirely correct. We cannot export or facilitate the export of
cryto code to embargoed countries, such as Syria due to US export
laws. This doesn't just apply to EnterpriseDB of course, it applies to
the community as well, either where our servers are in the US, or the
people working on them are in the US. The penalties for ignoring this
are *extremely* harsh.

Well, it only applies to the US, so all our mirrors outside of the US
should be fine, AFAIK. Nor does it apply to community members outside
the US, however they'd do anything about that.

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

AFAIK, open source *communities* don't generally do anything at all
about this. We can restrict access to any of our servers that run in
the US, but as long as there are mirrors and the licence is open,
anybody outside the US can just redistribute it. So it sounds like th
easy fix is to just mirror it onto the community mirror network.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/

Magnus Hagander wrote:

On Tue, Jun 15, 2010 at 15:28, Dave Page <dpage@postgresql.org> wrote:

On Tue, Jun 15, 2010 at 12:16 PM, Greg Stark <gsstark@mit.edu> wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

Greg is entirely correct. We cannot export or facilitate the export of
cryto code to embargoed countries, such as Syria due to US export
laws. This doesn't just apply to EnterpriseDB of course, it applies to
the community as well, either where our servers are in the US, or the
people working on them are in the US. The penalties for ignoring this
are *extremely* harsh.

Well, it only applies to the US, so all our mirrors outside of the US
should be fine, AFAIK. Nor does it apply to community members outside
the US, however they'd do anything about that.

exactly - and other large projects (like debian) who used to do a
"non-US" mirror set stopped doing that ages ago (around the release of
Sarge - 3.1)

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

AFAIK, open source *communities* don't generally do anything at all
about this. We can restrict access to any of our servers that run in
the US, but as long as there are mirrors and the licence is open,
anybody outside the US can just redistribute it. So it sounds like th
easy fix is to just mirror it onto the community mirror network.

yeah that seems like a very simple solution, just upload the stuff to
the mirror network and provide an "if the above link to download fails
with an error try here" on the main website.

Stefan

On Tue, Jun 15, 2010 at 6:57 AM, Magnus Hagander <magnus@hagander.net> wrote:

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

AFAIK, open source *communities* don't generally do anything at all
about this. We can restrict access to any of our servers that run in
the US, but as long as there are mirrors and the licence is open,
anybody outside the US can just redistribute it. So it sounds like th
easy fix is to just mirror it onto the community mirror network.

+1

I'm going to ping Eben Moglen (lawyer at the software freedom law
center) about this on our behalf. The few people I've talked to who
have had to deal with similar issues think that crypto built from open
standards no longer are subject to prosecution, and whether the
software originated in the US or not, we are free to redistribute.

-selena

--
http://chesnok.com/daily - me

On Tue, Jun 15, 2010 at 8:25 AM, Selena Deckelmann
<selenamarie@gmail.com> wrote:

I'm going to ping Eben Moglen (lawyer at the software freedom law
center) about this on our behalf. The few people I've talked to who
have had to deal with similar issues think that crypto built from open
standards no longer are subject to prosecution, and whether the
software originated in the US or not, we are free to redistribute.

I've sent a message to Eben, and looked up a few things:

http://sourceforge.net/blog/clarifying-sourceforgenets-denial-of-site-access-for-certain-persons-in-accordance-with-us-law/
http://www.softwarefreedom.org/blog/2010/mar/12/new-export-rules-promote-internet-freedom/

Will forward if I get an answer back from SFLC.

-selena

--
http://chesnok.com/daily - me

Stefan Kaltenbrunner wrote:

AFAIK, open source *communities* don't generally do anything at all
about this. We can restrict access to any of our servers that run in
the US, but as long as there are mirrors and the licence is open,
anybody outside the US can just redistribute it. So it sounds like th
easy fix is to just mirror it onto the community mirror network.

yeah that seems like a very simple solution, just upload the stuff to
the mirror network and provide an "if the above link to download fails
with an error try here" on the main website.

First, to clarify, this only applies to the one-click installers because
they embed the OpenSSL library into the installer, unlike, for example,
the RPMs which use the operating system copy of OpenSSL.

We have managed to avoid all this in the past because the community only
distributed the software (not binaries) for years, but the one-click
installer is forcing us to address this issue.

Second, the one-click installers are produced by a USA company
(EnterpriseDB), which means the company cannot facilitate distribution
of the one-click installers to embargoed countries, and US citizens and
people working for US companies cannot either. That severely limits our
options because I assume USA companies must also prevent their software
from being placed on servers that allow downloads from embargoed
countries, and US citizens cannot facilitate this either.

Now, if the binaries were created in Sweden (and assume Sweden has no
embargoes), we could place the binaries on all the servers _except_ USA
servers. However, since the binaries were created by a USA company, I
don't think we have that option.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ None of us is going to be here forever. +

On 15/06/2010 02:16 ?, Greg Stark wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar.

This issue found in some cases not all, for example we can buy from
Microsoft products and many other websites where we can't download or
contribute in MySQL, sf.net, OpenOffice or even reading specific
articles at IBM although there are some old contributors from Syria and
the other blacklisted countries in many open source projects and many
many projects owned by non-American people or even Americans believe in
freedom and don't agree with forbidding policy for open source stuffs.

Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

OK if they wanted to be conservative why they accept payments from these
IPs? why they allow users of theses IPs to use US e-mail services? why
they allow us to use facebook or Twitter where don't for scientific
articles? where they don't allow us to just read a non-atomic article?

OOOH I got, this is the modern democracy! Thanks a lot Mr. Obama & Mrs.
Clinton they want to liberate us from communist or socialistic dictators
where they didn't worst than them.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

No I think the problem can be solved easily just make mirrors outside US.

For example before moving some open source projects we asked Launchpad
<https://launchpad.net/&gt; admins if they apply US rule for blacklist
counties and they answered No the open source must be opened for the
humanity not for specific peoples this is clear principle (their servers
in UK). Same answer I got from BerliOS <http://developer.berlios.de/&gt;
(in Germany). For that many open source projects decided to move outside
sf.net (US server) to GNA (French), Launchpad <https://launchpad.net/&gt;,
BerliOS <http://developer.berlios.de/&gt; and many other open source
hosting services.

--
Best Regards
Muhammad Bashir Al-Noimi
My Blog: http://mbnoimi.net

On 15/06/2010 03:18 م, Devrim GÜNDÜZ wrote:

On Tue, 2010-06-15 at 13:16 +0100, Greg Stark wrote:

Actually I don't know what restrictions there would be for a product
that isn't being sold

Maybe encryption related issues?

Yes Devrim

--
Best Regards
Muhammad Bashir Al-Noimi
My Blog: http://mbnoimi.net

On 15/06/2010 03:28 م, Dave Page wrote:

On Tue, Jun 15, 2010 at 12:16 PM, Greg Stark<gsstark@mit.edu> wrote:

On Tue, Jun 15, 2010 at 7:58 AM, Stefan Kaltenbrunner
<stefan@kaltenbrunner.cc> wrote:

yeah - We really can't discriminate against some of our users in that
way(and we are not doing that on any of our other sites). If we cannot get
this fixed in a generic way we really need to look into alternative ways -
at least for people being affected by that - to get to the one-click
installer.

Well South Korea would have been obviously just a mistake. But I would
expect it to be an issue for any US company to server IPs in Syria,
North Korea, Cuba, Iran, or Burma/Myanmar. Actually I don't know what
restrictions there would be for a product that isn't being sold but I
wouldn't be surprised if they wanted to be conservative and just not
serve those IPs at all.

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

Greg is entirely correct. We cannot export or facilitate the export of
cryto code to embargoed countries, such as Syria due to US export
laws. This doesn't just apply to EnterpriseDB of course, it applies to
the community as well, either where our servers are in the US, or the
people working on them are in the US. The penalties for ignoring this
are *extremely* harsh.

I want to ask you a tiny question, do you agree with this policy? if yes
go ahead and forbid your projects but not others projects (my friend
from Spain be came crazy when I told him that I can access the SVN
because US blocked my IP).

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

Thanks a lot for your efforts.

--
Best Regards
Muhammad Bashir Al-Noimi
My Blog: http://mbnoimi.net

On 15/06/2010 05:25 م, Selena Deckelmann wrote:

On Tue, Jun 15, 2010 at 6:57 AM, Magnus Hagander<magnus@hagander.net> wrote:

The situation is ridiculous I know - it's easy to get OpenSSL from any
number of places of course. As of this morning, we have people looking
into the legal issues to see if there is a way that we (EnterpriseDB
and the community) can make all our downloads available universally
without putting anyone at risk of prosecution. We're also talking to
other large organisations involved in Open Source to see if/how they
deal with this within the projects they work on.

AFAIK, open source *communities* don't generally do anything at all
about this. We can restrict access to any of our servers that run in
the US, but as long as there are mirrors and the licence is open,
anybody outside the US can just redistribute it. So it sounds like th
easy fix is to just mirror it onto the community mirror network.

+1

I'm going to ping Eben Moglen (lawyer at the software freedom law
center) about this on our behalf. The few people I've talked to who
have had to deal with similar issues think that crypto built from open
standards no longer are subject to prosecution, and whether the
software originated in the US or not, we are free to redistribute.

-selena

Nice guys, that's good news

--
Best Regards
Muhammad Bashir Al-Noimi
My Blog: http://mbnoimi.net

Hi!

On Tue, Jun 15, 2010 at 10:35 AM, M. Bashir Al-Noimi <admin@mbnoimi.net> wrote:

OOOH I got, this is the modern democracy!

While I sympathize with expressions of sarcasm around this issue --
let's keep this particular discussion on the topic of whether or not
the 1-click installers can be mirrored.

Using a Bcc to reduce the impulse to respond other than directly to individuals.

-selena

--
http://chesnok.com/daily - me

M. Bashir Al-Noimi wrote:

Greg is entirely correct. We cannot export or facilitate the export of
cryto code to embargoed countries, such as Syria due to US export
laws. This doesn't just apply to EnterpriseDB of course, it applies to
the community as well, either where our servers are in the US, or the
people working on them are in the US. The penalties for ignoring this
are *extremely* harsh.

I want to ask you a tiny question, do you agree with this policy? if yes
go ahead and forbid your projects but not others projects (my friend
from Spain be came crazy when I told him that I can access the SVN
because US blocked my IP).

To clarify, the source code can be downloaded from anywhere. It is only
the one-click installer that embeds OpenSSL that is a problem.

Technically the non-source code distributions of Postgres are produced
by external groups. The community only distributes the source code,
though we provide links to the external groups, and we are working with
those groups to see if we can come up with a solution.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ None of us is going to be here forever. +

Magnus Hagander wrote:

For the community it might be tricky to solve since many of the
servers are hosted or sponsored by US organizations. Having some
servers with different rules than others might complicate matters
significantly.

The community doesn't host the mirrors, we just point to them. Aside
from what some poeple want it to be, linking is still legal AFAIK. It
is up to each individual mirror what they want to distribute. We've
never had issues with that before, and AFAIK nothing has changed
around this for many years.

I don't think we want to be pushing embargoed data to mirrors and tell
them them have to worry about it; that might lead to us losing mirrors
and mirrors hosters feeling abused by the community. We would need to
contact every mirror where this might be a problem, explain the issue,
and let them decide if they want those files.

But again, does a USA company have to try to prevent or report such
mirrors --- I have no idea.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ None of us is going to be here forever. +