Originally mentioned in bug 1518091, forked here as separate bug.
The libgcrypt page https://www.gnupg.org/software/libgcrypt/index.html
mentions "former U.S. export restrictions on cryptographic software".
We should clarify if those export restrictions are still a problem.
Are we allowed to import a copy of libgcrypt into the Thunderbird source repository that is hosted on U.S. servers, and also include it in the Thunderbird source distributions, which are hosted on U.S. servers?
Here's a copy of what I originally wrote in bug 1518091 comment 4:
In order to help the decision process regarding the status of US export control, here are some pointers.
I believe I found examples of libgcrypt already being hosted on US servers, for example:
unofficial mirror on github: https://github.com/gpg/libgcrypt
binary debian linux package:
and source code:
The download server for Mozilla currently contains the following note at
"Firefox and NSS are publicly available software not subject to the Export Administration Regulations (EAR) per EAR 734.3(b) and 734.7. Because Firefox is not subject to the EAR it does not have an Export Control Classification Number (ECCN). Mozilla has completed the notification for Firefox and NSS publicly available encryption source code per EAR 742.15(b)."
I am not a lawyer, but according to
libgcrypt might be considered a library that is open and available to the public, and from which the public can obtain tangible or intangible documents, which has been publicly disseminated, including posting on Internet sites available to the public.
It would be good to get confirmation that this interpretation is correct, that hosting the libgcrypt source code and binary code on Mozilla download servers is permissible (like it's apparently considered permissible to host the NSS code).
Also, it should be clarified if Mozilla needs to perform any additional steps, like notifications, which are mentioned in the quoted export notice.