The encryption export control notices on the various *.mozilla.org sites are inconsistent and out of date. For example, some notices refer to countries like Afghanistan or Iraq that are no longer subject to the same export control treatment as North Korea, etc. All such notices should be updated to a single standard notice to the maximum extent possible. The notice to be used will be based on that given in note 2 of <http://www.steptoe.com/publications/EncryptionChart.pdf>: This hardware/software is subject to the U.S. Export Administration Regulations and other U.S. law, and may not be exported or re-exported to certain countries (currently Cuba, Iran, Libya, North Korea, Sudan and Syria) or to persons or entities prohibited from receiving U.S. exports (including those (a) on the Bureau of Industry and Security Denied Parties List or Entity List, (b) on the Office of Foreign Assets Control list of Specially Designated Nationals and Blocked Persons, and (c) involved with missile technology or nuclear, chemical or biological weapons). (The words "hardware/software" will be changed as necessary to reflect the particular item to which the notice applies.)
Grepping the www.mozilla.org source for 're-export' gives the following files that apparently have copies of the notice: html/mirroring.html html/projects/seamonkey/releases/1.0.html html/projects/seamonkey/releases/1.0a.html html/projects/seamonkey/releases/1.0b.html html/projects/seamonkey/releases/index.html html/projects/security/pki/nss/faq.html html/projects/security/pki/src/download.html html/releases/index.html html/releases/mozilla1.0.1.html html/releases/mozilla1.0.2.html html/releases/mozilla1.0.html html/releases/old-releases-0.9.2-1.0rc3.html html/releases/old-releases-1.1-1.4rc3.html html/releases/old-releases.html
Is this bug only for www.mozilla.org or for all *.mozilla.[org|com] sites?
It's for all *.mozilla.org sites, but excludes mozilla.com sites controlled by the Mozilla Corporation. Those will need to be fixed too, but the notice may be slightly different, and I won't be the person making the changes. My plan is to first fix all the references on www.mozilla.org, and then look at the other *.mozilla.org sites. I'll fix what I can, and then we can either open up a new bug or (re)assign this one to someone else.
Created attachment 220471 [details] [diff] [review] Patch to update www.mozilla.org for new export control notice Here are all the patches that should be needed for www.mozilla.org, for all the files referenced above. I've double-checked all the generated pages and they look OK. Note that in many cases the previous notice referred to "source code" when it should have referred to "software"; I've updated the wording as appropriate.
I've updated the following pages on developer.mozilla.org where the encryption export control notice appears in English: http://developer.mozilla.org/en/docs/Download_Mozilla_Source_Code http://developer.mozilla.org/cn/docs/%E4%B8%8B%E8%BD%BDMozilla%E6%BA%90%E4%BB%A3%E7%A0%81 The following page has a translated notice that needs to be updated: http://developer.mozilla.org/fr/docs/T%C3%A9l%C3%A9chargement_du_code_source_de_Mozilla As far as I can tell this notice doesn't appear on developer.mozilla.org in any other language.
Comment on attachment 220471 [details] [diff] [review] Patch to update www.mozilla.org for new export control notice Frank, Do you have access to commit this yourself, or do you need one of the web monkeys to commit it for you?
I have commit access to www.mozilla.org. However I'm not going to check the changes in tonight because I want to go to bed and don't want to hang around to make sure the site gets updated properly. I'll check them in tomorrow.
The notice appears in at least two places on ftp.mozilla.org: http://ftp.mozilla.org/pub/mozilla.org/security/export-notice http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/export-notice (Thanks to Zak Greant who did some Google queries to track these pages down, as well as the pages on developer.mozilla.org.) I don't have write access to ftp.mozilla.org, so someone else will have to make the changes.
I've checked in the changes to www.mozilla.org (for all the files mentioned above) and have verified that the corresponding pages got updated correctly. Next task: Get ftp.mozilla.org updated.
(In reply to comment #8) > The notice appears in at least two places on ftp.mozilla.org: > > http://ftp.mozilla.org/pub/mozilla.org/security/export-notice > http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/export-notice Filed bug 336308 on the issue.
Now that bug 336308 is FIXED VERIFIED, this bug can be marked as FIXED as well. All changes to www.mozilla.org and developer.mozilla.org have been made and verified. The only other *.mozilla.org references appear to be historical references in the CVS logs.
Two more points: 1) I have already verified that the changes got made to www.mozilla.org and developer.mozilla.org, so I'm marking this bug VERIFIED as well. Also, although it wasn't within scope for this bug, I couldn't find any instances of the export notices on www.mozilla.com or indeed on any *.mozilla.com site. If anyone does find any please open up a new bug so we can get those fixed.