I just thought it was strange that the US Federal government has a server up (ftp.cis.fed.gov) that offers ssh, openssh, openssl to the world and we cannot have it on the CDs. It says on the fed.gov site that rpms and src.rpm are available "mainly RedHat and SuSE have been tested". Yes, they specifically mention our SuSE.
Legally those software packages cannot be re-exported outside the US or Canada. Currently US crypto law says: 64-bit and lower is ok (but no-one really uses <64-bit crypto). Export licenses are easier to get, especially for Western Europe etc., but most open source packages are done outside the US in the first place (Canada, Australia and Germany seem popular). Open Source crypto is supposedly exportable if you notify the BXA (Bureau of Export Administration), so in theory you can put PGP on a webpage as long as you tell them... Your mileage may vary, and if you end up in federal prison don't blame me.
As for the "Secure server", yes it is "off the shelf" software components you can get for free, but the RSA data component of OpenSSL is licensed. OpenSSL can also use RSAREF, which is slower and generally uglier than "proper" RSA. Legally in the US you cannot use RSA unless you license it, or use RSAREF (and RSAREF has a nasty license, you can't use it for anything that generates revenue, so for example universities cannot use it since they charge tuition which pays for network services). The patents should run out September 20th, however, at which point the rules change.
The main problem is if you press the CDs in the US and put crypto on 'em you cannot export them outside US/Canada without some potential problems. Now I doubt the US would throw every US SuSE employee in federal prison if they did do crypto on the CDs, but OTOH I would advise you consult your lawyer first and make damn sure it's legal.
With Kind Regards,
-Kurt