Bug 1896 - (HTTP401-Iran) HTTP 401: Authorization Required for requests from Iran
(HTTP401-Iran)
: HTTP 401: Authorization Required for requests from Iran
Status: RESOLVED WONTFIX
Product: maemo.org Website
Repositories
: 4.1
: All Linux
: Low normal (vote)
: ---
Assigned To: repositories@maemo.bugs
:
:
:
:
:
  Show dependency tree
 
Reported: 2007-08-23 15:35 UTC by Behnam [:ZWNJ] Esfahbod
Modified: 2008-09-04 17:22 UTC (History)
6 users (show)

See Also:


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description Behnam [:ZWNJ] Esfahbod (reporter) 2007-08-23 15:35:52 UTC
PRECONDITIONS: 

My IP: 213.207.210.231.


STEPS LEADING TO PROBLEM: 

All the following links return an HTTP 401 error, both from browser and
Application Manager on N800, and also from my laptop.

1. http://repository.maemo.org/dists/bora/free/binary-armel/Packages
2. http://repository.maemo.org/dists/bora/free/binary-armel/Packages.gz
3. http://repository.maemo.org/dists/bora/free/binary-armel/Release
4. http://repository.maemo.org/dists/bora/free/binary-armel/Packages.bz2

5. http://repository.maemo.org/extras/dists/3.2/install/microb-browser.install

6. http://repository.maemo.org/contrib/dists/bora/free/binary-armel/Release


FREQUENCY OF OCCURRENCE: 
Always, since 20 Mar 2007.
Comment 1 Behnam [:ZWNJ] Esfahbod (reporter) 2007-08-23 15:47:44 UTC
> FREQUENCY OF OCCURRENCE: 
> Always, since 20 Mar 2007.

I have no info about this problem, before this date.
Comment 2 Juha Kallioinen nokia 2007-08-23 15:51:37 UTC
I tested the given URIs from three different machines connected to different
networks and all of them do work. The only way I get something authentication
related (401 response) is if I use https:// URI schema.

So I don't know what to say other than 'works for me'.. but have you noticed
any other problems with your network after the 20th?

Cheers,
 Juha
Comment 3 Behnam [:ZWNJ] Esfahbod (reporter) 2007-08-23 16:22:43 UTC
(In reply to comment #2)
> So I don't know what to say other than 'works for me'.. but have you noticed
> any other problems with your network after the 20th?

No, it's definitely a server-side problem, as I have same problem from work,
which has a 194.225.x.y IP.  Note that I'm in Iran, and both of these IPs
belong to Iranian IRRs.
Comment 4 Quim Gil nokia 2007-10-23 07:44:52 UTC
Can this have a relation with https://bugs.maemo.org/show_bug.cgi?id=798 ?
Comment 5 Jake Kunnari 2007-11-19 12:26:47 UTC
*** Bug 2319 has been marked as a duplicate of this bug. ***
Comment 6 Paul Gear 2008-01-18 13:18:30 UTC
The maemo extras repository is constantly broken for me because of this bug. 
Please raise the priority!  Here is an example URL (from my squid server's
access.log):

1200654179.994     30 127.0.0.1 TCP_MISS/404 740 GET
http://repository.maemo.org/extras/dists/chinook/free/binary-armel/Packages.diff/Index
- DIRECT/203.206.139.72 text/html

Here is the DNS resolution from my system:
root@lamech:~# host repository.maemo.org
repository.maemo.org is an alias for repository.maemo.org.edgesuite.net.
repository.maemo.org.edgesuite.net is an alias for a515.g.akamai.net.
a515.g.akamai.net has address 203.206.139.71
a515.g.akamai.net has address 203.206.139.72

This happens from both my desktop and N800, and directly from my proxy server
with no proxy set.  akamai.net's geographically-dependent DNS stuff really gets
in the way with this, because there's no way to work around the a server.
Comment 7 Paul Gear 2008-01-29 22:35:15 UTC
This 401 Unauthorized problem started affecting other repositories the other
day.  Here are my squid logs to demonstrate:

1201422206.642    780 127.0.0.1 TCP_MISS/302 485 HEAD
http://tableteer.nokia.com/tableteer/os2008/index.xhtml - DIRECT/217.77.202.40
application/xhtml+xml
1201422209.892    392 127.0.0.1 TCP_MISS/302 485 GET
http://tableteer.nokia.com/tableteer/os2008/index.xhtml - DIRECT/217.77.202.40
application/xhtml+xml
1201422337.533   2088 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/certified/dists/chinook/Release.gpg -
DIRECT/203.206.139.69 text/
html
1201422339.321   1656 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/non-certified/dists/chinook/Release.gpg -
DIRECT/203.206.139.77 t
ext/html
1201422340.379    822 127.0.0.1 TCP_MISS/404 625 GET
http://catalogue.tableteer.nokia.com/updates/chinook/./Release.gpg -
DIRECT/203.206.139.69 text/html
1201422341.452   1043 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/non-certified/dists/chinook/Release -
DIRECT/203.206.139.69 text/
html
1201422342.396    851 127.0.0.1 TCP_MISS/404 621 GET
http://catalogue.tableteer.nokia.com/updates/chinook/./Release -
DIRECT/203.206.139.77 text/html
1201422343.273    781 127.0.0.1 TCP_MISS/404 659 GET
http://catalogue.tableteer.nokia.com/certified/dists/chinook/user/binary-armel/Packages.diff/Index
- D
IRECT/203.206.139.77 text/html
1201422344.254    750 127.0.0.1 TCP_MISS/404 663 GET
http://catalogue.tableteer.nokia.com/non-certified/dists/chinook/user/binary-armel/Packages.diff/Index
 - DIRECT/203.206.139.77 text/html
1201422345.305    754 127.0.0.1 TCP_MISS/404 633 GET
http://catalogue.tableteer.nokia.com/updates/chinook/./Packages.diff/Index -
DIRECT/203.206.139.77 tex
t/html
1201422346.414    879 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/certified/dists/chinook/user/binary-armel/Packages.gz
- DIRECT/20
3.206.139.77 text/html
1201422347.505    923 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/non-certified/dists/chinook/user/binary-armel/Packages.gz
- DIREC
T/203.206.139.69 text/html
1201422348.434    897 127.0.0.1 TCP_MISS/401 773 GET
http://catalogue.tableteer.nokia.com/updates/chinook/./Packages.gz -
DIRECT/203.206.139.77 text/html
1201425427.981    771 127.0.0.1 TCP_MISS/200 472 HEAD
http://tableteer.nokia.com/rss/internettabletnews.xml - DIRECT/217.77.202.40
text/xml
1201425429.194    781 127.0.0.1 TCP_MISS/200 5788 GET
http://tableteer.nokia.com/rss/internettabletnews.xml - DIRECT/217.77.202.40
text/xml

PLEASE!!!! Do something about the web site hosting.  This is *NOT* a low
priority issue.
Comment 8 pepitoe 2008-01-30 17:25:38 UTC
I am getting the same problems when I try to access the repositories at my
work, ip 88.81.143.76.  

An nslookup currently gives...

Name: a515.g.akamai.net
Addresses:  84.53.134.51, 84.53.134.58
Aliases:  repository.maemo.org, repository.maemo.org.edgesuite.net
Comment 9 Paul Gear 2008-02-01 07:50:12 UTC
This is now affecting the recently released OS2008 video center as well!

1201831377.746   1549 127.0.0.1 TCP_MISS/401 796 GET
http://catalogue.tableteer.nokia.com/certified/dists/chinook/install/videocenter.install
- DIRECT/203.206.139.77 text/html
1201835540.726   1123 127.0.0.1 TCP_MISS/401 796 GET
http://catalogue.tableteer.nokia.com/certified/dists/chinook/install/videocenter.install
- DIRECT/203.206.139.77 text/html
Comment 10 Paul Gear 2008-03-26 21:56:14 UTC
What do we need to do to get some progress on this issue?  Does anyone actually
read the email account attached to this bug?  It is now affecting the following
repositories for me:

Nokia catalogue
Nokia catalogue (3rd party software)
Nokia system software updates
Maemo extras
Maemo

This is 100% consistent for me on sites which use squid proxy servers.  I think
it is probably the same as bug 798, and i can't see how it is low priority. 
Lots of us don't have a choice whether we go through a proxy server or not.
Comment 11 pepitoe 2008-03-27 18:18:29 UTC
This is still happening for me also, ISP Cable & Wireless Guernsey.

According to this page...
 https://garage.maemo.org/plugins/wiki/index.php?Website&id=106&type=g
bugs relating to repositories belong to Marcell Lengyel (marcell.lengyel at
nokia.com) so it would be good to get his input on this bug.
Comment 12 Marat Radchenko 2008-04-09 21:14:19 UTC
Same error here (100% reproducible):

user@n800 ~ $ traceroute repository.maemo.org
traceroute: Warning: repository.maemo.org has multiple addresses; using
217.212.246.59
traceroute to a515.g.akamai.net (217.212.246.59), 30 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  4.882 ms  4.455 ms  4.577 ms
 2  10.11.163.1 (10.11.163.1)  7.630 ms 41-111-st.zelcom.ru (80.92.111.41)
5.982 ms  10.467 ms
 3  gw30.eth.zelcom.ru (80.92.96.30)  31.708 ms  9.613 ms  12.604 ms
 4  * * *
 5  * 212.45.2.25 (212.45.2.25)  4917.359 ms  1805.329 ms
 6  Ulyan-SR-69.comcor.ru (62.117.100.69)  167.816 ms  141.571 ms  116.119 ms 7
 sl-gw10-sto-12-1.sprintlink.net (80.77.97.241)  40.863 ms  38.574 ms *
 8  sl-bb20-sto-8-0-0.sprintlink.net (80.77.96.37)  43.854 ms  40.191 ms 29.999
ms
 9  s-b3-link.telia.net (213.248.67.93)  110.199 ms  88.379 ms  78.522 ms
10  s-hdn-i3-link.telia.net (80.91.249.69)  52.765 ms  52.918 ms  61.889 ms
11  217-212-246-59.customer.teliacarrier.com (217.212.246.59)  61.127 ms 
51.910 ms  72.021 ms
Comment 13 Marat Radchenko 2008-04-09 22:15:07 UTC
OK, i've made some testing and discovered...

1) I have squid installed on my n800. With untouched vanilla settings. It is
the only proxy on way from me to repository.maemo.org.
2) When I enable proxy settings in n800 control panel I get 401
3) When I disable proxy settings in n800 control panel I can happily download
files.
4) I can always wget files because (as far as I understand) control panel
setting doesn't affect it and wget always directly connects to your site.
5) The funny thing: console apt-get is always fully functional (does it bypass
proxy settings too?)
5) Request sent by wget:
GET /dists/bora/free/binary-armel/Packages.gz HTTP/1.0
User-Agent: Wget/1.10.2
Accept: */*
Host: repository.maemo.org
Connection: Keep-Alive

6) Request sent by squid:
GET /dists/bora/free/binary-armel/Packages.gz HTTP/1.0
Host: repository.maemo.org
User-Agent: Mozilla/5.0 (X11; U; Linux armv6l; ru-RU; rv:1.9a6pre)
Gecko/20071128 Firefox/3.0a1 Tablet browse
r 0.2.2 RX-34+RX-44_2008SE_2.2007.51-3
Accept:
text/xml,application/xml,application/atom+xml,application/rss+xml,application/xhtml+xml,text/html;q=0
.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: ru
Accept-Encoding: gzip,deflate
Keep-Alive: 300
Via: 1.1 n800 (squid/3.0.STABLE2)
X-Forwarded-For: 127.0.0.1
Cache-Control: max-age=259200
Connection: keep-alive

So. Your server becomes crazy when it sees one of those headers. Why? :)
Comment 14 Juha Kallioinen nokia 2008-04-10 11:10:53 UTC
Hi Marat, thanks for the detailed logs!

Looks like the X-Forwarded-For header is causing the 401 response from
somewhere. This could be the cause for Paul's problems too (he mentioned using
Squid).

The control panel proxy settings are not applied to the command line clients by
default, that's why using apt-get from xterm bypasses the proxy.
Comment 15 Marat Radchenko 2008-04-10 15:13:23 UTC
(In reply to comment #14)
> Hi Marat, thanks for the detailed logs!
> 
> Looks like the X-Forwarded-For header is causing the 401 response from
> somewhere. This could be the cause for Paul's problems too (he mentioned using
> Squid).
> 
> The control panel proxy settings are not applied to the command line clients by
> default, that's why using apt-get from xterm bypasses the proxy.
> 

I'll try today disabling additional headers one by one and will search for the
one that is causing troubles.
Comment 16 Juha Kallioinen nokia 2008-04-10 15:15:46 UTC
(In reply to comment #15)
> I'll try today disabling additional headers one by one and will search for the
> one that is causing troubles.

Sure, I just quickly tested by telnetting to repository.maemo.org 80 and
copy-pasteing your requests there. I noticed that if the ip address in the
X-Forwarded-For header is something else than 127.0.0.1 or the whole header is
missing, then the request works.
Comment 17 Marat Radchenko 2008-04-10 15:19:21 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > I'll try today disabling additional headers one by one and will search for the
> > one that is causing troubles.
> 
> Sure, I just quickly tested by telnetting to repository.maemo.org 80 and
> copy-pasteing your requests there. I noticed that if the ip address in the
> X-Forwarded-For header is something else than 127.0.0.1 or the whole header is
> missing, then the request works.
> 

Oh, my :) I didn't thing about testing via telnet. Yes, the problem is in
X-Forwarded-For. Hope this knowledge will help to fix the problem. If any
additional testing will be required, just ask.
Comment 18 Behnam [:ZWNJ] Esfahbod (reporter) 2008-06-02 11:57:48 UTC
The problem exist yet.  Can I help with anything?
Comment 19 Juha Kallioinen nokia 2008-06-17 11:35:57 UTC
Hello,

there seem to be different kinds of issues that are causing these service
blockages. I'm sorry it has taken such a long time to come to some sort of a
conclusion.

The reason for this particular bug 1896 originally reported by Behnam is clear:

One of the main objectives of Nokia is to comply with any laws and regulations
that apply to the operations and/or businesses of Nokia. We are sure you can
understand that given the global nature of our operations and businesses, such
laws and regulations are multiple and complex.

As you have reported to us, you have repeatedly tried to download software from
the maemo.org repository, without success. The reason for this is that, based
on the applicable export control regulations, we have been forced to prevent
any download requests or attempts from certain countries, including Iran.

The other problems mentioned in this particular bug are a bit different.

Marat's problem: A proxy server on our end is refusing access if the
X-Forwarded-For header contains that particular localhost address. The header
is inserted by a proxy server running on your end and you can go around it by
reconfiguring the proxy so that it inserts a different address to the header.
I've presented a solution proposal in an earlier response (hint: the localhost
address space is not limited to 127.0.0.1). Unfortunately we can't change the
proxy server settings on our end.

What comes to Paul's or pepitoe's problem; based on the provided information
those could be similar to Marat's. Paul's squid log shows the address 127.0.0.1
but without seeing the actual traffic capture, it's hard to say if that's the
problem. 

pepitoe - it's hard to say what could cause this for you with the information
you have provided.

I'm inclining to resolve this as WONTFIX. The legal side is something we cannot
do anything about and the squid proxy issues can be resolved on the client's
end.
Comment 20 Lucas Maneos 2008-06-17 12:21:45 UTC
(In reply to comment #19)
> The reason for this is that, based
> on the applicable export control regulations, we have been forced to prevent
> any download requests or attempts from certain countries, including Iran.

I'm not in one of those countries and so can't see the exact server response,
but in the interest of eliminating confusion & user friendliness (not to
mention technical correctness), it would perhaps be more appropriate to return
a 403  along with a response body explaining the export control compliance
reasons.

Cf (RFC2616, 10.4.2 & 10.4.4):

401 Unauthorized

   The request requires user authentication.

vs

403 Forbidden

   The server understood the request, but is refusing to fulfill it.
   Authorization will not help and the request SHOULD NOT be repeated.
Comment 21 Behnam [:ZWNJ] Esfahbod (reporter) 2008-06-17 12:34:34 UTC
First, thanks Juha.

(In reply to comment #20)
> I'm not in one of those countries and so can't see the exact server response,
> but in the interest of eliminating confusion & user friendliness (not to
> mention technical correctness), it would perhaps be more appropriate to return
> a 403  along with a response body explaining the export control compliance
> reasons.

Yes, that would be a good enhancement.  Other download servers, ie. Google's
and Sun's, use 403, and it's clear what the problem is.  But 401 was so
confusing...
Comment 22 pepitoe 2008-06-17 12:41:45 UTC
My issue seemed to resolve itself around mid April after I contacted Nokia Care
about it (even though they didn't appear to understand the issue!) and has been
ok since then.
Comment 23 Juha Kallioinen nokia 2008-06-17 13:08:29 UTC
(In reply to comment #21)
> First, thanks Juha.
> 
> (In reply to comment #20)
> > I'm not in one of those countries and so can't see the exact server response,
> > but in the interest of eliminating confusion & user friendliness (not to
> > mention technical correctness), it would perhaps be more appropriate to return
> > a 403  along with a response body explaining the export control compliance
> > reasons.
> 
> Yes, that would be a good enhancement.  Other download servers, ie. Google's
> and Sun's, use 403, and it's clear what the problem is.  But 401 was so
> confusing...
> 

Yep, 403 would be a more appropriate response. I'll try to poke the right
people to change the response message.
Comment 24 Paul Gear 2008-06-17 14:29:14 UTC
If i may say so, WONTFIX seems like a real cop-out.  This is the *ONLY* web
site i have ever seen that works direct and doesn't work through squid.  If you
need me to provide packet captures or other information, i'm happy to do that. 
Surely *something* else can be done.
Comment 25 Juha Kallioinen nokia 2008-06-17 14:48:03 UTC
(In reply to comment #24)
> If i may say so, WONTFIX seems like a real cop-out.  This is the *ONLY* web
> site i have ever seen that works direct and doesn't work through squid.  If you
> need me to provide packet captures or other information, i'm happy to do that. 
> Surely *something* else can be done.

If you could send/check a log like in comment 13 where the HTTP headers are
visible when the request leaves your computer/device then we could see if the
X-Forwarded-For header is present. Furthermore if the header's value is
127.0.0.1 then we'd be sure the problem cause is the same for you as for Marat.
Comment 26 Loic Minier 2008-06-17 15:42:44 UTC
For the record: I'm behind squid, was suffering from this issue and don't seem
to be suffering from it anymore (from wget, firefox 3 using system proxy
settings, and GET from perl/lwp); I didn't have to change my squid setup, and I
guess I'm not affected by the localhost header issue described here.
Comment 27 Behdad Esfahbod 2008-06-17 20:27:23 UTC
(In reply to comment #19)
> Hello,

Hi,

This is behDaD, behNaM's brother here in Canada and a GNOME project developer.

> there seem to be different kinds of issues that are causing these service
> blockages. I'm sorry it has taken such a long time to come to some sort of a
> conclusion.
> 
> The reason for this particular bug 1896 originally reported by Behnam is clear:
> 
> One of the main objectives of Nokia is to comply with any laws and regulations
> that apply to the operations and/or businesses of Nokia. We are sure you can
> understand that given the global nature of our operations and businesses, such
> laws and regulations are multiple and complex.
> 
> As you have reported to us, you have repeatedly tried to download software from
> the maemo.org repository, without success. The reason for this is that, based
> on the applicable export control regulations, we have been forced to prevent
> any download requests or attempts from certain countries, including Iran.

May I ask which specific and exact export control regulations prevent Nokia
from serving downloads to Iran?  I ask because I'm a major copyright holder of
some components shipped in Maemo under the LGPL-2.1 license.  And LGPL says:

"""
  11. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Library at all.  For example, if a patent
license would not permit royalty-free redistribution of the Library by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Library.
"""


It also later says:

"""
  12. If the distribution and/or use of the Library is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Library under this License
may add an explicit geographical distribution limitation excluding those
countries, so that distribution is permitted only in or among
countries not thus excluded.  In such case, this License incorporates
the limitation as if written in the body of this License.
"""

Note that it only says "the original copyright holder".  Which I assume it
means, for those components, me, not Nokia.  Which by extension means if Nokia
is shipping maemo, it is obligated by the license to at least point the users
to upstream sources of the components used, and only for the Nokia-owned
components it may add such geographical distribution limitations.  However,
such geographically limited licenses are not compatible with unmodified
GPL/LGPL licenses of the upstream components I guess, making the derivative
work unlicenses.

To summarize, I'm not a lawyer, but I reserve my rights, as both copyright
holder of software shipped in maemo (granted to me by the copyright law) and as
recipient of maemo software licensed under GPL and LGPL (granted by the
(L)GPL), and want to see Nokia fully comply with the licenses, or if there is a
legally permitted reason they do not comply, see those reasons.

Regards,

Behdad Esfahbod
Comment 28 timeless 2008-06-17 20:58:46 UTC
um, afaik gpl/lgpl/whatever do not entitle you to updates.

they do entitle you to a way to ask for sources, and the official way for you
to ask for sources is by mail.

http://hsivonen.iki.fi/maemo-src/

shows an example of someone who figured out how to follow the instructions to
request the sources.

repository.maemo.org is an optional value adding service (along w/
tableteer.nokia.com) designed to provide binaries.

also note that the proper way to contact lawyers is via mail, not via Bugzilla.

I've adjusted the summary.

Note that in my testing, the 401 for X-Forwarded-For seems fixed. but if
someone can find that it has returned, please file a new bug and then add a
comment here with its bug number. for convenience, here's a link:
https://bugs.maemo.org/enter_bug.cgi?product=Website&version=4.1&component=Repositories&rep_platform=All&op_sys=All&priority=Low&bug_severity=major&target_milestone=---&bug_status=NEW&alias=&bug_file_loc=&short_desc=X-Forwarded-For%3A%20127.0.0.1%20triggers%20401%20instead%20of%20403&cc=maemo%40gear.dyndns.org&cc=slonopotamusorama%40gmail.com&cc=juha.kallioinen%40nokia.com&cc=lool%40dooz.org&comment=

your comment should include commands like:
telnet repository.maemo.org 80
...

which show that adding / removing the X-Forwarded-To: line triggers the
problem.
Comment 29 Behdad Esfahbod 2008-06-17 21:05:01 UTC
I'm (In reply to comment #28)
> um, afaik gpl/lgpl/whatever do not entitle you to updates.
> 
> they do entitle you to a way to ask for sources, and the official way for you
> to ask for sources is by mail.
> 
> http://hsivonen.iki.fi/maemo-src/
> 
> shows an example of someone who figured out how to follow the instructions to
> request the sources.

Good point.

> repository.maemo.org is an optional value adding service (along w/
> tableteer.nokia.com) designed to provide binaries.
> 
> also note that the proper way to contact lawyers is via mail, not via Bugzilla.

I'm not contacting lawyers.  It was pointed out that export control regulations
are causing this bug, and I asked for details.
Comment 30 timeless 2008-06-17 21:16:29 UTC
for people curious about export restrictions, the following urls are probably
worth reading (and yes, i know there's a note about it being out of date):
http://developer.mozilla.org/en/docs/Mozilla_Crypto_FAQ
http://www.bis.doc.gov/licensing/exportingbasics.htm
http://www.cdt.org/crypto/admin/000112commercefactsheet.shtml

The product, its updates, and the files on repository.maemo.org  do include
cryptography which is regulated according to those urls.

the fact sheet seems to cover this fairly well:

-Global exports to individuals, commercial firms or other non-government
end-users-
Any encryption commodity or software, including components, of any key length
can now be exported under a license exception after a technical review to any
non-government end-user in any country except for the seven state supporters of
terrorism.

-Global exports of retail products-
A new category of products called "Retail encryption commodities and software"
can now be exported to any end user (except in the seven state supporters of
terrorism).

Finding the right url which explains that Iran is one of the 7 (or whatever the
current number is) is probably hard, but here's a not too out of date url:
http://www.ustreas.gov/press/releases/hp644.htm

which seems to indicate that relatively recently it wasn't labeled in some
other manner....

http://www.fas.org/irp/threat/terror_90/sponsored.html lists the section so you
could find it.

now, it's probably possible for Nokia to make updates available which don't
include the crypto modules (which I know are going to be updated in 4.1),
however testing and verifying this would be costly, and officially the device
is not sold in Iran. Now before you think Iran's special wrt support, I don't
think it's sold in Russia, and I know it isn't sold in China or India.

Note that this is merely a review of technical details and does not represent
official policy of Nokia, or any national government. (It's not even my
personal opinion, I'm merely summarizing facts that you could and should have
been able to look up for yourself.)
Comment 31 Behdad Esfahbod 2008-06-17 21:27:19 UTC
(In reply to comment #30)
> for people curious about export restrictions, the following urls are probably
> worth reading (and yes, i know there's a note about it being out of date):
> http://developer.mozilla.org/en/docs/Mozilla_Crypto_FAQ
> http://www.bis.doc.gov/licensing/exportingbasics.htm
> http://www.cdt.org/crypto/admin/000112commercefactsheet.shtml
> 
> The product, its updates, and the files on repository.maemo.org  do include
> cryptography which is regulated according to those urls.

That's totally irrelevant as Nokia is not restricted by US government
regulations.  If it was, it couldn't do business to Iran because of US-Iran
sanctions, but as it stands now, Nokia officially sells millions of devices in
Iran every year.  It is actually in the process of running a cell network in
Iran.
Comment 32 Behdad Esfahbod 2008-06-17 21:31:21 UTC
(In reply to comment #30)

> I'm merely summarizing facts that you could and should have
> been able to look up for yourself.)

I've been doing my homework regarding US-Iran export control issues and how
various software companies react to it for the past couple of years.
Comment 33 Ryan Abel maemo.org 2008-06-17 21:46:29 UTC
(In reply to comment #31)
> That's totally irrelevant as Nokia is not restricted by US government
> regulations.  If it was, it couldn't do business to Iran because of US-Iran
> sanctions, but as it stands now, Nokia officially sells millions of devices in
> Iran every year.  It is actually in the process of running a cell network in
> Iran.
> 

No, but akamai is.
Comment 34 Lucas Maneos 2008-06-17 23:50:54 UTC
More importantly, the US gov is not the only authority restricting export of
cryptographic technology - Finland is a participating state of the Wassenaar
Arrangement which kinda ties Nokia's hands in this matter :-(
Comment 35 Marcell Lengyel maemo.org 2008-06-18 09:37:01 UTC
I am not a lawyer for Nokia, just a sw engineer but here is what I have heard
on US export restrictions: selling phones in restricted countries might be ok
under certain conditions. If Nokia can proove that in the process of creating
that phone no US work or materials were used (or less then 10%) then it is ok
to do whatever with that product. Emphasis on "can proove". If Nokia (or any
other company doing business in restricted countries) can not proove that no US
work or materials were used then it is assumed that more than 10% is US origin
so restriction rules are applied.
Again, I am speaking for myself in this comment, this is not a company
statement, etc.
Comment 36 Andre Klapper maemo.org 2008-06-18 12:56:15 UTC
*** Bug 3029 has been marked as a duplicate of this bug. ***
Comment 37 sam 2008-06-18 21:37:25 UTC
nokia please open my country ip!  :(
Comment 38 timeless 2008-06-23 11:33:10 UTC
these urls are for my own research (for some other purpose), but since i've
already collected most of the urls I intend to use in this bug, I figure I'll
continue to deposit urls here ...
http://en.wikipedia.org/wiki/Restrictions_on_the_Import_of_Cryptography
http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#iran

marcell: nokia *can't* prove that. We ship NSS which was developed by Netscape
in California. I can find a map for people if necessary.
Comment 39 Juha Kallioinen nokia 2008-06-24 15:10:41 UTC
(In reply to comment #27)
> (In reply to comment #19)
> > Hello,
> 
> Hi,
> 
> This is behDaD, behNaM's brother here in Canada and a GNOME project developer.
...
> May I ask which specific and exact export control regulations prevent Nokia
> from serving downloads to Iran?  I ask because I'm a major copyright holder of
> some components shipped in Maemo under the LGPL-2.1 license.  And LGPL says:
...

Hi behDaD,

I'm not a lawyer either and I don't know if I can give you a comprehensive
answer. I've been told that the US EAR [1] and US Treasury OFAC sanctions [2]
are international treaties that also bind Nokia since an unknown amount of US
originated code is part of the product and the software packages offered
through maemo.org.

[1] http://www.access.gpo.gov/bis/ear/ear_data.html

[2] http://www.treas.gov/offices/enforcement/ofac/programs/iran/iran.shtml
Comment 40 sam 2008-07-06 20:13:43 UTC
WOW
Finally The problem is Solved In Iran

I Connected To http://repository.maemo.org............ Today and Updated My
Apps

:D

Thank U Nokia!  :D
Comment 41 Quim Gil nokia 2008-07-19 16:01:22 UTC
Behnam, can you confirm whether the problem is fixed also for you?
Comment 42 Behnam [:ZWNJ] Esfahbod (reporter) 2008-07-20 11:43:29 UTC
(In reply to comment #41)
> Behnam, can you confirm whether the problem is fixed also for you?

I though it's a temporary situation. Yes, it's fixed.

Thank you guys. :)
Comment 43 Farzad 2008-08-29 19:23:10 UTC
(In reply to comment #42)
> (In reply to comment #41)
> > Behnam, can you confirm whether the problem is fixed also for you?
> 
> I though it's a temporary situation. Yes, it's fixed.
> 
> Thank you guys. :)
> 
i have same problem (in iran).
i have bought N810 3days ago . so far i could not download any program from
maemo & nokia catalogues.
is problem fixed?!
Comment 44 sam 2008-08-29 20:12:49 UTC
(In reply to comment #43)
> (In reply to comment #42)
> > (In reply to comment #41)
> > > Behnam, can you confirm whether the problem is fixed also for you?
> > 
> > I though it's a temporary situation. Yes, it's fixed.
> > 
> > Thank you guys. :)
> > 
> i have same problem (in iran).
> i have bought N810 3days ago . so far i could not download any program from
> maemo & nokia catalogues.
> is problem fixed?!

Hi Farzad,Well Yes I Have This Problem Again! And For Maemo Extras!

You Can Try :

http://repository.maemo.org/extras-devel/ 
chinook | free   

and Add All Repo From http://gronmayer.com/it/ To Ur Tablet!

The Problem Is Back! Hope Nokia Can Improve It! Maemo Still Has It!
Comment 45 Andre Klapper maemo.org 2008-08-29 20:41:57 UTC
I still have not understood what exactly Nokia should do about it, and why
people insist on Nokia fixing something that is not even within Nokia's scope
or abilities. But maybe I'm getting something wrong here.
Comment 46 Behdad Esfahbod 2008-08-29 21:37:01 UTC
(In reply to comment #45)
> I still have not understood what exactly Nokia should do about it,

Nokia, if it wants to, can fix it.

> and why
> people insist on Nokia fixing something that is not even within Nokia's scope
> or abilities. But maybe I'm getting something wrong here.

What do you mean?  It's the ISP that Nokia has hired that is doing the
blocking.  Nokia, again, if they wanted to, can use a European ISP that does
not block Iranian IP addresses.
Comment 47 Farzad 2008-09-01 10:24:58 UTC
(In reply to comment #44)
> Hi Farzad,Well Yes I Have This Problem Again! And For Maemo Extras!
> 
> You Can Try :
> 
> http://repository.maemo.org/extras-devel/ 
> chinook | free   
> 
> and Add All Repo From http://gronmayer.com/it/ To Ur Tablet!
> 
> The Problem Is Back! Hope Nokia Can Improve It! Maemo Still Has It!
> 
thanks,but it didn't work.i want install maemo mapper which is only available
in maemo extas!
if you can visit this forum:
http://forum.p30world.com/showthread.php?t=247617&page=2
Comment 48 sam 2008-09-01 11:34:28 UTC
(In reply to comment #47)
> (In reply to comment #44)
> > Hi Farzad,Well Yes I Have This Problem Again! And For Maemo Extras!
> > 
> > You Can Try :
> > 
> > http://repository.maemo.org/extras-devel/ 
> > chinook | free   
> > 
> > and Add All Repo From http://gronmayer.com/it/ To Ur Tablet!
> > 
> > The Problem Is Back! Hope Nokia Can Improve It! Maemo Still Has It!
> > 
> thanks,but it didn't work.i want install maemo mapper which is only available
> in maemo extas!
> if you can visit this forum:
> http://forum.p30world.com/showthread.php?t=247617&page=2

well that's simple,u can install in offline,

1- active ur red pill mode:
http://maemo.org/community/wiki/ApplicationManagerRedPillMode/

2- download ur app tool (like maemo mapper) and move it to ur mcc's

3- install it with app manager!

:)
Comment 49 Andre Klapper maemo.org 2008-09-04 17:22:30 UTC
I know of efforts and attempts by Nokia to "workaround" this, but as far as I
have been told (I am not a Nokia employee) Nokia MUST use export control. It is
required by law. There is no way around this. Nokia is not selling the devices
in Iran or those countries.
Sorry that it's frustrating, but there is nothing going to happen here.
Hence closing as WONTFIX.