Sudo
GitHub Blog Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage

Export Controls

Use of encryption

Prior to version 1.9.0, Sudo did not include support for encrypting data and was not subject to any export controls. However, starting with version 1.9.0, Sudo supports encrypted connections between the sudo_logsrvd daemon and the sudoers plugin. Specifically, TLS 1.2 or higher is used which supports strong encryption. The actual encryption algorithms used depend on the Sudo configuration as well as the version of OpenSSL or LibreSSL sudo is linked with (sudo does not include an implementation of any encryption algorithms itself). Some users may need to know whether Sudo is covered under U.S. export restrictions, specifically the Export Administration Regulations (EAR) and if so, what its Export Control Classification Number (ECCN) might be.

ECCN for Sudo

By the terms of Section 734.7(a)(4) of the EAR, Sudo is considered to be published software. To the best of my knowledge, this means that Sudo falls under ECCN 5D002.c.1 and, as published software, qualifies for License Exemption TSU (Technology and Software - Unrestricted). As such, there are no U.S. export restrictions that prohibit you from downloading Sudo.

Further reading

Frank Hecker has written a detailed explanation of Mozilla’s ECCN. It also applies to other open source software, including Sudo.

The University of Nevada, Reno has an easy to understand description of how export controls affect Open Source software.