export-controls: Clarify notification exemption conditions

Try to clarify when the notification requirements for use of cryptographic functionality apply. Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

export-controls: Clarify notification exemption conditions
80d5c414 · Emanuele Aina · 9435f57a · 80d5c414
Commit 80d5c414 authored 3 years ago by Emanuele Aina
--- a/content/concepts/export-controls.md
+++ b/content/concepts/export-controls.md
@@ -379,6 +379,12 @@ duly recognized international standards body (e.g., IEEE, IETF, ISO, ITU, ETSI,
 Accordingly to the Linux Foundation, this
 [removes the notification requirements for most products based on OSS projects](https://www.linuxfoundation.org/resources/publications/understanding-us-export-controls-with-open-source-projects/).

+On that ground, the assumption in this document is that any product based on
+Apertis is exempt from the notification requirement except for very uncommon
+scenarios where custom cryptography is used by the product itself. This also
+applies to downstreams rebuilding the Apertis sources, as long as they do
+not introduce custom cryptographic algorithms and proprietary implementations.
+
 # Sample export control compliance vendor process

 The goal with export compliance in Apertis is to focus on the following use-cases: