If you distribute Open Source software containing encryption from the United States, you are subject to US export controls, yes. But are there any real restrictions? The only thing that the law requires you to do (for Open Source) is send an email to email@example.com with the URL. So why do SourceForge and Google impose greater restrictions than the law requires? Anybody know?
UPDATE 8-Feb-2010: Good news! SourceForge has turned off blanket restrictions, and made it a per-project choice. Unfortunately, they default to blocking, so everyone login to SF and declare your project to be freely redistributable to all! If you think your software might be subject to export control, then send your SF.net URL to the email address listed above. CC a copy to export@ our domain name and I'll keep a copy forever, as evidence that you complied with the law.