apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Proposed Crypto Notification process
Date Fri, 30 Jun 2006 11:28:03 GMT
Justin Erenkrantz wrote:
> On 6/30/06, Colm MacCarthaigh <colm@stdlib.net> wrote:
>> On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote:
>> > Notification solution;
>> >
>> > Post the following notice on our project-specific crypto notice page;
>> >
>> >   http://apr.apache.org/crypto.html
>>
>> My impression of our outcome at the BoF was that it would probably be
>> easier and preferred, if we maintained an ASF-wide list at;
>>
>>         http://www.apache.org/crypto.html
>>
>> or similar. Then once that's up, we send two BIS's, one for our
>> subversion repos, and one for all current and future releases of the
>> product, and that's it, we're done.
> 
> Yes.
> 
> We do not *need* to do a notice in the distribution - although that's
> a reasonable thing if we chose to do so.
> 
> The only thing Garrett should do is send the following email to BIS:
> 
> ---
> SUBMISSION TYPE: TSU
> SUBMITTED BY: Garrett
> SUBMITTED FOR: Apache Software Foundation
> POINT OF CONTACT: Garrett
> PHONE and/or FAX: {Colm's phone number *duck*}
> MANUFACTURER: The Apache Software Foundation
> PRODUCT NAME/MODEL #: Apache Portable Run-time Utility Library (APR-util)
> ECCN: 5D002
> NOTIFICATION: http://www.apache.org/crypto.html

Yes. but point at apr.apache.org/crypto.html that is maintained by the authors.

> SUBMISSION TYPE: TSU
> SUBMITTED BY: Garrett
> SUBMITTED FOR: Apache Software Foundation
> POINT OF CONTACT: Garrett
> PHONE and/or FAX: {Colm's phone number *duck*}
> MANUFACTURER: The OpenSSL Project
> PRODUCT NAME/MODEL #: OpenSSL
> ECCN: 5D002
> NOTIFICATION: http://www.apache.org/crypto.html

Nope.  We don't ship OpenSSL the product, we ship APR-util the product which
happens to link to OpenSSL, and therefore, ***APR.apache.org/crypto.html***
resolves to www.apache.org, and openssl.org/sources.  APR-util is the product
that creates a dependency/binding to openssl.

They will follow the chain of command.  In OpenSSL case we point to tarballs
(we aren't the developer, their current state of the code isn't exported by us)
while in our own sources case, we point to the SVN because the moment it's been
committed, it's been published.

apr.apache.org/crypto -> www.apache.org/crypto
                       -> svn.apache.org/repos/asf/apr/apr-util/trunk
                       -> openssl.org/dist

All inclusive by reference.

Bill

Mime
View raw message