apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Justin Erenkrantz" <jus...@erenkrantz.com>
Subject Re: Proposed Crypto Notification process
Date Fri, 30 Jun 2006 12:37:26 GMT
On 6/30/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Yes. but point at apr.apache.org/crypto.html that is maintained by the authors.

Once again - no.  PMC Chairs should generally have access to the
foundation site (if not, they can get it quite easily) and they should
just add those links and be done with it.  We explicitly discussed
this tradeoff last night at the BOF and all present agreed that a
central ASF-wide page makes more sense than having a disparate
collection of pages that each project owns.

> Nope.  We don't ship OpenSSL the product, we ship APR-util the product which
> happens to link to OpenSSL, and therefore, ***APR.apache.org/crypto.html***
> resolves to www.apache.org, and openssl.org/sources.  APR-util is the product
> that creates a dependency/binding to openssl.

Once again, incorrect.  We have to notify BIS that we are distributing
source code from a third-party product.  Therefore, the BIS guidelines
state that we have to notify that we are distributing OpenSSL (as part
of our binaries).

Note that this applies to anyone who uses APR-util downstream (log4j,
httpd, Subversion, etc.) - they now have to explicity submit a BIS
notice for APR-util on behalf of their own project.  (Lovely rules,

> They will follow the chain of command.  In OpenSSL case we point to tarballs
> (we aren't the developer, their current state of the code isn't exported by us)
> while in our own sources case, we point to the SVN because the moment it's been
> committed, it's been published.
> apr.apache.org/crypto -> www.apache.org/crypto
>                        -> svn.apache.org/repos/asf/apr/apr-util/trunk
>                        -> openssl.org/dist
> All inclusive by reference.

Once again, this is false.  OpenSSL is its own independent project and
we are shipping its libraries.  Therefore, we need to do two separate
notifications: one for APR-util and one for OpenSSL.  -- justin

View raw message