apr-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Proposed Crypto Notification process
Date Fri, 30 Jun 2006 22:26:20 GMT
On Jun 30, 2006, at 5:37 AM, Justin Erenkrantz wrote:
> On 6/30/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
>> Nope.  We don't ship OpenSSL the product, we ship APR-util the product which
>> happens to link to OpenSSL, and therefore, ***APR.apache.org/crypto.html***
>> resolves to www.apache.org, and openssl.org/sources.  APR-util is the product
>> that creates a dependency/binding to openssl.
>
> Once again, incorrect.  We have to notify BIS that we are distributing
> source code from a third-party product.  Therefore, the BIS guidelines
> state that we have to notify that we are distributing OpenSSL (as part
> of our binaries).

Please, let's not have this discussion again on APR when it has already
been resolved for httpd.  We just have to follow through with the docs.
I'll do that once I get the other procedural documentation crap off
my plate (OpenSolaris).

We do not distribute OpenSSL because it contains software that we
cannot distribute for reasons unrelated to export control.

We must notify the BIS for each distinct product that we distribute that
is under 5D002 export control for which we qualify for the TSU exception by
providing the complete source code along with that product.
Including an OpenSSL binary within another package does not create
a separate project -- it only creates an obligation to provide the source
with that product, which is kind of hard because OpenSSL cannot be
distributed by us in the form that is supplied by openssl.org.
That is why we don't distribute OpenSSL.

> Once again, this is false.  OpenSSL is its own independent project and
> we are shipping its libraries.  Therefore, we need to do two separate
> notifications: one for APR-util and one for OpenSSL.  -- justin

APR-util is not shipping OpenSSL.  In any case, we would only need
to do separate notifications if we distributed OpenSSL as a stand-alone
product with its own packaging.

....Roy
