apr-dev mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: Proposed Crypto Notification process
Date Sat, 01 Jul 2006 09:03:11 GMT
On Jun 30, 2006, at 11:47 PM, Justin Erenkrantz wrote:

> On 6/30/06, Roy T. Fielding <fielding@gbiv.com> wrote:
>> We do not distribute OpenSSL because it contains software that we
>> cannot distribute for reasons unrelated to export control.
> I think we will end up distributing OpenSSL with our binaries.  I know
> that the Win32 binaries will certainly be including the appropriate
> OpenSSL DLLs.  I think what OtherBill's plan was to remove the
> patent-encumbered code from our OpenSSL builds we do - at least on
> Win32.  I'd expect the same for other platforms as well - especially
> since OpenSSL is usually bundled as a static library not a dynamic
> library.  (Some platforms ship it as a DSO, but that's only relatively
> recently.)
> Therefore, as Cliff indicated to us, we'll likely have to notify for
> OpenSSL.  -- justin

If we remove the patent-encumbered code from OpenSSL, then it isn't
OpenSSL and we cannot distribute it or anything built from it under
the TSU exception without distributing the source code exactly as built.
That means we have to distribute the modified OpenSSL library as  
else *not* called OpenSSL (because otherwise we are violating the  
license).  In any case, none of our users want a modified OpenSSL --  
can download the real thing on their own.  What we should be  
is a post-install DLL relinking tool so that they can link our windows
binary with whatever they install for SSL, but I have no idea how.

We have to understand that these regulations were not written for
software developers.  They were written for people inspecting crates
for things that blow people up.  The notice is for *our* product and
we are only allowed to export *our* product if the entire product is
available in source form at a single location where a customs inspector
can choose to examine its totality for tiny little terrorists hidden
between the 1s and 0s.  As dumb as it sounds, those are the rules.
The number of different identifiable products existing within a
single package is completely irrelevant to BIS -- we have to file a
notice for each type of package, not each thing within the package.

