apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Proposed Crypto Notification process
Date Wed, 05 Jul 2006 00:54:21 GMT
Roy T. Fielding wrote:
> 
> I don't see any reason why apr-util would distribute OpenSSL in any
> form -- it needs to compile against the installed SSL library (perhaps
> a card) for the same reasons as httpd.

Again - you tout the perspective for an OS which is 'feature complete'
(e.g., includes the compiler tools.)  For OS's which rarely include
the compiler tools, binaries make sense.  There is no reason that the
APR project might not provide APR, APR-util binaries at some point, and
if that means there's a dependency on libcrypto.so/libssl.so, then perhaps
those two dependent files as well with appropriate notification.

FWIW, we have had requests for apr binaries.  Nobody's quite bothered yet
since in the 0.9 family we really didn't expect people to install 'apr'.
With 1.x we transition to an 'installed apr' model.  Perhaps by 2.0, we
will genuinely expect folks to obtain apr independent of the application
they are installing.

I'm mostly responding so that Cliff's aware that several alternatives exist.

> I think we are going in circles, largely because the wrong questions
> are being asked.  We do not distribute OpenSSL *today*.  If we *do*
> decide to distribute OpenSSL, then we need to file a notice for
> OpenSSL and point people to openssl.org in that notice.

I agree with you 90%.  The 10% is that pointing the product's notice that
ships openssl for that dependency can simply land in our ASF-product notice.
I think Justin's and my ping pong which just landed on Cliff's side of the
table should resolve this.

> Regardless, we also have to file a notice for httpd and another for apr-util.

Yes

> All of that has to wait until we have sufficient documentation in
> place, namely a "/licenses/export.html" page that includes the
> destination disclaimers and table of exported products/ECCN/source-link,

Yes

> and then a sources page for each project that describes the contents
> per version released.

Well, once a {tlp}.a.o/licenses/export.html exists, the master reference
of projects.a.o/licenses/export.html would bring this all full circle.  No
cart before the horse puzzle, the master collection can happen after APR-util
closes their notification requirement.



Mime
View raw message