apr-dev mailing list archives

From "Justin Erenkrantz" <jus...@erenkrantz.com>
Subject Re: Proposed Crypto Notification process
Date Tue, 04 Jul 2006 22:07:11 GMT
On 7/4/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> That's my question... Cliff?  Is OpenSSL, in the context of being one component
> of the APR-util "product", or the Apache HTTP Server "product", its own,
> independent "product" that apr or httpd pmc's should be notifying the BIS of
> on its own?

I'm going to jump in here just to ensure that the rationale for my
current viewpoint is clear and - hopefully - can either be confirmed
or debunked.

My interpretation from Cliff is that OpenSSL is its own product and
that we have to perform notification for it since our product (be it
APR or HTTP Server) uses this other product that has crypto
functionalities.  We can include the BIS notice for OpenSSL in the one
email we send along with our notification.

Likewise, the issue, as I understood it, was that *all* downstream APR
developers (Subversion, log4j, etc.) will now have to notify BIS about
their own products whenever they release as they now have a dependency
upon BIS-notifiable code.  Hence, they have to notify BIS about their
own projects and APR-util and OpenSSL now too.  Yikes.

Of course, Cliff can (should!) reply too - but that's the impression I
got from him when talking about this during ApacheCon.  This is why I
mentioned in my earlier email that we'll need to notify regarding
OpenSSL too and why our downstream devs will have to do likewise.  I'd
*really* love to be wrong on this - so that we don't have to notify
for OpenSSL and that other projects don't have to notify for APR too;
but Cliff seemed pretty clear on this.

*shrug*  -- justin
