apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: Proposed Crypto Notification process
Date Wed, 05 Jul 2006 00:17:42 GMT
I've seen my name mentioned a lot in this thread...hopefully the
"Crypto FAQ" that I just sent to this list will answer most of the
questions referred to me in this thread.  If not, I'll try to get to
the others.

BTW, I think David Reid's projects RDF idea is a great one.  I'll try
to follow up on his legal-discuss thread tomorrow.


On 7/4/06, Justin Erenkrantz <justin@erenkrantz.com> wrote:
> On 7/4/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> > That's my question... Cliff?  Is OpenSSL, in the context of being one component
> > of the APR-util "product", or the Apache HTTP Server "product", its own,
> > independent "product" that apr or httpd pmc's should be notifing the BIS of
> > on its own?
> I'm going to jump in here just to ensure that the rationale for my
> current viewpoint is clear and - hopefully - can either be confirmed
> or debunked.
> My interpretation from Cliff is that OpenSSL is its own product and
> that we have to perform notification for it since our product (be it
> APR or HTTP Server) uses this other product that has crypto
> functionalities.  We can include the BIS notice for OpenSSL in the one
> email we send along with our notification.
> Likewise, the issue, as I understood it, was that *all* downstream APR
> developers (Subversion, log4j, etc.) will now have to notify BIS about
> their own products whenever they release as they now have a dependency
> upon BIS-notifiable code.  Hence, they have to notify BIS about their
> own projects and APR-util and OpenSSL now too.  Yikes.
> Of course, Cliff can (should!) reply too - but that's the impression I
> got from him when talking about this during ApacheCon.  This is why I
> mentioned in my earlier email that we'll need to notify regarding
> OpenSSL too and why our downstream devs will have to do likewise.  I'd
> *really* love to be wrong on this - so that we don't have to notify
> for OpenSSL and that other projects don't have to notify for APR too;
> but Cliff seemed pretty clear on this.
> *shrug*  -- justin

View raw message