apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: Crypto FAQ
Date Fri, 07 Jul 2006 00:26:38 GMT
On 7/6/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >
> > fair enough -- however, could you tell me if these comments come after
> > having read http://apache.org/dev/crypto.html?  I was kind of hoping
> > that page comes close to providing the background and list of what
> > steps must be taken.  I guess I think a rev of the current
> > cryppto.html page + a rev of this FAQ should be very close to the
> > needed docs.  Agree?
> Cliff; we need one ABSOLUTE STATEMENT out of you :-)
> "APR Project, if you ship an APR binary that includes libssl/libcrypto,
> you must:"
>     a. " produce an 'OpenSSL Product notification' seperately"
> or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
>          'APR-util Product' "

definitely b

> If you don't ship OpenSSL but provide the bindings to it, you must
>     a. " produce an 'OpenSSL Product notification' seperately as it's implied"
> or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
>          'APR-util Product' as it's implied"
> or c. " do nothing w.r.t. OpenSSL's source code."

definitely c

(of course, you'll have to point to APR-util source since it is crypto
due to its bindings to OpenSSL).

> Help?

I think the above answers are consistent with FAQ Q&A 9,10 -- however,
I think your questions above require an explicit Q&A for these two
situations.  The product is always the Apache product.  The
manufacturer is either the ASF or wherever the third-party crypto
comes from; in cases where the ASF product includes code from one or
more other manufacturers, there will likely be a need for more than
one notice for the same product.

> If you say any/either, I suggest rolling in OpenSSL source notification
> into the APR source notification (one notice, once, links at /crypto.html
> or whatever) is a low-maintenance, low-headache, simplest path.

Not sure if this is exactly what you are talking about, but take
another look at Q&A 9.  I should probably revise A9 since it gives too
many options and just list what I mention is the preferred option:
"However, the preference is to have one email with a  complete set of
required information for each crypto item in the product."  Anyone
prefer one of the other options?


View raw message