apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Schmidt" <cliffschm...@gmail.com>
Subject Re: Crypto FAQ
Date Fri, 07 Jul 2006 01:26:24 GMT
On 7/6/06, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Cliff Schmidt wrote:
> >>
> >> -garrett (who has not been spending nearly as much time as he should
> >> following this thread, and is hoping that Cliff will rescue him with a
> >> nice "you need to do this, this, and this to keep us from breaking the
> >> law" kind of recipie soon ;-)
> >
> > fair enough -- however, could you tell me if these comments come after
> > having read http://apache.org/dev/crypto.html?  I was kind of hoping
> > that page comes close to providing the background and list of what
> > steps must be taken.
> As you notice from the OpenSSL question, Cliff, there are two strong
> positions.  One Says we notify BIS of our export of the "OpenSSL Product"
> under various circumstances.  The Other Says we would only do that if we
> offer a product called "OpenSSL", and if we distribute a binary including
> or linking to OpenSSL, it's a dependency and we just notify the BIS of the
> "APR-util Library Product".

The latter (the "Other") position is more correct.  Here's a few
guidelines that might help:

- The product is the name of the thing we (the ASF, as the notifier)
are distributing/exporting.
- The manufacture is the name of the individual/organization that
built the crypto item included in the product.
- The source code *notification* URL (whether directly in the email or
indirectly through an intermediate web page) should point to the
source code for the crypto item built by the listed *manufacturer*
that is distributed within the ASF *product*.
- If the *product* includes more than one crypto items, such as a
third-party item included within the product, in addition to original
code manufactured by the same distributor/notifier, either the email
or the web page that the email points to should list source locations
associated with each manufacturer-specific crypto item in that

Would it be helpful I put copied the above guidelines into the crypto.html page?

Also, how about I modify the form listed in
http://apache.org/dev/crypto.html#notify as follows:

"   MANUFACTURER:         {list of all origin of crypto code, e.g.
OpenSSL Project or Apache Software Foundation.  If product includes
multiple crypto items from different origins, list all origins}"


"   NOTIFICATION:         http://www.apache.org/legal/export.html

This page must list all applicable pairings of manufacture & source
code URL for the product that is the subject of the notification


I didn't follow what all the ideas were for the ASF-wide URL, but the
one above is what I was thinking (taking into account Roy's suggestion
for it to be export.html instead of crypto.html).  And, of course, now
the last thing we need to do is build the format for the page, based
on David Reid's ideas for the projects.a.o file.


View raw message