apr-dev mailing list archives

From "Garrett Rooney" <roo...@electricjellyfish.net>
Subject Re: APR Crypto Notification Questions
Date Wed, 25 Oct 2006 15:06:31 GMT
On 10/24/06, Cliff Schmidt <cliffs@apache.org> wrote:

> On 10/17/06, Garrett Rooney <rooneg@electricjellyfish.net> wrote:
> > Cliff, I'm looking at setting up the crypto notification stuff for
> > APR, and I was wondering if my rdf file was correct.  Keep in mind
> > that APR makes use of OpenSSL, but only in 1.3.0, which hasn't yet
> > been released.
>
> And just to be extra clear (if the doc I wrote isn't clear enough), it
> is only required to mention OpenSSL if you are actually distributing
> some part of that crypto.  If you are just linking to it when it is on
> the user's system or something like that, you only mention APR as
> being crypto (since it is specially designed to use other controlled
> cryptography).  So, if when you say "makes use of OpenSSL" above, you
> only mean links but doesn't include, then you don't need the
> <CryptoSrc/> element for it, just for the code that uses it.

Well, at the moment we don't have anything that actually ships OpenSSL
binaries, but that's more a function of the fact that we don't have
any released version of the code that uses it.  I expect that when we
do ship 1.3.x someone will build win32 binaries and will probably want
to ship OpenSSL DLLs with them.

> > I'm not clear if my link to the OpenSSL sources
> > directory is correct, since it's not linking to a specific tarball
> > like the bouncy castle links do for James, and I'm not sure if I
>
> Whether you link directly to the right source or specify the version
> number somewhere and link to a higher level page, there should be some
> way that a BIS admin/enforcement person can look at the information
> and find the source for all crypto that we are distributing.  So, in
> this case, I'm not sure why you wouldn't want to link directly to the
> source.

Well, primarily because I don't want to have to update the link every
time someone ships a build that bundles a new patch release of
OpenSSL.  If there's no way around that, fine, but it would be more
convenient to be able to just point to their source directory.

> > should be linking to the apr/apr-util directory in our svn tree, or if
> > I should just link to the top level apr directory on the off chance
> > that the crypto code migrates into APR itself at some point.
>
> If the project considers "APR itself" to be a separate product, you'd
> need to send out a separate email anyway, once that product is being
> distributed with crypto.  The unit of concern for notification is the
> product that an organization distributes, not a piece of code that
> could end up in multiple products.  So, given that, I think you should
> keep it to the top level of whatever you consider the product to be
> and label the name attribute of the Product element appropriately.

Ok, then I suppose that would be the APR-Util top level dir in svn.

Thanks,

-garrett
