apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Cliff Schmidt" <cli...@apache.org>
Subject Re: APR Crypto Notification Questions
Date Tue, 24 Oct 2006 06:30:41 GMT
Hi Garrett,

Sorry for the slow reply -- been on the road a lot since ApacheCon,
but I'm home now and catching up!

On 10/17/06, Garrett Rooney <rooneg@electricjellyfish.net> wrote:
> Cliff, I'm looking at setting up the crypto notification stuff for
> APR, and I was wondering if my rdf file was correct.  Keep in mind
> that APR makes use of OpenSSL, but only in 1.3.0, which hasn't yet
> been released.

And just to be extra clear (if the doc I wrote isn't clear enough), it
is only required to mention OpenSSL if you are actually distributing
some part of that crypto.  If you are just linking to it when it is on
the user's system or something like that, you only mention APR as
being crypto (since it is specially designed to use other controlled
cryptography).  So, if when you say "makes use of OpenSSL" above, you
only mean links but doesn't include, then you don't need the
<CryptoSrc/> element for it, just for the code that uses it.

> I'm not clear if my link to the OpenSSL sources
> directory is correct, since it's not linking to a specific tarball
> like the bouncy castle links do for James, and I'm not sure if I

Whether you link directly to the right source or specify the version
number somewhere and link to a higher level page, there should be some
way that a BIS admin/enforcement person can look at the information
and find the source for all crypto that we are distributing.  So, in
this case, I'm not sure why you wouldn't want to link directly to the

> should be linking to the apr/apr-util directory in our svn tree, or if
> I should just link to the top level apr directory on the off chance
> that the crypto code migrates into APR itself at some point.

If the project considers "APR itself" to be a separate product, you'd
need to send out a separate email anyway, once that product is being
distributed with crypto.  The unit of concern for notification is the
product that an organization distributes, not a piece of code that
could end up in multiple products.  So, given that, I think you should
keep it to the top level of whatever you consider the product to be
and label the name attribute of the Product element appropriately.


> <?xml version="1.0"?>
> <rdf:RDF xml:lang="en"
>          xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
> <!--
>   =======================================================================
>    Copyright (c) 2006 The Apache Software Foundation.
>    All rights reserved.
>   =======================================================================
> -->
>   <BISData>
>     <Contact>
>       <Project rdf:resource="http://apr.apache.org">
>         Apache Portable Runtime
>       </Project>
>       <Name>Garrett Rooney</Name>
>     </Contact>
>     <Product name="Apache Portable Runtime">
>       <Distribution versions="development">
>         <CryptoSrc manufacturer="The Apache Software Foundation"
>                    rdf:resource="http://svn.apache.org/repos/asf/apr/apr-util"/>
>         <CryptoSrc manufacturer="OpenSSL"
>                    rdf:resource="http://www.openssl.org/source/"/>
>       </Distribution>
>       <Distribution versions="v1.3.0-TO-latest">
>         <CryptoSrc manufacturer="The Apache Software Foundation"
>                    rdf:resource="http://archive.apache.org/dist/apr/"/>
>         <CryptoSrc manufacturer="OpenSSL"
>                    rdf:resource="http://www.openssl.org/source/"/>
>       </Distribution>
>     </Product>
>   </BISData>
> </rdf>

View raw message