Return-Path: Delivered-To: apmail-apr-dev-archive@www.apache.org Received: (qmail 11900 invoked from network); 26 Oct 2006 12:32:25 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 26 Oct 2006 12:32:25 -0000 Received: (qmail 2031 invoked by uid 500); 24 Oct 2006 06:31:15 -0000 Delivered-To: apmail-apr-dev-archive@apr.apache.org Received: (qmail 1897 invoked by uid 500); 24 Oct 2006 06:31:14 -0000 Mailing-List: contact dev-help@apr.apache.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Id: Delivered-To: mailing list dev@apr.apache.org Received: (qmail 1839 invoked by uid 99); 24 Oct 2006 06:31:14 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Oct 2006 23:31:14 -0700 X-ASF-Spam-Status: No, hits=0.5 required=10.0 tests=DNS_FROM_RFC_ABUSE,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: domain of cliffschmidt@gmail.com designates 66.249.82.231 as permitted sender) Received: from [66.249.82.231] (HELO wx-out-0506.google.com) (66.249.82.231) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Oct 2006 23:31:02 -0700 Received: by wx-out-0506.google.com with SMTP id i27so2002775wxd for ; Mon, 23 Oct 2006 23:30:41 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=U0aHb+orkD8Z7Ystr8m8EWPJxbWvtknRi/1iJcOz6IWUY6v16kKHCIHs0EI1AYz3w5mOFPn8hUnSyO3oDASfUN96dUjpTuUErS4SPh+TYre7gIzSrlbpj0UOECAkWGaJyMudx4yz49k32210Szh4Rq5Kjj4BDD+UM3lKuZbVMw0= Received: by 10.70.29.7 with SMTP id c7mr2368290wxc; Mon, 23 Oct 2006 23:30:41 -0700 (PDT) Received: by 10.70.14.4 with HTTP; Mon, 23 Oct 2006 23:30:41 -0700 (PDT) Message-ID: Date: Mon, 23 Oct 2006 23:30:41 -0700 From: "Cliff Schmidt" Sender: cliffschmidt@gmail.com To: "Garrett Rooney" Subject: Re: APR Crypto Notification Questions Cc: "APR Development List" In-Reply-To: <7edfeeef0610171718if371beam47f05cfbe86bceef@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <7edfeeef0610171718if371beam47f05cfbe86bceef@mail.gmail.com> X-Google-Sender-Auth: 0474c98469c78ada X-Virus-Checked: Checked by ClamAV on apache.org Hi Garrett, Sorry for the slow reply -- been on the road a lot since ApacheCon, but I'm home now and catching up! On 10/17/06, Garrett Rooney wrote: > Cliff, I'm looking at setting up the crypto notification stuff for > APR, and I was wondering if my rdf file was correct. Keep in mind > that APR makes use of OpenSSL, but only in 1.3.0, which hasn't yet > been released. And just to be extra clear (if the doc I wrote isn't clear enough), it is only required to mention OpenSSL if you are actually distributing some part of that crypto. If you are just linking to it when it is on the user's system or something like that, you only mention APR as being crypto (since it is specially designed to use other controlled cryptography). So, if when you say "makes use of OpenSSL" above, you only mean links but doesn't include, then you don't need the element for it, just for the code that uses it. > I'm not clear if my link to the OpenSSL sources > directory is correct, since it's not linking to a specific tarball > like the bouncy castle links do for James, and I'm not sure if I Whether you link directly to the right source or specify the version number somewhere and link to a higher level page, there should be some way that a BIS admin/enforcement person can look at the information and find the source for all crypto that we are distributing. So, in this case, I'm not sure why you wouldn't want to link directly to the source. > should be linking to the apr/apr-util directory in our svn tree, or if > I should just link to the top level apr directory on the off chance > that the crypto code migrates into APR itself at some point. If the project considers "APR itself" to be a separate product, you'd need to send out a separate email anyway, once that product is being distributed with crypto. The unit of concern for notification is the product that an organization distributes, not a piece of code that could end up in multiple products. So, given that, I think you should keep it to the top level of whatever you consider the product to be and label the name attribute of the Product element appropriately. Cliff > > xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> > > > > > Apache Portable Runtime > > Garrett Rooney > > > > rdf:resource="http://svn.apache.org/repos/asf/apr/apr-util"/> > rdf:resource="http://www.openssl.org/source/"/> > > > rdf:resource="http://archive.apache.org/dist/apr/"/> > rdf:resource="http://www.openssl.org/source/"/> > > > > >