couchdb-dev mailing list archives

From Dirk-Willem van Gulik <Dirk-Willem.van.Gu...@BBC.co.uk>
Subject Re: export control notice - multiview
Date Thu, 29 Jul 2010 11:10:34 GMT

On 29 Jul 2010, at 04:55, Norman Barker wrote:

> I work for ITT VIS and we would really like to give this multiview for
> consideration by the community (as well as other patches)*. I have
> passed this to our legal dept and they would like us to follow
> http://www.apache.org/dev/crypto.html, I believe this has already been
> followed since Damien has his name on the XML below as PMC chair.

Have a look at:

	http://www.apache.org/licenses/exports/

> Whatever procedure Damien followed should be documented so that other
> US companies can contribute. I believe that all is sufficient is a

Please see
		http://www.apache.org/dev/crypto.html

> paper trail to show that the necessary govt depts have been notified
> about cryptography (in this case SSL) components in the software.

If the entry is there - 

		http://www.apache.org/licenses/exports/

you can be sure that the PMC followed the right path and that this is under the normal oversight
by the board of the foundation. And the board is to oversee that PMCs keep doing this right;
and PMCs are to ensure their areas are all doing the right things; and that each release
has its t's crossed and i's dotted.

Or in other words - you have confirmation that the legal entity responsible (the ASF) has,
and is, carrying out the right steps.

Every time a release is rolled - it is the PMC's task to oversee that - and specifically they
are expected to keep an eye on the correctness of the above corporate records; and bring them
up to date if needed.

It is very good practice to alert the Dev community and the PMC when doing contributions such
as this; as the process described on

	http://www.apache.org/dev/crypto.html

titled 'Check the Export Control Classification Number (ECCN)' with regard to qualification
under 740.13(e) as ECCN 5D002 is not trivial (though it does cover a large swath).

And if a project is particularly worried, say because it has a lot of small moving crypto,
you could simply add a step to your release process which says 're-evaluate ECCN qualification
if any crypto code was added or changed relative to prior releases'.

But in this case - the PMC seems to have this well under control and releases get their i's
dotted and t's crossed.

Thanks,

Dw.

*: I am skipping the usual verbiage on CCLA and/or iCLA being on file, etc.

