httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm MacCarthaigh <>
Subject Re: restructuring mod_ssl as an overlay
Date Wed, 07 Jun 2006 21:19:00 GMT
On Wed, Jun 07, 2006 at 03:53:51PM -0500, William A. Rowe, Jr. wrote:
> Before we take -any- action, we need to have one policy across the ASF.

*shrug*, this is dev@httpd, so I'm going to stick to httpd specifically
for now, and that can feed in or not to any policy the ASF desires to
later impose :-)

> Our research hopefully contributes substantially to that policy.  But
> we can't enable per-project balkanization when it comes to complying
> with US law.

Sure, but I don't have the legal advice, and I'm trying to ask some
targetted questions to see what other options there are. I've been
studying law, for my sins ;-) Anyway, I'm not taking responsibility
for monitoring any paralell discussions elsewhere within the ASF
and trying to ensure coherency.

> As I've said, I'm ok with two seperate (full) tarballs, e.g. two (full)
> corresponding binary distributions;  I'm ok with a core tarball and an
> add-on crypto component.  I'm not really ok with the status quo as there
> is no way to not download crypto in a restricted jurisdiction if one wants
> httpd, unless some party has retarred the release for us sans mod_ssl.

I'm fine with that too, it's a sensible pragmatic thing which makes life
easier for a lot of people. 

Re-organising our subversion tree and development practices seems a bit
extreme though, I mean do we also split out mod_auth_digest? Where do we

I don't want to have to RM, test or vote on two or three tarballs every
time we make what is really one release because of some dumb laws.

> >Is the mere legal registration of the ASF within US borders a solid
> >stumbling block here? As in, could the situation be remedied by
> >forbiding US-based distributors? (Similar to what Debian used to do with
> >it's non-US repositories).
> Dude, we are a Deleware, US foundation.

Sure, I realise that, and SPI is a New York, US foundation, but Debian
managed to distribute non-US for years. But I'm not privy to their legal
advice either.

So, I'm wondering how effective a liability shield it is for a US-based
corporation to export such content via non-US-based distributors. It
seems odd that this would work legally, but that SPI/Debian did it for
so long sparks my interest; maybe there is a path through.

Colm MacCárthaigh                        Public Key:

View raw message