httpd-dev mailing list archives

From Ruediger Pluem
Subject Re: restructuring mod_ssl as an overlay
Date Thu, 08 Jun 2006 22:07:54 GMT

On 06/08/2006 11:47 PM, Roy T. Fielding wrote:
> Sorry, I did a poor job of explaining -- the binaries issue is about
> openssl.  The openssl issue is what required me to read the EAR

No reason to say sorry. Thanks for your work on this issue.

> The mere presence of mod_ssl source code appears to be sufficient to
> make the product as a whole covered by 5D002 export controls, which means
> we can distribute both source and binaries under the TSU exception iff
> the binaries are built from a 100% open source package that we can point
> to with a URL.  That is no big deal.  The big deal is that 5D002
> classification also means that it is illegal for the ASF to knowingly
> allow anyone residing in, or a citizen of, the T-8 countries, or anyone
> on the "denied persons list", to even participate in our project,
> let alone download packages, since that participation would be a
> "deemed export".  That is why I suggested a separate (sub)project,
> so that the "httpd" product could exist separately and be completely
> open to participation and downloads.  Just making it a release-time
> build separation is not sufficient.

Many thanks for this clarification.

> However, if the group would prefer to keep mod_ssl within the package,
> then we have to take the appropriate actions in our documentation and
> committer policies.  I do not think we would be in any danger of the
> FBI making an example of us provided that we publish the same export
> guidelines as all the other software companies.
> So, I guess the real question is: do we follow the example of Mozilla
> et al and simply publish as 5D002 with the appropriate documentation,

Just to get it clear: This would be the option to leave mod_ssl where it is
and update the documentation of httpd in a way that we comply with US export laws, right?
And updating the documentation would (roughly speaking) lead to a situation where
we state that no one from the T-8 countries is allowed to download httpd
(not only binaries, but also the sources) or to take part in the project (which would
be hard to do anyway without sources :-)).

> or do we make an attempt to separate the products in a way that one
> half is unrestricted and the other is 5D002?

And that would be the option to move mod_ssl to a subproject with appropriate
documentation that complies with US export laws and having the remaining core
httpd freed of all the restrictions and rules imposed by the US export laws, right?


