incubator-general mailing list archives

From "Roy T. Fielding" <field...@gbiv.com>
Subject Re: podling BIS notifications
Date Thu, 22 Feb 2007 03:47:24 GMT
On Feb 20, 2007, at 10:55 PM, Cliff Schmidt wrote:
> +1 to everything above -- although, rather than saying a later notice
> needs to be sent out when the encryption functionality changes, I'd
> put it as, "a later notice needs to be sent when any information on
> the prior notice has changed"...but this would typically only be the
> case for changes in manufacturer to some included crypto component.
> See http://www.apache.org/dev/crypto.html#faq-additionalemails.

Yep, I oversimplified.

>> We don't know exactly where the line needs to be drawn, since
>> the BIS has been very lenient or very overloaded in the
>> past and never (to my knowledge) taken us to task for doing
>> it wrong.  Or maybe we always did it right.  Nevertheless, the EAR
>> is the law as far as the ASF is concerned, and has to be obeyed
>> even if we think the law is confusing and pointless.
>>
>> My guess is that ongoing development of source code bits within
>> subversion qualifies as an open conference, just like our mailing
>> lists, and thus not subject to the export controls.  It is only
>
> No -- the BIS folks consider open source development in between
> releases to be the same as beta releases.  There is a separate license
> just for betas, but the TSU one is simpler.  This is why we send the
> TSU notification prior to starting to commit encryption code to SVN.
> This is also covered in the FAQs:

Ah, rats, I was hoping that it wasn't classified as 5D002 until
the code was in functional form, since that is what the definitions
in 772 and 740 would indicate.  But you are right that what matters
more is what BIS folks consider.

> http://www.apache.org/dev/crypto.html#faq-firstnotification
> http://www.apache.org/dev/crypto.html#faq-public
>
> If any of these FAQs could be more clear, let me know.

Actually, I think it would be clearer as a step-by-step decision
process rather than a FAQ.  I'm not volunteering any more, though.

> ...although, speaking of the exports page, I noticed that there is now
> software with an ECCN of "EAR99".  I'm not aware of any software we
> distribute at Apache that meets this category.  Can anyone tell me
> what the rationale is for this?

Umm, my bad -- I read the definition on their summary page and followed
how it was used by other companies.  The definition in section 734

    (c) "Items subject to the EAR" consist of the
    items listed on the Commerce Control List (CCL)
    in part 774 of the EAR and all other items which
    meet the definition of that term.  For ease of
    reference and classification purposes, items
    subject to the EAR which are not listed on the
    CCL are designated as "EAR99."

is more clear.  So, our software would only be EAR99 if it were not
publicly available, since making non-5D002 software publicly
available means the item is not "subject to the EAR", so that is
only a concern for redistributors that distribute modified versions.
Not our problem.  I'll fix the page.  Damn spaghetti regs.

....Roy


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org

