incubator-odf-dev mailing list archives

From Rob Weir
Subject Re: Ready for ODF Toolkit crypto declaration
Date Wed, 15 Feb 2012 22:47:52 GMT
On Wed, Feb 15, 2012 at 10:24 AM, Nick Burch wrote:
> On Wed, 15 Feb 2012, Rob Weir wrote:
>> What I don't see is anything that removes the old TSU exception for open
>> source.  It is one thing if the revision adds a new path, but keeps the old
>> option, versus a revision that eliminates TSU.
> The 5d002 route still exists, but it's possible that it doesn't apply to
> cases like ODF Toolkit. It certainly applies to things like Bouncy Castle,
> and probably to mod_ssl (it's based on a 5d002 library), but I'm not certain
> it applies to open source software that doesn't use open source crypto. That
> would need confirming if we did decide to ignore the new options, and just
> try to follow the old one
>> I have no background in US Federal trade regulations.  I assume this
>> is true of most of us.  Since this impacts all of ASF, not just this
>> podling, there must be a way to revise current policy at a
>> foundation-wide level.  In other words, ASF is the legal distributor
>> of the code, they claim the copyright on the aggregated code, so it is
>> ASF interest to get this right.  I'm happy to help, but this might be
>> a good area to get confirming advice from a competent source (e.g.,
>> not me, but an attorney), to sign off on what we think the regulation
>> says.
> I think last time, someone read up a lot on all the rules, had a chat with
> the BIS to clarify some things, and got a lawyer to confirm it looked fine
> afterwards. While Apache does have some volunteer legal resources, I don't
> think any of them are trade specialists, so a similar process will likely be
> needed again.
> If you have time to read up on it, it might be worth you ringing BIS. You'll
> need to have grasped the basics so you can ask the right questions, but I
> figure a call from a fellow American is likely to be better received than if
> some random Brit phoned them up... :)

So... I spent a good part of the morning going through the discussion
on legal-discuss and reading up on the EAR regulations.  I think we're
OK with the ODF Toolkit, based on the fact that our primary function
is not encryption.  So we don't even get past "flowchart 1".  We're
exempted from the regulation.  At least that's my reading.  I detailed
my analysis on the legal-discuss list.

However, I don't think this helps with the Apache-wide situation,
since other projects are in different situations, especially C++ ones
that might statically link to crypto, and therefore include it in
their binary packages.

So I think we're set in this podling, unless anyone objects to my
analysis on legal-discuss.  For the larger issues, it might make sense
to collect a list of them on legal-discuss and then take those to the
next step.  Although I divided things a little differently than you
did, I liked the approach of trying to figure out the minimum number
of buckets we can use to sort all Apache projects into.  Three sounded
like a good number.


> Nick
