On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> Technically, this was to have been resolved before the code was put up on SVN. We need
to audit specifically for this rather quickly, and including the places that Rob also identified
(import-export filters and http TLS).
I definitely recommend a full crypto audit but IIRC it's not necessary
before sending the initial notification.
AIUI (from [1] and [2]) all that's needed is a list of the
cryptographic libraries used by OOo. If the results of the full audit
differ then we can just update the details and send an updated
notification.
Robert
[1] http://www.apache.org/dev/crypto.html#sources
[2] http://www.apache.org/licenses/exports/
|