incubator-ooo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Weir <robw...@apache.org>
Subject Re: Request dev help: Info for required crypto export declaration
Date Thu, 01 Sep 2011 23:12:05 GMT
On Thu, Sep 1, 2011 at 7:01 PM, Dennis E. Hamilton
<dennis.hamilton@acm.org> wrote:
> From <http://www.apache.org/dev/crypto.html> top of page, Overview, second paragraph:
>
> "PMCs considering including cryptographic functionality within their products or specially
designing their products to use other software with cryptographic functionality should take
the following steps *before* placing such code on any ASF server, including commits to subversion"
[*emphasis* mine]
>
> From <http://incubator.apache.org/guides/mentor.html#crypto-audit>
> "Before the code base is committed into an Apache repository, the contribution MUST be
checked and any restricted cryptography reported appropriately."
>

Yup.  We did this in the wrong order.  Nothing we can do about that now.

I hope to get to this soon, but probably not until the weekend at
earliest.  If you (or anyone else) have cycles earlier, feel free to
grab this task.   I don't mean to be sitting on it if someone else can
act sooner.


-Rob


> -----Original Message-----
> From: Robert Burrell Donkin [mailto:robertburrelldonkin@gmail.com]
> Sent: Thursday, September 01, 2011 14:01
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto export declaration
>
> On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton
> <dennis.hamilton@acm.org> wrote:
>> Technically, this was to have been resolved before the code was put up on SVN.  We
need to audit specifically for this rather quickly, and including the places that Rob also
identified (import-export filters and http TLS).
>
> I definitely recommend a full crypto audit but IIRC it's not necessary
> before sending the initial notification.
>
> AIUI (from [1] and [2]) all that's needed is a list of the
> cryptographic libraries used by OOo. If the results of the full audit
> differ then we can just update the details and send an updated
> notification.
>
> Robert
>
> [1] http://www.apache.org/dev/crypto.html#sources
> [2] http://www.apache.org/licenses/exports/
>
>

Mime
View raw message