Mailing-List: contact legal-discuss-help@apache.org; run by ezmlm
Precedence: bulk
Received-SPF: pass (herse.apache.org: domain of cliffschmidt@gmail.com
 designates 66.249.82.238 as permitted sender)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=oUb2FzvILAeJcU9QXYwg9i5qSiPlaWW6c/Wh7M7XkO4BKsC+cQCVGvXpHlTamI7cUZBf3vDu/5GUXO9WPqiOBmZ/6AUmb3n4AfuooZr4FN/9e6v0XBQMV13fQIo/L44Jdp4qmGXuQz/qmbitveNw9t3YYa+72pDJoP7wBNzOqiE=
Message-ID: <c5e632550610260015k6ab56b1aybc47e5adaf2eaca5@mail.gmail.com>
Date: Thu, 26 Oct 2006 00:15:43 -0700
From: "Cliff Schmidt" <cliffschmidt@gmail.com>
To: "Jean T. Anderson" <jta@apache.org>
Subject: Re: Requirements for projects that enable but don't include or
 implement crypto
Cc: legal-discuss@apache.org
In-Reply-To: <453D8E12.1090101@apache.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <453D8E12.1090101@apache.org>

On 10/23/06, Jean T. Anderson <jta@apache.org> wrote:
> http://www.apache.org/dev/crypto.html#faq says:
>
>    "If my project ships a binary that provides bindings to OpenSSL, but
> does not include its source or binaries, what notifications must be made?
>
>    The only required notification for an Apache project that is
> specially designed to use, but doesn't include, such crypto, is just the
> notification for the ASF product code."
>
> Somebody else asked a question about this in September [1]. From that
> thread I have the impression that projects that can enable crypto
> functionality but don't include or implement it need to do two things:
>
> 1) Provide info for the ASF export page [2] (create the RDF file and add
> an entry for it to licenses/exports/export-registry.xml)
>
> 2) Include a notice in the distribution's README [3]
>
> Is this correct?

You would need to do all the things listed on that page, which is the
two above plus the requirement to send the email notification as well.
 Maybe I need to reword that FAQ, but the idea was to say that you do
not need to do anything about the OpenSSL code at all, but you still
need to do all the steps for the *other* crypto code, which is the
Apache project that is specially designed to work with the OpenSSL
code.  In other words, anything that has a crypto-specific interface
is also considered to be crypto.  So, you still have to do all the
right things for *that* crypto as well, even if you don't distribute
the other crypto.

Make sense?

> Even though this doesn't appear to be a legal requirement [4] I'm
> working on adding this info to Derby and want to make sure I get it right.

The only part that isn't a legal requirement is sticking the text in
the README file; we require this as part of our crypto export policy,
because we think it is the appropriate thing to do for our users
(plus, many of them come bug us about it later if we don't give them
the info at the time).

HTH.

Cliff


> [1]
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200609.mbox/%3cW1948815985110611157220467@webmail7%3e
> [2] http://www.apache.org/licenses/exports/
> [3] http://www.apache.org/dev/crypto.html#inform
> [4]
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200605.mbox/%3c44610F0E.1050601@rowe-clan.net%3e

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org