www-legal-discuss mailing list archives

From Robert Burrell Donkin <rdon...@apache.org>
Subject Re: Cryptography in CouchDB
Date Wed, 19 Aug 2009 06:20:57 GMT

Paul Davis wrote:
> Legal Heroes,
> Curt Arnold brought up on dev@couchdb.a.o that we may need to be
> checking into the process for cryptography exports. After reading [2]
> I found an interesting FAQ that almost seems to maybe affect us, but
> I'm not entirely certain.
> Quoting [2]:
>> If my project ships a binary that provides bindings to OpenSSL, but does not
>> include its source or binaries, what notifications must be made?
>> The only required notification for an Apache project that is specially designed
>> to use, but doesn't include, such crypto, is just the notification for the ASF
>> product code.
> There are two main spots of concern in CouchDB:
> Situation one:
> * We have a direct dependency on the Erlang crypto module [3]
> * The Erlang crypto module makes calls to OpenSSL
> * The only calls we make to crypto are, sha_mac, sha, rand_bytes and
> rand_uniform, none of which would appear to be cryptographic in
> nature.
> Situation two:
> * One of our dependencies uses the Erlang module priv_key [4]
> * priv_key is only available in the most recent versions of Erlang so
> we've disabled compiling that part of the dependency. (we prevent our
> dependency from compiling code that would call the priv_key module.)
> In general, the basic question is: What are the proper steps related
> to code that makes calls into a library that may or may not be calling
> OpenSSL? Does this constitute "providing bindings"?

i'm not sure that's easy or safe to answer in general without legal
training. (if couchdb requires an opinion on this then it'll need to go
to legal internal.)

going by the summary on http://www.apache.org/dev/crypto.html, if you're
shipping your cryptography dependencies (either as part of the
distribution or through subversion) then you need to fill out the form.
if you're not then if you don't use restricted cryptographic functions
(see http://www.apache.org/dev/crypto.html) then you don't.

> If this does place
> restrictions on us, what are they and what should be done about them?

it's just a lightweight notification and including information for the
user. the details are given in http://www.apache.org/dev/crypto.html.

- robert

