www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Todd Lipcon <t...@apache.org>
Subject Definition of "provides bindings" for OpenSSL
Date Mon, 31 Oct 2016 19:47:34 GMT
Hi all,

In Apache Kudu we're adding some code that uses the OpenSSL library for the
following purposes:
- Encryption of network traffic using TLS
- Generation of RSA public/private key pairs
- Signing of data using public/private keys

We won't ship OpenSSL libraries or source code, but we will #include
<ssl/ssl.h> and friends, and will require OpenSSL development
libraries/headers to be on the system at build time and runtime.

Based on my reading of https://www.apache.org/dev/crypto.html this means we
need to go through the notification process as outlined on that page. Is
that correct? I was hoping the FAQ would address this, but I found the
wording confusing:

> IF MY PROJECT SHIPS A BINARY THAT PROVIDES BINDINGS TO OPENSSL, BUT DOES
NOT INCLUDE ITS SOURCE OR BINARIES, WHAT NOTIFICATIONS MUST BE MADE?

"provides bindings" to me sounds like a library like Apache Commons Crypto
whose main purpose it is to wrap OpenSSL and "provide bindings" to some
downstream user who wants to use cryptographic functionality. But, maybe
it's meant to be interpreted as "binds against OpenSSL" or "dynamically
links against OpenSSL" which describes what we are doing.

Could someone please clarify?

Thanks
-Todd

-- 
Todd Lipcon
Software Engineer, Cloudera

Mime
View raw message