On 7/6/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
Cliff Schmidt wrote:
>
> fair enough -- however, could you tell me if these comments come after
> having read http://apache.org/dev/crypto.html?  I was kind of hoping
> that page comes close to providing the background and list of what
> steps must be taken.  I guess I think a rev of the current
> crypto.html page + a rev of this FAQ should be very close to the
> needed docs.  Agree?

Cliff; we need one ABSOLUTE STATEMENT out of you :-)

"APR Project, if you ship an APR binary that includes libssl/libcrypto,
you must:"

    a. " produce an 'OpenSSL Product notification' separately"
or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
         'APR-util Product' "

definitely b

If you don't ship OpenSSL but provide the bindings to it, you must

    a. " produce an 'OpenSSL Product notification' separately as it's implied"
or b. " add the 'OpenSSL source (e.g. openssl.org/dist/) to your notice for '
         'APR-util Product' as it's implied"
or c. " do nothing w.r.t. OpenSSL's source code."

definitely c

(of course, you'll have to point to APR-util source since it is crypto
due to its bindings to OpenSSL).

Help?

I think the above answers are consistent with FAQ Q&A 9,10 -- however,
I think your questions above require an explicit Q&A for these two
situations.  The product is always the Apache product.  The
manufacturer is either the ASF or wherever the third-party crypto
comes from; in cases where the ASF product includes code from one or
more other manufacturers, there will likely be a need for more than
one notice for the same product.

If you say any/either, I suggest rolling in OpenSSL source notification
into the APR source notification (one notice, once, links at /crypto.html
or whatever) is a low-maintenance, low-headache, simplest path.

Not sure if this is exactly what you are talking about, but take
another look at Q&A 9.  I should probably revise A9 since it gives too
many options and just list what I mention is the preferred option:
"However, the preference is to have one email with a complete set of
required information for each crypto item in the product."  Anyone
prefer one of the other options?

Cliff
