Colm MacCarthaigh wrote:
I think the best way to accomplish that is to separate mod_ssl into a
subproject that is capable of producing overlay releases for each
release of httpd.
yuck! -1
Before we take -any- action, we need to have one policy across the ASF.
Our research hopefully contributes substantially to that policy. But
we can't enable per-project balkanization when it comes to complying
with US law.
As I've said, I'm ok with two seperate (full) tarballs, e.g. two (full)
corresponding binary distributions; I'm ok with a core tarball and an
add-on crypto component. I'm not really ok with the status quo as there
is no way to not download crypto in a restricted jurisdiction if one wants
httpd, unless some party has retarred the release for us sans mod_ssl.
There's another gray point, without OpenSSL, mod_ssl is a noop, that is,
it does no crypto. There is more crypto in mod_auth_digest, util_md5 or
in apr-util than there is in mod_ssl.
Is the mere legal registration of the ASF within US borders a solid
stumbling block here? As in, could the situation be remedied by
forbiding US-based distributors? (Similar to what Debian used to do with
it's non-US repositories).
Dude, we are a Deleware, US foundation.
