Sorry, I did a poor job of explaining -- the binaries issue is about
openssl.  The openssl issue is what required me to read the EAR
guidelines, but my response is based on what I learned about the
EAR in general.

The mere presence of mod_ssl source code appears to be sufficient to
make the product as a whole covered by 5D002 export controls, which means
we can distribute both source and binaries under the TSU exception iff
the binaries are built from a 100% open source package that we can point
to with a URL.  That is no big deal.  The big deal is that 5D002
classification also means that it is illegal for the ASF to knowingly
allow anyone residing in, or a citizen of, the T-8 countries, or anyone
on the "denied persons list", to even participate in our project,
let alone download packages, since that participation would be a
"deemed export".  That is why I suggested a separate (sub)project,
so that the "httpd" product could exist separately and be completely
open to participation and downloads.  Just making it a release-time
build separation is not sufficient.

However, if the group would prefer to keep mod_ssl within the package,
then we have to take the appropriate actions in our documentation and
committer policies.  I do not think we would be in any danger of the
FBI making an example of us provided that we publish the same export
guidelines as all the other software companies.

So, I guess the real question is: do we follow the example of Mozilla
et al and simply publish as 5D002 with the appropriate documentation,
or do we make an attempt to separate the products in a way that one
half is unrestricted and the other is 5D002?

Those are the two choices that *we* need to discuss (choosing to do
neither is not an option now that I have a vague understanding of EAR
and how larger institutions like Stanford U. have chosen to enforce it).

If anyone can think of another option, I'd like to hear it before
proposing a vote.  Once we make a decision on the technical contents
of the project, Cliff and I can work out the legal requirements and
BIS notices in a way that can be applied across the ASF.

....Roy
