On 06/08/2006 11:47 PM, Roy T. Fielding wrote: > Sorry, I did a poor job of explaining -- the binaries issue is about > openssl. The openssl issue is what required me to read the EAR
No reason to say sorry. Thanks for your work on this issue. > The mere presence of mod_ssl source code appears to be sufficient to > make the product as a whole covered by 5D002 export controls, which means > we can distribute both source and binaries under the TSU exception iff > the binaries are built from a 100% open source package that we can point > to with a URL. That is no big deal. The big deal is that 5D002 > classification also means that it is illegal for the ASF to knowingly > allow anyone residing in, or a citizen of, the T-8 countries, or anyone > on the "denied persons list", to even participate in our project, > let alone download packages, since that participation would be a > "deemed export". That is why I suggested a separate (sub)project, > so that the "httpd" product could exist separately and be completely > open to participation and downloads. Just making it a release-time > build separation is not sufficient. Many thanks for this clarification. > > However, if the group would prefer to keep mod_ssl within the package, > then we have to take the appropriate actions in our documentation and > committer policies. I do not think we would be in any danger of the > FBI making an example of us provided that we publish the same export > guidelines as all the other software companies. > > So, I guess the real question is: do we follow the example of Mozilla > et al and simply publish as 5D002 with the appropriate documentation, Just to get it clear: This would be the option to leave mod_ssl where it is and update the documentation of httpd in a way that we comply with US export laws, right? And updating the documentation would (roughly speaking) lead to a situation where we state that no one from the T-8 countries is allowed to download httpd (not only binaries, but also the sources) or to take part in the project (which would be hard to do anyway without sources :-)). > or do we make an attempt to separate the products in a way that one > half is unrestricted and the other is 5D002? And that would be the option to move mod_ssl to a subproject with an appropriate documentation that complies with US export laws and having the remaining core httpd freed of all the restrictions and rules imposed by the US export laws, right? Regards Rüdiger
