http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
Summary: update ECCN status of SpamAssassin
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Building & Packaging
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
> OK, so it turns out that we have been exporting software that falls under
> 5D002 classification (see http://www.apache.org/licenses/exports/ ,
> http://www.apache.org/dev/crypto.html ) for a while...
>
> - SpamAssassin optionally supports SSL-encrypted communication between
> spamc and spamd (I'd forgotten about this), so links against OpenSSL.
> This is already established to bring a 5D002 classification, going by
> httpd and APR.
>
> - as part of the SSL support, it also links against IO::Socket::SSL
> (http://search.cpan.org/dist/IO-Socket-SSL/), which in turn links
> against Net::SSLeay, which in turn links against OpenSSL. Since
> IO::Socket::SSL is expressly designed as an API to provide SSL
> encryption, I think this also brings 5D002 classification and needs to
> be called out in the BIS notice.
>
> - It also links against Mail::DKIM, which uses Crypt::OpenSSL::RSA to
> perform authentication using crypto but does not expose encryption.
> This appears to be fine.
>
> - We also use gpg, again for authentication (of sa-update packages) and
> not encryption. Again, ok.
>
> This thread discusses the "oops we just noticed" case --
>
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200710.mbox/ajax/[EMAIL PROTECTED]
> -- so as long as we update soon we're fine, it seems.
I'll be doing the following:
- sending a notification to BIS
- adding text to the NOTICE file for b3_0, 3.1, 3.2 and trunk
- updating http://www.apache.org/licenses/exports/