Stefano Mazzocchi wrote:
With my chair hat on, I have a hard time executing the above since I can't possibly be responsible for looking into every lab and hunting for crypto stuff. I'm not even a crypto expert, I wouldn't even know what to look for. I mean, is MD5 considered crypto? I wouldn't know.
Understandable, but you own the notice process as a project chair, and must subject each incoming lablet to scrutiny (simply asking if their code is subject to /dev/crypto policy, *before* the lab code is committed).
I can go ahead and apply the existing patch, sure, no problems. But I would like every single PI to tell me: yes, I've looked at it and it's for for me.
Deal with one at a time; yes get this patch committed please and the notice sent out, yesterday. This is not the subject of a vote, as an alternative Stefano would be happy to shutter the offending svn repositories.

Get Stefano your patches. Thanks Vysper for following through.

BadCA is a weird one, it plugs into an interface in APR to OpenSSL that is currently mothballed in a sandbox and looking for attention to get it ready to be reintegrated into trunk. But APR is still on the hook for providing notice (we already had) even though it lives in a sandbox. So if you simply copy APR's style of notice w.r.t. OpenSSL, BadCA should be covered.
