Re: Proposed Crypto Notification process

2006-08-03 Thread William A. Rowe, Jr.
[ping] Cliff; I realize you've done your best to create crystal clear answers to Justin's and my questions below at the http://www.apache.org/dev/crypto.html page. But your followup to this post would be most valuable so we can close this cycle and complete our notification. Call this a final sa

Re: Proposed Crypto Notification process

2006-07-30 Thread William A. Rowe, Jr.
Cliff; I realize you've done your best to create crystal clear answers to Justin's and my questions below at the http://www.apache.org/dev/crypto.html page. But your followup to this post would be most valuable so we can close this cycle and complete our notification. Call this a final sanity che

Re: Proposed Crypto Notification process

2006-07-04 Thread Cliff Schmidt
I've seen my name mentioned a lot in this thread...hopefully the "Crypto FAQ" that I just sent to this list will answer most of the questions referred to me in this thread. If not, I'll try to get to the others. BTW, I think David Reid's projects RDF idea is a great one. I'll try to follow up o

Re: Proposed Crypto Notification process

2006-07-04 Thread William A. Rowe, Jr.
Cliff Schmidt wrote: I've seen my name mentioned a lot in this thread...hopefully the "Crypto FAQ" that I just sent to this list will answer most of the questions referred to me in this thread. If not, I'll try to get to the others. BTW, I think David Reid's projects RDF idea is a great one. I

Re: Proposed Crypto Notification process

2006-07-04 Thread William A. Rowe, Jr.
Roy T. Fielding wrote: I don't see any reason why apr-util would distribute OpenSSL in any form -- it needs to compile against the installed SSL library (perhaps a card) for the same reasons as httpd. Again - you tout the perspective for an OS which is 'feature complete' (e.g., includes the co

Re: Proposed Crypto Notification process

2006-07-04 Thread Roy T. Fielding
I am quite certain that the regulation is one notice per type of package we export (product name x crypto capabilities). What is unclear is the meaning of the "link to sources" within that notice. I think it is sufficient for the link to httpd's "sources" to include a link to OpenSSL's sources p

Re: Proposed Crypto Notification process

2006-07-04 Thread William A. Rowe, Jr.
Justin Erenkrantz wrote: On 7/4/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote: That's my question... Cliff? Is OpenSSL, in the context of being one component of the APR-util "product", or the Apache HTTP Server "product", its own, independent "product" that apr or httpd pmc's should be no

Re: Proposed Crypto Notification process

2006-07-04 Thread Justin Erenkrantz
On 7/4/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote: That's my question... Cliff? Is OpenSSL, in the context of being one component of the APR-util "product", or the Apache HTTP Server "product", its own, independent "product" that apr or httpd pmc's should be notifying the BIS of on its ow

Re: Proposed Crypto Notification process

2006-07-04 Thread William A. Rowe, Jr.
Roy T. Fielding wrote: On Jun 30, 2006, at 11:47 PM, Justin Erenkrantz wrote: On 6/30/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: We do not distribute OpenSSL because it contains software that we cannot distribute for reasons unrelated to export control. I think we will end up distributin

Re: Proposed Crypto Notification process

2006-07-04 Thread William A. Rowe, Jr.
Yup. See this list's archives over this past month. Mladen Turk wrote: ??? Can you point the discussion thread about that (Including OpenSSL to apr-util) ? Seems I miss something. Is there some plan already and API proposed? It's already in trunk.

Re: Proposed Crypto Notification process

2006-07-04 Thread Mladen Turk
William A. Rowe, Jr. wrote: APR-util library: Source Location http://svn.apache.org/repos/asf/apr/apr-util/trunk Includes the optional(1) use of the OpenSSL Cryptographic library to SSL encrypt socket communication using the apr_ssl_socket API. ??? Can you point t

Re: Proposed Crypto Notification process

2006-07-01 Thread Ruediger Pluem
On 01.07.2006 11:03, Roy T. Fielding wrote: > > > If we remove the patent-encumbered code from OpenSSL, then it isn't > OpenSSL and we cannot distribute it or anything built from it under I think we do not really *remove* this code, but just compile OpenSSL *without* this code (via configure o

Re: Proposed Crypto Notification process

2006-07-01 Thread Justin Erenkrantz
On 7/1/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: If we remove the patent-encumbered code from OpenSSL, then it isn't OpenSSL and we cannot distribute it or anything built from it under the TSU exception without distributing the source code exactly as built. That means we have to distribute t

Re: Proposed Crypto Notification process

2006-07-01 Thread Roy T. Fielding
On Jun 30, 2006, at 11:47 PM, Justin Erenkrantz wrote: On 6/30/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: We do not distribute OpenSSL because it contains software that we cannot distribute for reasons unrelated to export control. I think we will end up distributing OpenSSL with our binar

Re: Proposed Crypto Notification process

2006-06-30 Thread Justin Erenkrantz
On 6/30/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: We do not distribute OpenSSL because it contains software that we cannot distribute for reasons unrelated to export control. I think we will end up distributing OpenSSL with our binaries. I know that the Win32 binaries will certainly be in

Re: Proposed Crypto Notification process

2006-06-30 Thread Roy T. Fielding
On Jun 30, 2006, at 5:37 AM, Justin Erenkrantz wrote: On 6/30/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote: Nope. We don't ship OpenSSL the product, we ship APR-util the product which happens to link to OpenSSL, and therefore, ***APR.apache.org/ crypto.html*** resolves to www.apache.org

Re: Proposed Crypto Notification process

2006-06-30 Thread Cliff Schmidt
On 6/30/06, Justin Erenkrantz <[EMAIL PROTECTED]> wrote: On 6/30/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: > Please don't call it the "crypto" notice or the "crypto" page. > > They are export notices and a page about export classifications. > There are many other things besides crypto on the

Re: Proposed Crypto Notification process

2006-06-30 Thread Justin Erenkrantz
On 6/30/06, Roy T. Fielding <[EMAIL PROTECTED]> wrote: Please don't call it the "crypto" notice or the "crypto" page. They are export notices and a page about export classifications. There are many other things besides crypto on the control list. The page will likely have a very long and painfu

Re: Proposed Crypto Notification process

2006-06-30 Thread Justin Erenkrantz
On 6/30/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote: Yes. but point at apr.apache.org/crypto.html that is maintained by the authors. Once again - no. PMC Chairs should generally have access to the foundation site (if not, they can get it quite easily) and they should just add those link

Re: Proposed Crypto Notification process

2006-06-30 Thread Roy T. Fielding
On Jun 29, 2006, at 11:30 PM, William A. Rowe, Jr. wrote: Notification solution; Post the following notice on our project-specific crypto notice page; http://apr.apache.org/crypto.html And provide the BIS with a notice of the cryptographic export of the APR-util product "Apache Portability

Re: Proposed Crypto Notification process

2006-06-30 Thread William A. Rowe, Jr.
david reid wrote: Actually, I think we should look at going a step further and have the email sent automatically as well. When a project creates/updates a file it can trigger a script to handle the email creation/submission - which would be a win/win for everyone and hopefully make the projects

Re: Proposed Crypto Notification process

2006-06-30 Thread William A. Rowe, Jr.
Justin Erenkrantz wrote: On 6/30/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote: > Notification solution; > > Post the following notice on our project-specific crypto notice page; > > http://apr.apache.org/crypto.html My i

Re: Proposed Crypto Notification process

2006-06-30 Thread david reid
Justin Erenkrantz wrote: On 6/30/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote: > Notification solution; > > Post the following notice on our project-specific crypto notice page; > > http://apr.apache.org/crypto.html My i

Re: Proposed Crypto Notification process

2006-06-30 Thread david reid
Justin Erenkrantz wrote: On 6/30/06, david reid <[EMAIL PROTECTED]> wrote: Why not setup a system along the same lines as projects data? Each project maintains a small rdf file with the information, then we can aggregate at a project or global level with

Re: Proposed Crypto Notification process

2006-06-30 Thread Justin Erenkrantz
On 6/30/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote: > Notification solution; > > Post the following notice on our project-specific crypto notice page; > > http://apr.apache.org/crypto.html My impression of our outcome a

Re: Proposed Crypto Notification process

2006-06-30 Thread Justin Erenkrantz
On 6/30/06, david reid <[EMAIL PROTECTED]> wrote: Why not setup a system along the same lines as projects data? Each project maintains a small rdf file with the information, then we can aggregate at a project or global level with very little effort. This would seem (like projects) to fit in exactly wi

Re: Proposed Crypto Notification process

2006-06-30 Thread William A. Rowe, Jr.
david reid wrote: Colm MacCarthaigh wrote: On Fri, Jun 30, 2006 at 09:20:10AM +0100, david reid wrote: I guess people didn't debate using a distributed solution for maintaining the list did they? That would seem to be an obvious way to go... We did, and I don't think there are any legal prob

Re: Proposed Crypto Notification process

2006-06-30 Thread William A. Rowe, Jr.
david reid wrote: I guess people didn't debate using a distributed solution for maintaining the list did they? That would seem to be an obvious way to go... Nope - the idea of having a 'master list' is goodness (at www.apache.org/crypto) but in order to track specific things going on, it rea

Re: Proposed Crypto Notification process

2006-06-30 Thread david reid
Colm MacCarthaigh wrote: On Fri, Jun 30, 2006 at 09:20:10AM +0100, david reid wrote: I guess people didn't debate using a distributed solution for maintaining the list did they? That would seem to be an obvious way to go... We did, and I don't think there are any legal problems with it, so if

Re: Proposed Crypto Notification process

2006-06-30 Thread Colm MacCarthaigh
On Fri, Jun 30, 2006 at 09:20:10AM +0100, david reid wrote: > I guess people didn't debate using a distributed solution for > maintaining the list did they? That would seem to be an obvious way to go... We did, and I don't think there are any legal problems with it, so if we choose to have our ow

Re: Proposed Crypto Notification process

2006-06-30 Thread david reid
Colm MacCarthaigh wrote: On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote: Notification solution; Post the following notice on our project-specific crypto notice page; http://apr.apache.org/crypto.html My impression of our outcome at the BoF was that it would probably b

Re: Proposed Crypto Notification process

2006-06-30 Thread Colm MacCarthaigh
On Fri, Jun 30, 2006 at 07:30:04AM +0100, William A. Rowe, Jr. wrote: > Notification solution; > > Post the following notice on our project-specific crypto notice page; > > http://apr.apache.org/crypto.html My impression of our outcome at the BoF was that it would probably be easier and prefer