-Ursprüngliche Nachricht-
Von: Colm MacCarthaigh
After that, based on your excellent summary, I'm begining to see the
wisdom of a subproject - despite the overhead, maximising developer
involvement and the potential community size is much more important.
Just for my
-Ursprüngliche Nachricht-
Von: Roy T. Fielding
The sane solution would be to convince the US government to remove
encryption from the export control list, since that regulation has
been totally ineffective. That is not likely to happen during this
I totally agree, but I fear
On Thu, Jun 08, 2006 at 02:47:59PM -0700, Roy T. Fielding wrote:
to with a URL. That is no big deal. The big deal is that 5D002
classification also means that it is illegal for the ASF to knowingly
allow anyone residing in, or a citizen of, the T-8 countries, or anyone
on the denied persons
-Ursprüngliche Nachricht-
Von: Joe Orton [
Would only committers count as participating in the project
for this
purpose, do you think? Random people submitting patches would not?
Stupid question: How can someone who is not allowed to download the sources
can submit patches?
On Fri, Jun 09, 2006 at 12:29:06PM +0200, Plüm, Rüdiger, VF EITO wrote:
-Ursprüngliche Nachricht-
Von: Joe Orton [
Would only committers count as participating in the project
for this
purpose, do you think? Random people submitting patches would not?
Stupid question: How
On Jun 9, 2006, at 3:56 AM, Colm MacCarthaigh wrote:
On Fri, Jun 09, 2006 at 12:29:06PM +0200, Plüm, Rüdiger, VF EITO
wrote:
-Ursprüngliche Nachricht-
Von: Joe Orton [
Would only committers count as participating in the project
for this
purpose, do you think? Random people
On Thu, Jun 08, 2006 at 11:01:12AM +0100, Joe Orton wrote:
On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote:
Okay, let me put it in a different way. The alternatives are
1) retain the status quo, forbid distributing ssl binaries, and
include in our documentation that
On Jun 7, 2006, at 4:03 PM, Roy T. Fielding wrote:
Given those constraints, I would prefer to separate the httpd releases
into a non-crypto package and a crypto overlay, similar to what most
of the packaging redistributors do (fink, apt, etc.).
Is the concern that we bundle mod_ssl with
On 6/8/06, Joe Orton [EMAIL PROTECTED] wrote:
Thanks for doing the research, Roy.
Ditto.
On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote:
Okay, let me put it in a different way. The alternatives are
1) retain the status quo, forbid distributing ssl binaries, and
include
Sorry, I did a poor job of explaining -- the binaries issue is about
openssl. The openssl issue is what required me to read the EAR
guidelines, but my response is based on what I learned about the
EAR in general.
The mere presence of mod_ssl source code appears to be sufficient to
make the
On 06/08/2006 11:47 PM, Roy T. Fielding wrote:
Sorry, I did a poor job of explaining -- the binaries issue is about
openssl. The openssl issue is what required me to read the EAR
No reason to say sorry. Thanks for your work on this issue.
The mere presence of mod_ssl source code appears to
On Thu, Jun 08, 2006 at 02:47:59PM -0700, Roy T. Fielding wrote:
If anyone can think of another option, I'd like to hear it before
proposing a vote.
Another option is that we could ask the ASF to formally consider upping
roots and changing jurisdiction. I have little doubt over what the
answer
On 6/8/06, Colm MacCarthaigh [EMAIL PROTECTED] wrote:
Another option is that we could ask the ASF to formally consider upping
roots and changing jurisdiction. I have little doubt over what the
answer would be, but I'd prefer that we exhaust all of the alternative
options before doing anything
On Jun 8, 2006, at 3:38 PM, Colm MacCarthaigh wrote:
Another option is that we could ask the ASF to formally consider
upping
roots and changing jurisdiction. I have little doubt over what the
answer would be, but I'd prefer that we exhaust all of the alternative
options before doing anything
Roy T. Fielding wrote:
... The big deal is that 5D002
classification also means that it is illegal for the ASF to knowingly
allow anyone residing in, or a citizen of, the T-8 countries, or anyone
on the denied persons list, to even participate in our project,
let alone download packages,
Roy wrote...
The sane solution would be to convince the US government to remove encryption from the export control list, since that regulation has been totally ineffective. That is not likely to happen during this administration, though, and I don't think the ASF is allowed to lobby for it
On Wed, Jun 07, 2006 at 01:03:48PM -0700, Roy T. Fielding wrote:
c) each redistributor (re-exporter) of our packages must do the same
[I am unsure if that means every mirror is supposed to file as
well, but for now I am guessing that they don't];
They don't :)
e) people who are in
Roy T. Fielding wrote:
Thoughts? Anyone have any better ideas?
+1 to an overlay; I know you have - but for the rest of the participants, also
consider that it 'illegal' to have crypto in some jurisdictions (and actually
if you are traveling to some jurisdictions it's best to leave your ssl
Colm MacCarthaigh wrote:
I think the best way to accomplish that is to separate mod_ssl into a
subproject that is capable of producing overlay releases for each
release of httpd.
yuck! -1
Before we take -any- action, we need to have one policy across the ASF.
Our research hopefully
On Jun 7, 2006, at 1:30 PM, Colm MacCarthaigh wrote:
e) people who are in the banned set of countries and people in
countries that forbid encryption cannot legally download the
current
httpd-2 packages because they include mod_ssl even when it won't be
used.
I don't see how this can
On Wed, Jun 07, 2006 at 03:53:51PM -0500, William A. Rowe, Jr. wrote:
Before we take -any- action, we need to have one policy across the ASF.
*shrug*, this is [EMAIL PROTECTED], so I'm going to stick to httpd specifically
for now, and that can feed in or not to any policy the ASF desires to
Roy T. Fielding wrote:
Okay, let me put it in a different way. The alternatives are
1) retain the status quo, forbid distributing ssl binaries, and include
in our documentation that people in banned countries are not allowed
to download httpd 2.x.
Acutally - I'm still looking for
On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote:
The point is that they may want to download a web server which doesn't
have that problem, and right now they are limited to 1.3.x. I consider
Web servers to be something we would want people in those countries
to be able to
On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote:
There's another gray point, without OpenSSL, mod_ssl is a noop, that is,
it does no crypto. There is more crypto in mod_auth_digest, util_md5 or
in apr-util than there is in mod_ssl.
I think this is an excellent point regarding the
Ruediger Pluem wrote:
A complete different question: Does anybody know how mozilla.org handles
these kind
of problems with firefox?
They appear to have a brief overview of their trials and tribulations on
the subject here:
http://www.mozilla.org/crypto-faq.html
On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote:
Here's the page that I've put together right now:
http://apache.org/dev/crypto.html. Unfortunately, it needs a little
more detail.
Thank you very much, that's already answered a few of my questions and
given me some good
So, I'm wondering how effective a liability shield it is for a US-based
corporation to export such content via non-US-based distributors. It
seems odd that this would work legally, but that SPI/Debian did it for
so long sparks my interest; maybe there is a path through.
I have no idea what the
On Jun 7, 2006, at 1:39 PM, William A. Rowe, Jr. wrote:
On the T-8 prohibited countries list, note it is a crime to export
technologies
to them (it's hard for the US to define a crime to obtain said
technologies in
a foreign jurisdiction - let's not get into that debate). However,
as a
On Wed, Jun 07, 2006 at 04:02:01PM -0700, Roy T. Fielding wrote:
we would have to provide our own copy of the distribution or include
the source code directly in our product, just to comply with EAR.
My preference is to not distribute OpenSSL.
+1
--
Colm MacCárthaigh
On Jun 7, 2006, at 3:02 PM, Colm MacCarthaigh wrote:
On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote:
Here's the page that I've put together right now:
http://apache.org/dev/crypto.html. Unfortunately, it needs a little
more detail.
Thank you very much, that's already
On Wed, Jun 07, 2006 at 04:32:40PM -0700, Roy T. Fielding wrote:
We also cannot go to one of those countries and agitate for people
to download a copy of httpd and run their own web server
Who's we? Members of the ASF? Members of the PMC? committers?
developers?
I'd like to know. My Apache
On Jun 7, 2006, at 4:53 PM, Colm MacCarthaigh wrote:
On Wed, Jun 07, 2006 at 04:32:40PM -0700, Roy T. Fielding wrote:
We also cannot go to one of those countries and agitate for people
to download a copy of httpd and run their own web server
Who's we? Members of the ASF? Members of the PMC?
On Wed, Jun 07, 2006 at 06:58:27PM -0700, Roy T. Fielding wrote:
We is anyone representing the ASF. How (or who) would determine
that is anyone's guess.
eek. Who is burdened with that liability? I'm guessing it's the ASF as a
body corporate and possibly its directors personally.
If that's the
33 matches
Mail list logo
