On Jun 30, 2006, at 5:37 AM, Justin Erenkrantz wrote:
On 6/30/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
Nope. We don't ship OpenSSL the product, we ship APR-util the
product which
happens to link to OpenSSL, and therefore, ***APR.apache.org/
crypto.html***
resolves to www.apache.org, and openssl.org/sources. APR-util is
the product
that creates a dependency/binding to openssl.
Once again, incorrect. We have to notify BIS that we are distributing
source code from a third-party product. Therefore, the BIS guidelines
state that we have to notify that we are distributing OpenSSL (as part
of our binaries).
Please, let's not have this discussion again on APR when it has already
been resolved for httpd. We just have to follow through with the docs.
I'll do that once I get the other procedural documentation crap off
my plate (OpenSolaris).
We do not distribute OpenSSL because it contains software that we
cannot distribute for reasons unrelated to export control.
We must notify the BIS for each distinct product that we distribute that
is under 5D002 export control for which we qualify for the TSU
exception by
providing the complete source code along with that product.
Including an OpenSSL binary within another package does not create
a separate project -- it only creates an obligation to provide the
source
with that product, which is kind of hard because OpenSSL cannot be
distributed by us in the form that is supplied by openssl.org.
That is why we don't distribute OpenSSL.
Once again, this is false. OpenSSL is its own independent project and
we are shipping its libraries. Therefore, we need to do two separate
notifications: one for APR-util and one for OpenSSL. -- justin
APR-util is not shipping OpenSSL. In any case, we would only need
to do separate notifications if we distributed OpenSSL as a stand-alone
product with its own packaging.
....Roy
