I've seen my name mentioned a lot in this thread...hopefully the "Crypto FAQ" that I just sent to this list will answer most of the questions referred to me in this thread. If not, I'll try to get to the others.
BTW, I think David Reid's projects RDF idea is a great one. I'll try to follow up on his legal-discuss thread tomorrow.

Cliff

On 7/4/06, Justin Erenkrantz <[EMAIL PROTECTED]> wrote:
On 7/4/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
> That's my question... Cliff? Is OpenSSL, in the context of being one component
> of the APR-util "product", or the Apache HTTP Server "product", its own,
> independent "product" that apr or httpd pmc's should be notifying the BIS of
> on its own?

I'm going to jump in here just to ensure that the rationale for my current viewpoint is clear and - hopefully - can either be confirmed or debunked.

My interpretation from Cliff is that OpenSSL is its own product and that we have to perform notification for it since our product (be it APR or HTTP Server) uses this other product that has crypto functionalities. We can include the BIS notice for OpenSSL in the one email we send along with our notification.

Likewise, the issue, as I understood it, was that *all* downstream APR developers (Subversion, log4j, etc.) will now have to notify BIS about their own products whenever they release as they now have a dependency upon BIS-notifiable code. Hence, they have to notify BIS about their own projects and APR-util and OpenSSL now too. Yikes.

Of course, Cliff can (should!) reply too - but that's the impression I got from him when talking about this during ApacheCon. This is why I mentioned in my earlier email that we'll need to notify regarding OpenSSL too and why our downstream devs will have to do likewise.

I'd *really* love to be wrong on this - so that we don't have to notify for OpenSSL and that other projects don't have to notify for APR too; but Cliff seemed pretty clear on this. *shrug*

-- justin