Hi Garrett,

Sorry for the slow reply -- been on the road a lot since ApacheCon,
but I'm home now and catching up!

On 10/17/06, Garrett Rooney <[EMAIL PROTECTED]> wrote:
> Cliff, I'm looking at setting up the crypto notification stuff for
> APR, and I was wondering if my rdf file was correct.  Keep in mind
> that APR makes use of OpenSSL, but only in 1.3.0, which hasn't yet
> been released.

And just to be extra clear (if the doc I wrote isn't clear enough), it
is only required to mention OpenSSL if you are actually distributing
some part of that crypto.  If you are just linking to it when it is on
the user's system or something like that, you only mention APR as
being crypto (since it is specially designed to use other controlled
cryptography).  So, if when you say "makes use of OpenSSL" above, you
only mean it links to but doesn't include it, then you don't need the
<CryptoSrc/> element for it, just for the code that uses it.

> I'm not clear if my link to the OpenSSL sources
> directory is correct, since it's not linking to a specific tarball
> like the bouncy castle links do for James, and I'm not sure if I

Whether you link directly to the right source or specify the version
number somewhere and link to a higher level page, there should be some
way that a BIS admin/enforcement person can look at the information
and find the source for all crypto that we are distributing.  So, in
this case, I'm not sure why you wouldn't want to link directly to the
source.

> should be linking to the apr/apr-util directory in our svn tree, or if
> I should just link to the top level apr directory on the off chance
> that the crypto code migrates into APR itself at some point.

If the project considers "APR itself" to be a separate product, you'd
need to send out a separate email anyway, once that product is being
distributed with crypto.  The unit of concern for notification is the
product that an organization distributes, not a piece of code that
could end up in multiple products.  So, given that, I think you should
keep it to the top level of whatever you consider the product to be
and label the name attribute of the Product element appropriately.

Cliff


<?xml version="1.0"?>
<rdf:RDF xml:lang="en"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
<!--
  =======================================================================

   Copyright (c) 2006 The Apache Software Foundation.
   All rights reserved.

  =======================================================================
-->
  <BISData>
    <Contact>
      <Project rdf:resource="http://apr.apache.org">
        Apache Portable Runtime
      </Project>
      <Name>Garrett Rooney</Name>
    </Contact>
    <Product name="Apache Portable Runtime">
      <Distribution versions="development">
        <CryptoSrc manufacturer="The Apache Software Foundation"
                   rdf:resource="http://svn.apache.org/repos/asf/apr/apr-util"/>
        <CryptoSrc manufacturer="OpenSSL"
                   rdf:resource="http://www.openssl.org/source/"/>
      </Distribution>
      <Distribution versions="v1.3.0-TO-latest">
        <CryptoSrc manufacturer="The Apache Software Foundation"
                   rdf:resource="http://archive.apache.org/dist/apr/"/>
        <CryptoSrc manufacturer="OpenSSL"
                   rdf:resource="http://www.openssl.org/source/"/>
      </Distribution>
    </Product>
  </BISData>
</rdf:RDF>
