On 10/24/06, Cliff Schmidt <[EMAIL PROTECTED]> wrote:
On 10/17/06, Garrett Rooney <[EMAIL PROTECTED]> wrote: > Cliff, I'm looking at setting up the crypto notification stuff for > APR, and I was wondering if my rdf file was correct. Keep in mind > that APR makes use of OpenSSL, but only in 1.3.0, which hasn't yet > been released. And just to be extra clear (if the doc I wrote isn't clear enough), it is only required to mention OpenSSL if you are actually distributing some part of that crypto. If you are just linking to it when it is on the user's system or something like that, you only mention APR as being crypto (since it is specially designed to use other controlled cryptography). So, if when you say "makes use of OpenSSL" above, you only mean links but doesn't include, then you don't need the <CryptoSrc/> element for it, just for the code that uses it.
Well, at the moment we don't have anything that actually ships OpenSSL binaries, but that's more a function of the fact that we don't have any released version of the code that uses it. I expect that when we do ship 1.3.x someone will build win32 binaries and will probably want to ship OpenSSL DLLs with them.
> I'm not clear if my link to the OpenSSL sources > directory is correct, since it's not linking to a specific tarball > like the bouncy castle links do for James, and I'm not sure if I Whether you link directly to the right source or specify the version number somewhere and link to a higher level page, there should be some way that a BIS admin/enforcement person can look at the information and find the source for all crypto that we are distributing. So, in this case, I'm not sure why you wouldn't want to link directly to the source.
Well, primarily because I don't want to have to update the link every time someone ships a build that bundles a new patch release of OpenSSL. If there's no way around that, fine, but it would be more convenient to be able to just point to their source directory.
> should be linking to the apr/apr-util directory in our svn tree, or if > I should just link to the top level apr directory on the off chance > that the crypto code migrates into APR itself at some point. If the project considers "APR itself" to be a separate product, you'd need to send out a separate email anyway, once that product is being distributed with crypto. The unit of concern for notification is the product that an organization distributes, not a piece of code that could end up in multiple products. So, given that, I think you should keep it to the top level of whatever you consider the product to be and label the name attribute of the Product element appropriately.
Ok, then I suppose that would be the APR-Util top level dir in svn. Thanks, -garrett
