Damien,

Looks like legal-discuss is suggesting that we fill out the notices [1]. The instructions [2] don't appear overly complicated but it does appear that you're the only one with the proper authority to make the updates to different web pages.

Paul

[1] http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200908.mbox/%[email protected]%3e
[2] http://www.apache.org/dev/crypto.html

On Tue, Aug 18, 2009 at 1:49 PM, Damien Katz<[email protected]> wrote:
>
> On Aug 17, 2009, at 10:16 PM, Curt Arnold wrote:
>
>>
>> On Aug 17, 2009, at 6:45 PM, Damien Katz wrote:
>>
>>> I don't think it's necessary as we aren't encrypting anything. We do use
>>> the crypto library, but only for generating random UUIDs.
>>>
>>> -Damien
>>>
>>
>> Probably should have used "suspect" or "concerned" or something more
>> speculative. Noticing that CouchDB would not start on an Erlang runtime
>> without openssl was a bit jarring. OAuth would also seem to have a
>> significant likelihood of incorporating encryption. Those two facts seemed
>> to warrant a message.
>>
>> The whole export license stuff is a quagmire that I've taken pains to
>> avoid. Definitely think that you should check with legal-discuss if you
>> have any questions.
>>
>> erlang_oauth has a module named oauth_rsa_sha1 which makes me suspect that
>> it would need an export declaration.
>>
>> The following code snippet from couch_http_oauth.erl
>>
>> consumer_lookup(Key, MethodStr) ->
>>     SignatureMethod = case MethodStr of
>>         "PLAINTEXT" -> plaintext;
>>         "HMAC-SHA1" -> hmac_sha1;
>>         %"RSA-SHA1" -> rsa_sha1;
>>         _Else -> undefined
>>
>> appears to be aware of a specific encryption method.
>>
>>
>> I also ran into this little snippet in couch_util.erl:
>>
>> %%% Purpose : Base 64 encoding and decoding.
>> %%% Copied from ssl_base_64 to avoid using the
>> %%% erlang ssl library
>>
>> If there is a required dependency on ssl elsewhere, the duplicated code
>> probably should be eliminated. Also, the "license notice" doesn't give me
>> much confidence.
>>
>>
>> FYI: Encryption notice for Erlang ssl:
>> http://erlang.org/doc/apps/ssl/index.html
>>
>> My wild guess is that the previous CouchDB releases did not need an export
>> or cryptography notice if all they did was use the random number generator
>> from the SSL module. erlang_oauth and couch_http_oauth seem to be aware
>> of cryptographic methods which by my reading means that they require some
>> action, but exactly what I'm uncertain.
>
> I disagree. We don't encrypt anything and as far as I know neither does any
> of the Auth stuff, which just uses cryptographic strength hashes, not
> encryption itself.
>
> -Damien
>
>
