On 29 Jul 2010, at 04:55, Norman Barker wrote:
> I work for ITT VIS and we would really like to give this multiview for
> consideration by the community (as well as other patches)*. I have
> passed this to our legal dept and they would like us to follow
> http://www.apache.org/dev/crypto.html, I believe this has already been
> followed since Damien has his name on the XML below as PMC chair.
Have a look at:
http://www.apache.org/licenses/exports/
> Whatever procedure Damien followed should be documented so that other
> US companies can contribute. I believe that all that is sufficient is a
Please see
http://www.apache.org/dev/crypto.html
> paper trail to show that the necessary govt depts have been notified
> about cryptography (in this case SSL) components in the software.
If the entry is there -
http://www.apache.org/licenses/exports/
you can be sure that the PMC followed the right path and that this is under the
normal oversight by the board of the foundation. And the board is to oversee
that PMCs keep doing this right; and PMCs are to ensure their areas are all
doing the right things; and that each release has its t's crossed and i's
dotted.
Or in other words - you have confirmation that the legal entity responsible
(the ASF) has, and is, carrying out the right steps.
Every time a release is rolled - it is the PMC's task to oversee that - and
specifically they are expected to keep an eye on the correctness of the above
corporate records; and bring them up to date if needed.
It is very good practice to alert the Dev community and the PMC when doing
contributions such as this; as the process described on
http://www.apache.org/dev/crypto.html
titled 'Check the Export Control Classification Number (ECCN)' with regard to
qualification under 740.13(e) as ECCN 5D002 is not trivial (though it does cover
a large swath).
And if a project is particularly worried, say because it has a lot of small
moving crypto, you could simply add a step to your release process which says
're-evaluate ECCN qualification if any crypto code was added or changed
relative to prior releases'.
But in this case - the PMC seems to have this well under control and releases
get their i's dotted and t's crossed.
Thanks,
Dw.
*: I am skipping the usual verbiage on CCLA and/or iCLA being on file, etc.