Dirk-Willem and Chris, thanks for your help on this, I have passed this through our legal dept and I am good to add the code to github.
The code will be going up by the w/end, I am going to add a few installation instructions. Norman On Thu, Jul 29, 2010 at 5:10 AM, Dirk-Willem van Gulik <[email protected]> wrote: > > On 29 Jul 2010, at 04:55, Norman Barker wrote: > >> I work for ITT VIS and we would really like to give this multiview for >> consideration by the community (as well as other patches)*. I have >> passed this to our legal dept and they would like us to follow >> http://www.apache.org/dev/crypto.html, I believe this has already been >> followed since Damien has his name on the XML below as PMC chair. > > Have a look at: > > http://www.apache.org/licenses/exports/ > >> Whatever procedure Damien followed should be documented so that other >> US companies can contribute. I believe that all is sufficient is a > > Please see > http://www.apache.org/dev/crypto.html > >> paper trail to show that the necessary govt depts have been notified >> about cryptography (in this case SSL) components in the software. > > If the entry is there - > > http://www.apache.org/licenses/exports/ > > you can be sure that the PMC followed the right path and that this is under > the normal oversight by the board of the foundation. And the board is to > oversee that PMCs keep doing this right; and PMCs are to ensure their area's > are all doing the right things; and that each release has its t's crossed and > i's dotted. > > Or in other words - you have confirmation that the legal entity responsible > (the ASF) has, and is, carrying out the right steps. > > Every time a release is rolled - it is the PMCs tasks to oversee that - and > specifically they are expected to keep an eye on the correctness of above > corporate records; and bring them up to date if needed. > > It is very good practice to alert the Dev community and the PMC when doing > contributions such as this; as the process described on > > http://www.apache.org/dev/crypto.html > > titled 'Check the Export Control Classification Number (ECCN)' with regard to > qualification under 740.13(e) as ECCN 5D002 is not trivial (though it does > over a large swath). > > And if a project is particularly worried, say because it has a lot of small > moving crypto, you could simply add a step to your release process which says > 're-evaluate ECCN qualification if any crypto code was added or changed > relative to prior releases'. > > But in this case - the PMC seems to have this well under control and releases > get their i's dotted and t's crossed. > > Thanks, > > Dw. > > *: I am skipping the usual verbiage on CCLA and/or iCLA being on file, etc. > >
