Graham Leggett wrote:
Hi all,

With the notice up at http://www.apache.org/dev/crypto.html, is the ASF
in a position to start publishing binaries containing crypto?

Getting closer.

More specifically, I would like to make the mod_ssl*.rpm binary files
available that to date were built but never published.

From the crypto.html page, the following steps need to be taken:

- Check the Export Control Classification Number (ECCN).

I understand that mod_ssl meets these requirements, is this correct?

Yes.

- Inform users with a crypto notice in the distribution's README and
download pages.

Does placing a README file at the point of download cover this? Does a
new release need to be made with the notice inside the distributed
binary, or can the notice live alongside the binary?

IMHO?  Sure.  Package names themselves can help too (I downloaded crypto?!?
but it was named xxxx-mod_ssl.rpm!!!)

- Notify the U.S. Government of the release.

Can this be done once off for the httpd project as a whole?

Not 'can'.  Really, a must.  They don't want to be inundated with hundreds
of notices of the same thing.  But Roy initially suspected each binary/rev
needed notice, and the rules have changed.  Cliff's clarified this, but we
haven't heard feedback if Roy's satisfied with the conclusion.

What should the notice contain for the "manufacturer", "product
name/model" and "notification" fields specifically for the httpd project?

That's underway.

Must a US based person submit the notice? (I am not US based).

No, however Cliff's policy is that the PMC chairman submits the notice.

- Publish a sources page for future notifications.

Is this URL http://www.apache.org/dist/httpd?

No.  Projects will either piggyback http://www.apache.org/export.html if their
export is very trivial, or create http://{proj}.apache.org/export.html if they
don't want their project details lost in the noise.  Both solutions will be
fine choices.  I keep mentioning export.html - it was decided that there are
other issues beyond crypto that could be issues.

When Roy's updated our notice, and we've decided on how to notify the OpenSSL
component if shipped or dependent (a la your rpm package) then life's golden,
you will see the update at [EMAIL PROTECTED] and will be free to post up the 
binaries.

David Reid proposes a doap-model to collect all this information ASF-wide and
that is in the works, help is always welcomed.

Right at this moment, the apr project is correctly reporting their newly created
dependency on openssl (as of a future apr-util release) so solving that case
study will make the HTTP Server case trivial.

Bill
