Graham Leggett wrote:
On Mon, July 17, 2006 4:57 pm, William A. Rowe, Jr. wrote:
- Inform users with a crypto notice in the distribution's README and
download pages.
Does placing a README file at the point of download cover this? Does a
new release need to be made with the notice inside the distributed
binary, or can the notice live alongside the binary?
IMHO? Sure. Package names themselves can help too (I downloaded
crypto?!?
but it was named xxxx-mod_ssl.rpm!!!)
Just to understand you correctly, the "sure" was referring to the "placing
a README file" rather than "notice inside the binary"?
Well, letting them know in our official http://httpd.apache.org/dev/export.html
or whatever name is has, plus indicating 'ssl' in the package name, plus a nice
mention on the README of the autoindex should be more than enough.
Some packages, like a Windows .msi, display README guides, and so these should
obviously mention crypto. Some packages don't lend themselves to this, or have
a pkginfo text block that can mention it (but won't necessarily be examined by
the user during installation.) In those cases, the README in the download dir
is perhaps our best chance.
In theory, the "ssl" in mod_ssl-version.rpm" should be a hint that it is
crypto, is this enough?
That's my theory :)
Right at this moment, the apr project is correctly reporting their newly
created
dependency on openssl (as of a future apr-util release) so solving that
case
study will make the HTTP Server case trivial.
I could find no http://www.apache.org/export.html, or
http://apr.apache.org/export.html yet, or am I jumping the gun?
Yup :) I started a thread suggesting the export resource page contents
for the apr project, but I don't think we've committed anything just yet.
Still discussing a few particulars. Cliff is also starting a new page
of Q&A's that already includes alot of his questions to BIS folks and now
alot of the questions that have been raised. When that page is committed
I'll be sure to post a link.
Bill
