On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton <[email protected]> wrote:
> Technically, this was to have been resolved before the code was put up on
> SVN. We need to audit specifically for this rather quickly, and including
> the places that Rob also identified (import-export filters and http TLS).

I definitely recommend a full crypto audit but IIRC it's not necessary before sending the initial notification. AIUI (from [1] and [2]) all that's needed is a list of the cryptographic libraries used by OOo. If the results of the full audit differ then we can just update the details and send an updated notification.

Robert

[1] http://www.apache.org/dev/crypto.html#sources
[2] http://www.apache.org/licenses/exports/
