>From <http://www.apache.org/dev/crypto.html> top of page, Overview, second >paragraph:
"PMCs considering including cryptographic functionality within their products or specially designing their products to use other software with cryptographic functionality should take the following steps *before* placing such code on any ASF server, including commits to subversion" [*emphasis* mine] >From <http://incubator.apache.org/guides/mentor.html#crypto-audit> "Before the code base is committed into an Apache repository, the contribution MUST be checked and any restricted cryptography reported appropriately." -----Original Message----- From: Robert Burrell Donkin [mailto:robertburrelldon...@gmail.com] Sent: Thursday, September 01, 2011 14:01 To: ooo-dev@incubator.apache.org Subject: Re: Request dev help: Info for required crypto export declaration On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote: > Technically, this was to have been resolved before the code was put up on > SVN. We need to audit specifically for this rather quickly, and including > the places that Rob also identified (import-export filters and http TLS). I definitely recommend a full crypto audit but IIRC it's not necessary before sending the initial notification. AIUI (from [1] and [2]) all that's needed is a list of the cryptographic libraries used by OOo. If the results of the full audit differ then we can just update the details and send an updated notification. Robert [1] http://www.apache.org/dev/crypto.html#sources [2] http://www.apache.org/licenses/exports/
