On Thu, Sep 1, 2011 at 7:01 PM, Dennis E. Hamilton <dennis.hamil...@acm.org> wrote:
> From <http://www.apache.org/dev/crypto.html> top of page, Overview, second
> paragraph:
>
> "PMCs considering including cryptographic functionality within their products
> or specially designing their products to use other software with
> cryptographic functionality should take the following steps *before* placing
> such code on any ASF server, including commits to subversion" [*emphasis*
> mine]
>
> From <http://incubator.apache.org/guides/mentor.html#crypto-audit>
> "Before the code base is committed into an Apache repository, the
> contribution MUST be checked and any restricted cryptography reported
> appropriately."
>
Yup. We did this in the wrong order. Nothing we can do about that now.

I hope to get to this soon, but probably not until the weekend at earliest. If you (or anyone else) have cycles earlier, feel free to grab this task. I don't mean to be sitting on it if someone else can act sooner.

-Rob

> -----Original Message-----
> From: Robert Burrell Donkin [mailto:robertburrelldon...@gmail.com]
> Sent: Thursday, September 01, 2011 14:01
> To: ooo-dev@incubator.apache.org
> Subject: Re: Request dev help: Info for required crypto export declaration
>
> On Thu, Sep 1, 2011 at 9:35 PM, Dennis E. Hamilton
> <dennis.hamil...@acm.org> wrote:
>> Technically, this was to have been resolved before the code was put up on
>> SVN. We need to audit specifically for this rather quickly, and including
>> the places that Rob also identified (import-export filters and http TLS).
>
> I definitely recommend a full crypto audit but IIRC it's not necessary
> before sending the initial notification.
>
> AIUI (from [1] and [2]) all that's needed is a list of the
> cryptographic libraries used by OOo. If the results of the full audit
> differ then we can just update the details and send an updated
> notification.
>
> Robert
>
> [1] http://www.apache.org/dev/crypto.html#sources
> [2] http://www.apache.org/licenses/exports/