Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Roy T. Fielding
On Jun 9, 2006, at 3:56 AM, Colm MacCarthaigh wrote: On Fri, Jun 09, 2006 at 12:29:06PM +0200, Plüm, Rüdiger, VF EITO wrote: -Original Message- From: Joe Orton [ Would only committers count as "participating" in the project for this purpose, do you think? Random people submitti

Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Colm MacCarthaigh
On Fri, Jun 09, 2006 at 12:29:06PM +0200, Plüm, Rüdiger, VF EITO wrote: > > -Original Message- > > From: Joe Orton [ > > > > Would only committers count as "participating" in the project > > for this > > purpose, do you think? Random people submitting patches would not? > > Stupi

Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Plüm, Rüdiger, VF EITO
> -Original Message- > From: Joe Orton [ > > Would only committers count as "participating" in the project > for this > purpose, do you think? Random people submitting patches would not? Stupid question: How can someone who is not allowed to download the sources submit patc

Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Joe Orton
On Thu, Jun 08, 2006 at 02:47:59PM -0700, Roy T. Fielding wrote: > to with a URL. That is no big deal. The big deal is that 5D002 > classification also means that it is illegal for the ASF to knowingly > allow anyone residing in, or a citizen of, the T-8 countries, or anyone > on the "denied pers

Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Plüm, Rüdiger, VF EITO
> -Original Message- > From: Roy T. Fielding > The sane solution would be to convince the US government to remove > encryption from the export control list, since that regulation has > been totally ineffective. That is not likely to happen during this I totally agree, but I fear

Re: restructuring mod_ssl as an overlay

2006-06-09 Thread Plüm, Rüdiger, VF EITO
> -Original Message- > From: Colm MacCarthaigh > > After that, based on your excellent summary, I'm beginning to see the > wisdom of a subproject - despite the overhead, maximising developer > involvement and the potential community size is much more important. Just for my clarifi

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread TOKILEY
> Roy wrote... > > The sane solution would be to convince the US government to remove > encryption from the export control list, since that regulation has > been totally ineffective. That is not likely to happen during this > administration, though, and I don't think the ASF is allowed to > lobby f

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Jim Jagielski
Roy T. Fielding wrote: > > ... The big deal is that 5D002 > classification also means that it is illegal for the ASF to knowingly > allow anyone residing in, or a citizen of, the T-8 countries, or anyone > on the "denied persons list", to even participate in our project, > let alone download packa

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Roy T. Fielding
On Jun 8, 2006, at 3:38 PM, Colm MacCarthaigh wrote: Another option is that we could ask the ASF to formally consider upping roots and changing jurisdiction. I have little doubt over what the answer would be, but I'd prefer that we exhaust all of the alternative options before doing anything w

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Justin Erenkrantz
On 6/8/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: Another option is that we could ask the ASF to formally consider upping roots and changing jurisdiction. I have little doubt over what the answer would be, but I'd prefer that we exhaust all of the alternative options before doing anything w

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Colm MacCarthaigh
On Thu, Jun 08, 2006 at 02:47:59PM -0700, Roy T. Fielding wrote: > If anyone can think of another option, I'd like to hear it before > proposing a vote. Another option is that we could ask the ASF to formally consider upping roots and changing jurisdiction. I have little doubt over what the answe

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Ruediger Pluem
On 06/08/2006 11:47 PM, Roy T. Fielding wrote: > Sorry, I did a poor job of explaining -- the binaries issue is about > openssl. The openssl issue is what required me to read the EAR No reason to say sorry. Thanks for your work on this issue. > The mere presence of mod_ssl source code appears

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Roy T. Fielding
Sorry, I did a poor job of explaining -- the binaries issue is about openssl. The openssl issue is what required me to read the EAR guidelines, but my response is based on what I learned about the EAR in general. The mere presence of mod_ssl source code appears to be sufficient to make the produ

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
^^^ see subject ^^^ There are quite a few reasonable alternative strategies for dealing with that kind of scenario. Does the ASF have such a policy as a matter of course, regardless of the severity of such an action? really sort of off topic; yes the mechanisms to handle this have existed sin

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Ruediger Pluem
On 06/08/2006 07:13 PM, William A. Rowe, Jr. wrote: > > I will say this; the people who are wildly waving their arms "no more > binaries" are the same people who, surprise, haven't contributed binaries > to httpd, at least not lately (little surprise). This is true, but I do not think that peo

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Colm MacCarthaigh
On Thu, Jun 08, 2006 at 11:07:51AM -0700, Justin Erenkrantz wrote: > On 6/8/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: > >There are quite a few reasonable alternative strategies for dealing with > >that kind of scenario. Does the ASF have such a policy as a matter of > >course, regardless of

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Justin Erenkrantz
On 6/8/06, Joe Orton <[EMAIL PROTECTED]> wrote: Thanks for doing the research, Roy. Ditto. On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > Okay, let me put it in a different way. The alternatives are > > 1) retain the status quo, forbid distributing ssl binaries, and > in

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Justin Erenkrantz
On 6/8/06, Colm MacCarthaigh <[EMAIL PROTECTED]> wrote: There are quite a few reasonable alternative strategies for dealing with that kind of scenario. Does the ASF have such a policy as a matter of course, regardless of the severity of such an action? As that hasn't happened yet, there is no s

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Colm MacCarthaigh
On Thu, Jun 08, 2006 at 12:16:02PM -0500, William A. Rowe, Jr. wrote: > Colm MacCarthaigh wrote: > > > >Suffice it to say that even a cursory glance at a patents register > >would likely reveal many ludicrous patents which httpd may infringe. > > Yup; if the claimant to any such -legitimate- paten

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
Colm MacCarthaigh wrote: Suffice it to say that even a cursory glance at a patents register would likely reveal many ludicrous patents which httpd may infringe. Yup; if the claimant to any such -legitimate- patent comes knocking, it *will* be removed from svn and the project, in case you had a

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
Jeff Trawick wrote: Just curious: does anybody in that boat actually think that anything we httpd-ers could do with packaging httpd (binaries, SSL,etc.) would conceivably compete with what our employers are providing? (I find that preposterous personally) rofl - no. I will say this; the peop

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Colm MacCarthaigh
On Thu, Jun 08, 2006 at 12:01:16PM -0500, William A. Rowe, Jr. wrote: > Colm MacCarthaigh wrote: > >What's next, do we start stripping patented methods from our tarball > >and making that available too? > > Uhm which patent *encumbered* methods? If I were to identify any or perform a patent

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
Colm MacCarthaigh wrote: What's next, do we start stripping patented methods from our tarball and making that available too? Uhm which patent *encumbered* methods?

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Jeff Trawick
On 6/8/06, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote: Plüm wrote: > >>From: Joe Orton >>I don't see why it's necessary for the ASF to be in >>the business of distributing binaries; letting other people assume the >>technical and legal responsibilities for doing that seems reasonable. Ahhh, th

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Plüm, Rüdiger, VF EITO
> -Original Message- > From: Colm MacCarthaigh > > > On Thu, Jun 08, 2006 at 08:16:48AM -0500, William A. Rowe, Jr. wrote: > > The group of people who concern me are not those in T-8, > they are those who > > live in jurisdictions where *they* would be breaking local > law by p

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Colm MacCarthaigh
On Thu, Jun 08, 2006 at 08:16:48AM -0500, William A. Rowe, Jr. wrote: > The group of people who concern me are not those in T-8, they are those who > live in jurisdictions where *they* would be breaking local law by possessing > crypto. Leave them a) in the backwaters / b) in fear / c) in violatio

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
Joe Orton wrote: If you think there is some group of users who want to be able to download the "crypto"-enabled httpd tarballs in $BANNEDCOUNTRY but refuse to do so because they don't want to violate US export regulations, then maybe that should be addressed separately. The group of peopl

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Joe Orton
On Thu, Jun 08, 2006 at 07:00:29AM -0500, William Rowe wrote: > Plüm wrote: > >>From: Joe Orton > >>On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > >>>Okay, let me put it in a different way. The alternatives are > >>> > >>>1) retain the status quo, forbid distributing ssl binarie

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Jim Jagielski
On Jun 7, 2006, at 4:03 PM, Roy T. Fielding wrote: Given those constraints, I would prefer to separate the httpd releases into a non-crypto package and a crypto overlay, similar to what most of the packaging redistributors do (fink, apt, etc.). Is the concern that we bundle mod_ssl with htt

Re: AW: restructuring mod_ssl as an overlay

2006-06-08 Thread William A. Rowe, Jr.
Plüm wrote: From: Joe Orton On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: Okay, let me put it in a different way. The alternatives are 1) retain the status quo, forbid distributing ssl binaries, and include in our documentation that people in banned countries ar

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Mads Toftum
On Thu, Jun 08, 2006 at 11:01:12AM +0100, Joe Orton wrote: > On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > > Okay, let me put it in a different way. The alternatives are > > > > 1) retain the status quo, forbid distributing ssl binaries, and > > include in our documentation

AW: restructuring mod_ssl as an overlay

2006-06-08 Thread Plüm, Rüdiger, VF EITO
> -Original Message- > From: Joe Orton [ > > Thanks for doing the research, Roy. Yep, thanks from me too. > > On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > > Okay, let me put it in a different way. The alternatives are > > > > 1) retain the status quo, fo

Re: restructuring mod_ssl as an overlay

2006-06-08 Thread Joe Orton
Thanks for doing the research, Roy. On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > Okay, let me put it in a different way. The alternatives are > > 1) retain the status quo, forbid distributing ssl binaries, and > include in our documentation that people in banned countries

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 06:58:27PM -0700, Roy T. Fielding wrote: > "We" is anyone representing the ASF. How (or who) would determine > that is anyone's guess. eek. Who is burdened with that liability? I'm guessing it's the ASF as a body corporate and possibly its directors personally. If that's

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 2:35 PM, Ruediger Pluem wrote: On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote: There's another gray point, without OpenSSL, mod_ssl is a noop, that is, it does no crypto. There is more crypto in mod_auth_digest, util_md5 or in apr-util than there is in mod_ssl. I th

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 4:02 PM, Roy T. Fielding wrote: One weird thing about the ECCNs is that there is no classification number for "not controlled". *shrug* It seems that "EAR 99" is the catch-all name for things that might be controlled but are not specifically classified already. Roy

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 4:53 PM, Colm MacCarthaigh wrote: On Wed, Jun 07, 2006 at 04:32:40PM -0700, Roy T. Fielding wrote: We also cannot go to one of those countries and agitate for people to download a copy of httpd and run their own web server Who's "we"? Members of the ASF? Members of the PMC?

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 04:32:40PM -0700, Roy T. Fielding wrote: > We also cannot go to one of those countries and agitate for people > to download a copy of httpd and run their own web server Who's "we"? Members of the ASF? Members of the PMC? committers? developers? I'd like to know. My "Apache

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 3:02 PM, Colm MacCarthaigh wrote: On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote: Here's the page that I've put together right now: http://apache.org/dev/crypto.html. Unfortunately, it needs a little more detail. Thank you very much, that's already answered

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 04:02:01PM -0700, Roy T. Fielding wrote: > we would have to provide our own copy of the distribution or include > the source code directly in our product, just to comply with EAR. > My preference is to not distribute OpenSSL. +1 -- Colm MacCárthaigh

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 1:39 PM, William A. Rowe, Jr. wrote: On the T-8 prohibited countries list, note it is a crime to export technologies to them (it's hard for the US to define a crime to obtain said technologies in a foreign jurisdiction - let's not get into that debate). However, as a 'pub

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread William A. Rowe, Jr.
So, I'm wondering how effective a liability shield it is for a US-based corporation to export such content via non-US-based distributors. It seems odd that this would work legally, but that SPI/Debian did it for so long sparks my interest; maybe there is a path through. I have no idea what the D

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread William A. Rowe, Jr.
Colm MacCarthaigh wrote: On Wed, Jun 07, 2006 at 03:53:51PM -0500, William A. Rowe, Jr. wrote: Before we take -any- action, we need to have one policy across the ASF. *shrug*, this is [EMAIL PROTECTED], so I'm going to stick to httpd specifically for now, and that can feed in or not to any p

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 02:51:12PM -0700, Cliff Schmidt wrote: > Here's the page that I've put together right now: > http://apache.org/dev/crypto.html. Unfortunately, it needs a little > more detail. Thank you very much, that's already answered a few of my questions and given me some good pointe

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread karl 'the_angry_angel' southern
Ruediger Pluem wrote: > A completely different question: Does anybody know how mozilla.org handles > these kind > of problems with firefox? > They appear to have a brief overview of their trials and tribulations on the subject here: http://www.mozilla.org/crypto-faq.html

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Ruediger Pluem
On 06/07/2006 10:53 PM, William A. Rowe, Jr. wrote: > > There's another gray point, without OpenSSL, mod_ssl is a noop, that is, > it does no crypto. There is more crypto in mod_auth_digest, util_md5 or > in apr-util than there is in mod_ssl. I think this is an excellent point regarding the s

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 02:03:33PM -0700, Roy T. Fielding wrote: > The point is that they may want to download a web server which doesn't > have that problem, and right now they are limited to 1.3.x. I consider > Web servers to be something we would want people in those countries > to be able to d

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread William A. Rowe, Jr.
Roy T. Fielding wrote: Okay, let me put it in a different way. The alternatives are 1) retain the status quo, forbid distributing ssl binaries, and include in our documentation that people in banned countries are not allowed to download httpd 2.x. Actually - I'm still looking for

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 03:53:51PM -0500, William A. Rowe, Jr. wrote: > Before we take -any- action, we need to have one policy across the ASF. *shrug*, this is [EMAIL PROTECTED], so I'm going to stick to httpd specifically for now, and that can feed in or not to any policy the ASF desires to late

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Ruediger Pluem
On 06/07/2006 10:03 PM, Roy T. Fielding wrote: > After quite a bit of delving into the US export requirements for > encryption-related software, I have found that we are able to > distribute 100% open source packages with identifiable source code > to anyone not in the banned set of countries. H

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
On Jun 7, 2006, at 1:30 PM, Colm MacCarthaigh wrote: e) people who are in the banned set of countries and people in countries that forbid encryption cannot legally download the current httpd-2 packages because they include mod_ssl even when it won't be used. I don't see how this can

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread William A. Rowe, Jr.
Colm MacCarthaigh wrote: I think the best way to accomplish that is to separate mod_ssl into a subproject that is capable of producing overlay releases for each release of httpd. yuck! -1 Before we take -any- action, we need to have one policy across the ASF. Our research hopefully contrib

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread William A. Rowe, Jr.
Roy T. Fielding wrote: Thoughts? Anyone have any better ideas? +1 to an overlay; I know you have - but for the rest of the participants, also consider that it is 'illegal' to have crypto in some jurisdictions (and actually if you are traveling to some jurisdictions it's best to leave your ssl en

Re: restructuring mod_ssl as an overlay

2006-06-07 Thread Colm MacCarthaigh
On Wed, Jun 07, 2006 at 01:03:48PM -0700, Roy T. Fielding wrote: > c) each redistributor (re-exporter) of our packages must do the same > [I am unsure if that means every mirror is supposed to file as > well, but for now I am guessing that they don't]; They don't :) > e) people who are in

restructuring mod_ssl as an overlay

2006-06-07 Thread Roy T. Fielding
After quite a bit of delving into the US export requirements for encryption-related software, I have found that we are able to distribute 100% open source packages with identifiable source code to anyone not in the banned set of countries. However, a) we have to file export notices prior to ea