incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Justin Erenkrantz" <>
Subject Re: Do we meet the definition of ECCN 5D002 ?
Date Thu, 16 Aug 2007 21:19:49 GMT
On 8/16/07, Gilles Scokart <> wrote:
> I just found [1], and I was wonderiing if we don't fall under the
> definition of ECCN 5D002 for our binary distribution with deps.  In
> this distribution we include binaries that support https, sft and ssh (and
> maybe other via vfs).

If you have any code which directly invokes a dependency which is
covered by 5D002, yes, our policy is you must file a notice.  APR had
to file simply because it can optionally link against OpenSSL.

>From the FAQ:
What are examples of when a crypto item is publicly accessible through
ASF servers?

The obvious example is including something like an OpenSSL binary
within a product distribution from a /dist URL. The less obvious
example, is the point at which a subversion repository starts to
include code that is specially designed to work with any other 5D002
item, whether that item is ever to be included within a product
distribution or not. In other words, a project should send out a
notification email just after making the decision to include code that
is specially designed to work with crypto APIs but before actually
committing such code. No need to worry about surprise JIRA attachments
with such code -- only the event of committing the code to the ASF
product repository.

So, sounds like Ivy falls under the latter example.

HTH.  -- justin

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message