On 8/16/07, Gilles Scokart <[EMAIL PROTECTED]> wrote: > I just found [1], and I was wonderiing if we don't fall under the > definition of ECCN 5D002 for our binary distribution with deps. In > this distribution we include binaries that support https, sft and ssh (and > maybe other via vfs).
If you have any code which directly invokes a dependency which is covered by 5D002, yes, our policy is you must file a notice. APR had to file simply because it can optionally link against OpenSSL. >From the FAQ: --- What are examples of when a crypto item is publicly accessible through ASF servers? The obvious example is including something like an OpenSSL binary within a product distribution from a /dist URL. The less obvious example, is the point at which a subversion repository starts to include code that is specially designed to work with any other 5D002 item, whether that item is ever to be included within a product distribution or not. In other words, a project should send out a notification email just after making the decision to include code that is specially designed to work with crypto APIs but before actually committing such code. No need to worry about surprise JIRA attachments with such code -- only the event of committing the code to the ASF product repository. --- So, sounds like Ivy falls under the latter example. HTH. -- justin --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
