Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2008/02/20 20:51:53 UTC

[Bug 5833] New: update ECCN status of SpamAssassin

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833

           Summary: update ECCN status of SpamAssassin
           Product: Spamassassin
           Version: SVN Trunk (Latest Devel Version)
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Building & Packaging
        AssignedTo: dev@spamassassin.apache.org
        ReportedBy: jm@jmason.org


> OK, so it turns out that we have been exporting software that falls under
> 5D002 classification (see http://www.apache.org/licenses/exports/ ,
> http://www.apache.org/dev/crypto.html ) for a while...
>
> - SpamAssassin optionally supports SSL-encrypted communication between
>  spamc and spamd (I'd forgotten about this), so links against OpenSSL.
>  This is already established to bring a 5D002 classification, going by
>  httpd and APR.
>
> - as part of the SSL support, it also links against IO::Socket::SSL
>  (http://search.cpan.org/dist/IO-Socket-SSL/), which in turn links
>  against Net::SSLeay, which in turn links against OpenSSL.  Since
>  IO::Socket::SSL is expressly designed as an API to provide SSL
>  encryption, I think this also brings 5D002 classification and needs to
>  be called out in the BIS notice.
>
> - It also links against Mail::DKIM, which uses Crypt::OpenSSL::RSA to
>  perform authentication using crypto but does not expose encryption.
>  This appears to be fine.
>
> - We also use gpg, again for authentication (of sa-update packages) and
>  not encryption.  Again, ok.
>
> This thread discusses the "oops we just noticed" case --
>
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200710.mbox/ajax/%3cy1u8x6bwpzy.fsf@v30161.1blu.de%3e
> -- so as long as we update soon we're fine, it seems.

I'll be doing the following:

- sending a notification to BIS

- adding text to the NOTICE file for b3_0, 3.1, 3.2 and trunk

- updating http://www.apache.org/licenses/exports/



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

[Bug 5833] update ECCN status of SpamAssassin

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833





------- Additional Comments From jm@jmason.org  2008-02-20 12:16 -------
sent BIS notice, cc'd to dev list; 
NOTICE changes checked in as of r629594 to r629597; 
and the change to the website -- licenses/exports/index.xml committed as
revision 629600.




[Bug 5833] update ECCN status of SpamAssassin

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833





------- Additional Comments From jm@jmason.org  2008-02-21 01:34 -------
sorry if that was quick; I left the discussion for 24-36 hours, but possibly
should have left it for longer for more comments.  

However it's arguable as to what difference that would have made, since we were
already in a state that required that BIS notification, and have been for
several *years* -- we just hadn't realised it.  The BIS notification refers to
already-published, existing code as well as the current stuff.

> Just because one of the front-ends (spamc/spamd) to
> SpamAssassin uses SSL, now the whole project is tainted. I wonder if there
> is a way back, splitting out the spamc/spamd, and leaving the rest clean.

unfortunately spamc/spamd is distributed and developed as part of one overall
"package" -- Apache SpamAssassin.  

There is indeed a way back -- if we were to split off spamc/spamd, or a new
sslspamc/sslspamd as a separate subproject, with a separate distribution in
future, that'd do it.  It's not like a "viral" license.  There'd just be a new
table row on http://www.apache.org/licenses/exports/ for that new version and
future versions, with the new status.

Is it necessary/worth it?




[Bug 5833] update ECCN status of SpamAssassin

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833





------- Additional Comments From Mark.Martinec@ijs.si  2008-02-20 16:24 -------
> sent BIS notice, cc'd to dev list; 
> done

That was kinda quick. Just because one of the front-ends (spamc/spamd) to
SpamAssassin uses SSL, now the whole project is tainted. I wonder if there
is a way back, splitting out the spamc/spamd, and leaving the rest clean.




[Bug 5833] update ECCN status of SpamAssassin

Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833


jm@jmason.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From jm@jmason.org  2008-02-20 12:34 -------
done


