You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by bu...@bugzilla.spamassassin.org on 2008/02/20 20:51:53 UTC
[Bug 5833] New: update ECCN status of SpamAssassin
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
Summary: update ECCN status of SpamAssassin
Product: Spamassassin
Version: SVN Trunk (Latest Devel Version)
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P5
Component: Building & Packaging
AssignedTo: dev@spamassassin.apache.org
ReportedBy: jm@jmason.org
> OK, so it turns out that we have been exporting software that falls under
> 5D002 classification (see http://www.apache.org/licenses/exports/ ,
> http://www.apache.org/dev/crypto.html ) for a while...
>
> - SpamAssassin optionally supports SSL-encrypted communication between
> spamc and spamd (I'd forgotten about this), so links against OpenSSL.
> This is already established to bring a 5D002 classification, going by
> httpd and APR.
>
> - as part of the SSL support, it also links against IO::Socket::SSL
> (http://search.cpan.org/dist/IO-Socket-SSL/), which in turn links
> against Net::SSLeay, which in turn links against OpenSSL. Since
> IO::Socket::SSL is expressly designed as an API to provide SSL
> encryption, I think this also brings 5D002 classification and needs to
> be called out in the BIS notice.
>
> - It also links against Mail::DKIM, which uses Crypt::OpenSSL::RSA to
> perform authentication using crypto but does not expose encryption.
> This appears to be fine.
>
> - We also use gpg, again for authentication (of sa-update packages) and
> not encryption. Again, ok.
>
> This thread discusses the "oops we just noticed" case --
>
http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200710.mbox/ajax/%3cy1u8x6bwpzy.fsf@v30161.1blu.de%3e
> -- so as long as we update soon we're fine, it seems.
I'll be doing the following:
- sending a notification to BIS
- adding text to the NOTICE file for b3_0, 3.1, 3.2 and trunk
- updating http://www.apache.org/licenses/exports/
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5833] update ECCN status of SpamAssassin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
------- Additional Comments From jm@jmason.org 2008-02-20 12:16 -------
sent BIS notice, cc'd to dev list;
NOTICE changes checked in as of r629594 to r629597;
and the change to the website -- licenses/exports/index.xml committed as
revision 629600.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5833] update ECCN status of SpamAssassin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
------- Additional Comments From jm@jmason.org 2008-02-21 01:34 -------
sorry if that was quick; I left the discussion for 24-36 hours, but possibly
should have left it for longer for more comments.
However it's arguable as to what difference that would have made, since we were
already in a state that required that BIS notification, and have been for
several *years* -- we just hadn't realised it. The BIS notification refers to
already-published, existing code as well as the current stuff.
> Just because one of the front-ends (spamc/spamd) to
> SpamAssassin uses SSL, now the whole project is tainted. I wonder if there
> is a way back, splitting out the spamc/spamd, and leaving the rest clean.
unfortunately spamc/spamd is distributed and developed as part of one overall
"package" -- Apache SpamAssassin.
There is indeed a way back -- if we were to split off spamc/spamd, or a new
sslspamc/sslspamd as a separate subproject, with a separate distribution in
future, that'd do it. It's not like a "viral" license. There'd just be a new
table row on http://www.apache.org/licenses/exports/ for that new version and
future versions, with the new status.
Is it necessary/worth it?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5833] update ECCN status of SpamAssassin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
------- Additional Comments From Mark.Martinec@ijs.si 2008-02-20 16:24 -------
> sent BIS notice, cc'd to dev list;
> done
That was kinda quick. Just because one of the front-ends (spamc/spamd) to
SpamAssassin uses SSL, now the whole project is tainted. I wonder if there
is a way back, splitting out the spamc/spamd, and leaving the rest clean.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 5833] update ECCN status of SpamAssassin
Posted by bu...@bugzilla.spamassassin.org.
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5833
jm@jmason.org changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
------- Additional Comments From jm@jmason.org 2008-02-20 12:34 -------
done
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.