On Thu, Mar 20, 2008 at 6:00 AM, Patrice Dumas <pertusus@xxxxxxx> wrote: > On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote: > > On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote: > > > Then we have to register crypto packages somewhere such that the people > > > in charge can do the paperwork, isn't it? Don't we need a guideline > > > here? > > > > I actually need to prep a guideline that has all packages with crypto > > technology block FE-LEGAL (if that's still the alias). We'll use that > > to get an audit of the code to make sure its either not new crypto, or > > if it is, alert the appropriate people for export filings. > > Looks good. > > There are other questions that should be answered, however, in my opinion > (with external sources of information if possible, no need to be fedora > centric). > > What is the criteria for being a crypto technology? It is easy to spot > many packages that are not crypto, but for others it is not very clear > to me. For example at which point a math library becomes a crypto > library? And what about an applicatin that compute hashes? Also does the > registration need to be done each time there is a new release or once > for all? > > Back in 2001, it needed to be done everytime there was an update to the code (eg everytime we patched kerberos openssh and put it out.. a new fax was sent to DoC in Washington and the mirror push had to wait until then.) However I am not sure if we had to do it with coreutils (md5sum).. but I am not sure if patching that ever came up. I was mostly on the "crap remove this from the mirrors, someone pushed too early" end of things. -- Stephen J Smoogen. -- CSIRT/Linux System Administrator How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice" -- Fedora-packaging mailing list Fedora-packaging@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-packaging
