On Thu, Mar 20, 2008 at 6:00 AM, Patrice Dumas <pertusus(a)free.fr> wrote:
> On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
> > On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
> > > Then we have to register crypto packages somewhere such that the people
> > > in charge can do the paperwork, isn't it? Don't we need a guideline
> > > here?
> > I actually need to prep a guideline that has all packages with crypto
> > technology block FE-LEGAL (if that's still the alias). We'll use that
> > to get an audit of the code to make sure it's either not new crypto, or
> > if it is, alert the appropriate people for export filings.
> There are other questions that should be answered, however, in my opinion
> (with external sources of information if possible, no need to be fedora
> What are the criteria for being a crypto technology? It is easy to spot
> many packages that are not crypto, but for others it is not very clear
> to me. For example at which point a math library becomes a crypto
> library? And what about an application that computes hashes? Also does the
> registration need to be done each time there is a new release or once
Back in 2001, it needed to be done every time there was an update to
the code (e.g. every time we patched kerberos openssh and put it out.. a
new fax was sent to DoC in Washington and the mirror push had to wait
until then.) However I am not sure if we had to do it with coreutils
(md5sum).. but I am not sure if patching that ever came up. I was
mostly on the "crap remove this from the mirrors, someone pushed too
early" end of things.
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"