[Fedora-packaging] crypto in fedora

[Stephen John Smoogen]

On Thu, Mar 20, 2008 at 6:00 AM, Patrice Dumas <pertusus at free.fr> wrote:
> On Thu, Mar 20, 2008 at 07:47:41AM -0400, Jesse Keating wrote:
>  > On Thu, 2008-03-20 at 10:23 +0100, Patrice Dumas wrote:
>  > > Then we have to register crypto packages somewhere such that the people
>  > > in charge can do the paperwork, isn't it? Don't we need a guideline
>  > > here?
>  >
>  > I actually need to prep a guideline that has all packages with crypto
>  > technology block FE-LEGAL (if that's still the alias).  We'll use that
>  > to get an audit of the code to make sure its either not new crypto, or
>  > if it is, alert the appropriate people for export filings.
>
>  Looks good.
>
>  There are other questions that should be answered, however, in my opinion
>  (with external sources of information if possible, no need to be fedora
>  centric).
>
>  What is the criteria for being a crypto technology? It is easy to spot
>  many packages that are not crypto, but for others it is not very clear
>  to me. For example at which point a math library becomes a crypto
>  library? And what about an applicatin that compute hashes? Also does the
>  registration need to be done each time there is a new release or once
>  for all?
>
>

Back in 2001, it needed to be done everytime there was an update to
the code (eg everytime we patched kerberos  openssh and put it out.. a
new fax was sent to DoC in Washington and the mirror push had to wait
until then.) However I am not sure if we had to do it with coreutils
(md5sum).. but I am not sure if patching that ever came up. I was
mostly on the "crap remove this from the mirrors, someone pushed too
early" end of things.

-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"