Hi Chathura, I am sorry I am slacking on release more than I expected. I followed the export control procedures, and tracked progress on - https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but my opinion is we are done with required steps for Airavata as per - http://www.apache.org/dev/crypto.html and added the dependencies to - http://www.apache.org/licenses/exports/
Suresh On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote: > Hi, > > I am with the Apache Airavata incubator project and i am going through > the release checklist and I want some advice on the export control > issues related to some security jars. > > We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution. > > 1) Will US export control w.r.t. cryptographic algorithms will > prevent us from shipping criptix jar. I ve pasted the license > agreement in [4]. > 2) Java jce jar download page explicitly mentions download will be > for US and Canada only[4]. Does this mean we will not be able to > package it but rather ask the use to manually provide the jar > location. > 3) If we could simply package them as is, Will there be a special > download disclaimer that we need to add. In that case should we avoid > mirrors? > > I researched usage of these jar in the history and i came across > (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%[email protected]%3E); > though it was not clear whether the focus on export license was > resoled explicitly. > > Although with some work we may be able to continue the release without > these jars in the first release, going forward we will have these jar > dependencies to interact with Grid Security Infrastructure. Any > insight/advice/suggestion is greatly appreciated. > > Thanks and Happy holidays. > > -- > Chathura Herath Ph.D. > https://www.cs.indiana.edu/~cherath/ > http://chathurah.blogspot.com/ > > > > > > > [1] > http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html > [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/ > > [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation > > RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in > the United States or Canada, you will not be able to download this > software. > > [4]Cryptix General License > > Copyright (c) 1995-2005 The Cryptix Foundation Limited. > All rights reserved. > > Redistribution and use in source and binary forms, with or without > modification, are permitted provided that the following conditions are > met: > > 1. Redistributions of source code must retain the copyright notice, > this list of conditions and the following disclaimer. > 2. Redistributions in binary form must reproduce the above copyright > notice, this list of conditions and the following disclaimer in > the documentation and/or other materials provided with the > distribution. > > THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND > CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, > INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF > MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. > IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE > LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR > BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, > WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE > OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN > IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
signature.asc
Description: Message signed with OpenPGP using GPGMail
