Suresh, Another issue to resolve is jsr173 jar which is under BEA liscense
Previous discussions suggest that BEA jsr is NOT Apache compatible [1] Geronimo uses jst173 api jars from woodsotx which is Apache compatible. And i suggest we move to that. IMO this is also a blocker and we will fix this. I ve created AIRAVATA-257 for this. [1]http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200604.mbox/%[email protected]%3E [2] http://mail-archives.apache.org/mod_mbox/poi-dev/200902.mbox/%[email protected]%3E On Thu, Dec 29, 2011 at 6:10 PM, Chathura Herath <[email protected]> wrote: > Hi Suresh, > > I am vetting all the jar files an i see that layout-1.0.4.jar is under > LGPL which is NOT Apache compatible. I see no reason why that jar > should be there, the source compiled without the layout-1.0.4.jar so i > am guessing it was put there by a mistake. > > I ve created a blocker for release and will fix this. > > AIRAVATA-256 > > On Wed, Dec 28, 2011 at 1:49 AM, Suresh Marru <[email protected]> wrote: >> Hi Chathura, >> >> I am sorry I am slacking on release more than I expected. I followed the >> export control procedures, and tracked progress on - >> https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but >> my opinion is we are done with required steps for Airavata as per - >> http://www.apache.org/dev/crypto.html and added the dependencies to - >> http://www.apache.org/licenses/exports/ >> >> Suresh >> >> On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote: >> >>> Hi, >>> >>> I am with the Apache Airavata incubator project and i am going through >>> the release checklist and I want some advice on the export control >>> issues related to some security jars. >>> >>> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the >>> distribution. >>> >>> 1) Will US export control w.r.t. cryptographic algorithms will >>> prevent us from shipping criptix jar. I ve pasted the license >>> agreement in [4]. >>> 2) Java jce jar download page explicitly mentions download will be >>> for US and Canada only[4]. Does this mean we will not be able to >>> package it but rather ask the use to manually provide the jar >>> location. >>> 3) If we could simply package them as is, Will there be a special >>> download disclaimer that we need to add. In that case should we avoid >>> mirrors? >>> >>> I researched usage of these jar in the history and i came across >>> (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%[email protected]%3E); >>> though it was not clear whether the focus on export license was >>> resoled explicitly. >>> >>> Although with some work we may be able to continue the release without >>> these jars in the first release, going forward we will have these jar >>> dependencies to interact with Grid Security Infrastructure. Any >>> insight/advice/suggestion is greatly appreciated. >>> >>> Thanks and Happy holidays. >>> >>> -- >>> Chathura Herath Ph.D. >>> https://www.cs.indiana.edu/~cherath/ >>> http://chathurah.blogspot.com/ >>> >>> >>> >>> >>> >>> >>> [1] >>> http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html >>> [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/ >>> >>> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation >>> >>> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in >>> the United States or Canada, you will not be able to download this >>> software. >>> >>> [4]Cryptix General License >>> >>> Copyright (c) 1995-2005 The Cryptix Foundation Limited. >>> All rights reserved. >>> >>> Redistribution and use in source and binary forms, with or without >>> modification, are permitted provided that the following conditions are >>> met: >>> >>> 1. Redistributions of source code must retain the copyright notice, >>> this list of conditions and the following disclaimer. >>> 2. Redistributions in binary form must reproduce the above copyright >>> notice, this list of conditions and the following disclaimer in >>> the documentation and/or other materials provided with the >>> distribution. >>> >>> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND >>> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, >>> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >>> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. >>> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE >>> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR >>> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF >>> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR >>> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, >>> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE >>> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN >>> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. >> >> >> -----BEGIN PGP SIGNATURE----- >> >> iQIcBAEBAgAGBQJO+rvoAAoJEHmz9P1hfdutOBQP/3isr0SvbyX80xWS10zG+RUx >> y8BNMiShGEkJHxdzLNw4ik5QSKshP3symXiPZz1yga1nn428vr+glRsBimd/uXq6 >> 3LgcvixlSODFBCc1degB8YqMTKQUCbWkf2mlSfQeC1apWMi/coUljBuYsGR6gOlj >> o1O6aSdGiieVbqxAgYKrPBU2wRZiIkxthABV/gTZENysYrVu62jWnBBsFpWsINh2 >> +WaGKc9IofEBucp60ENKrtXtBHzX9akytCC+x8VsyoLXMEILq2EA1jvqf5xEh52m >> /pYM2qXkAJDuvIqYaJ0QNMjlWb5PmI4saWj7dBkqgWgjw18sO0Y8Rbn9YFh+Y9C3 >> MNia6cf4q+Xac5DwjorLtjrybOaS8mOAi7+lqAnM5L/kgw0bi+/9Gup8jDe6W78W >> 48FFR6M4d2mRtzhxu+lauuZk50tgDz2nyqkZcTUOpPjzJKK78612MMDXFRW9BKos >> a/eYKVGwfTN1Odq8HV3gQL6tSTNrnVQ40cvumn0iXYJ89evB8KNfGVFSZTxpTa+x >> EMscbrSMvWU7Ai2eyv0fap/bQpUR7uRiwN23+G0HVvSJPaQdsCPNOZ4yxZEAjrkt >> 580dzKvGbsRsqlAX2/bL4OJSdiy/ATBTsWkGGnqGRnzNpW7eHrmMuHAb8O7LXwCI >> 5uM4Ag2ljVxe6NlVXSB+ >> =yREp >> -----END PGP SIGNATURE----- >> > > > > -- > Chathura Herath > http://people.apache.org/~chathura/ > http://chathurah.blogspot.com/ -- Chathura Herath http://people.apache.org/~chathura/ http://chathurah.blogspot.com/
