[ 
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15620677#comment-15620677
 ] 

Stian Soiland-Reyes commented on JENA-1169:
-------------------------------------------

I think it's just in README as it's good guidance for downstream - strangely 
we have no legal requirement to inform our downstream users that the item 
contains cryptography functionality at all. So it should not go in NOTICE 
(which is legally required to be propagated).  Also NOTICE is hard to modify - 
but it's often easy to remove the crypto functionality or item.


BTW - here's the step-by-step [Taverna Crypto 
review|https://cwiki.apache.org/confluence/display/TAVERNADEV/Taverna+Cryptography+review]

I agree Taverna Language was a bit uncertain as it does not have code that is 
designed to work with encryption functionality (just with encryption items) - 
it is listed because it makes a shaded JAR that includes encryption items:

> The shaded JAR of taverna-tavlang-tool include Apache HttpComponents Core and 
> Client (ECCN classified on https://www.apache.org/licenses/exports/), which 
> can initiate encrypted https:// connections using Java Secure Socket 
> Extension (JSSE).

Although we didn't at the time put that in dist.apache.org, we might do so in 
the future without having to send another registration email. And as users 
building it would get that JAR I thought it would be good to let them know in 
the README. 


Jena has just a single git repository, so that would be the one that would be 
reported - but as far as I can tell it doesn't include any code designed to work 
with encryption functionality (just code using dependencies that happen to be 
encryption items) except perhaps Fuseki's integration with Shiro, which I am 
not sure but could be configured to use encryption for authentication?

Agree on the way Andy suggests README updates, so no need to honour my pull 
request change of the top-level README.

> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed that
> http://www.apache.org/licenses/exports/
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary 
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from 
> having a <dependency> on such a classified item.
> Would we therefore also need to declare Jena as classified? Or is the 
> transitivity broken because Jena only uses the encryption (e.g. access 
> https:// JSON-LD contexts)? 
> (This transitivity thing could mean anyone in the US distributing software 
> using Jena would be US Export regulated. I hope I am wrong.. worth checking 
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle 
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%3c4e3ff7e8.1060...@epimorphics.com%3E
> h2. Draft eccnmatrix.xml additions
> To be added to 
> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
> and then published to http://www.apache.org/licenses/exports/
> See http://www.apache.org/dev/crypto.html#sources
> {code:xml}
>  <Project id="jena" href="http://jena.apache.org">
>   <Name>Apache Jena</Name>
>   <Contact><Name>Andy Seaborne</Name></Contact>
>   <Product>
>     <Name>Apache Jena</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>2.7.0-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents Client</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
>   <Product>
>     <Name>Apache Jena Fuseki</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>0.2.1-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, 
> Jetty</Why>
>       </ControlledSource>
>       <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://www.apache.org/dist/lucene/solr/">
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with the Apache Tika API in the 
> contrib/extraction libraries</Why>
>       </ControlledSource>
>       <ControlledSource href="http://eclipse.org/jetty";>
>         <Manufacturer>The Eclipse Foundation</Manufacturer>
>         <Why>SSL library for Jetty</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
> </Project>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
