The SSL libraries, code, and jars have been merged into master. Please beat the hell out of it and let me know if anything's broken.
- Charlie On Sat, Apr 28, 2012 at 3:40 PM, Charles Oliver Nutter <head...@headius.com> wrote: > Ok, I did a bit more research on the export restrictions regarding > BouncyCastle. > > According to the BouncyCastle site, BC is: > > "approved classified under ECCN code 5D002 and approved for export > under License Exception TSU." > > License exception TSU ("Technology and Software - unrestricted) > applies to software that is freely available on the internet, either > in "object code" or source form. The relevant legal paragraphs are > here: > > http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=59ee1d5eeb8f1d444ba88927fa1eaaff&rgn=div5&view=text&node=15:2.1.3.4.25&idno=15#15:2.1.3.4.25.0.1.13 > > I originally thought that TSU would mean we would have to notify the > US government that we're shipping BC, pursuant to Section 740.13.e.3, > "Notification requirement", but I had not seen this full document at > that point. Rereading it now, section 740.13.e applies to *source > code*, which we are obviously not shipping for BC. The compiled and > packaged libraries would fall under 740.13.d, "General Software Note: > mass market software". > > So 740.13.d does not have notification requirements, but does make > mention of symmetric-key crypto exceeding 64 bits and additional > restrictions therein. However, it goes on to state that such software > would move from BC's classification of 5D002 which is what BC claims > they're classified under (as of 2007). > > Ultimately we will want a lawyer to look at this, but BC's claimed > classification and export license exemption appear to indicate that we > would not have to license it (at least) and probably not even have to > notify the US government that we're shipping it. > > This does bring up a logistical issue...there are folks who will not > want to touch a JRuby distribution with BC included, so it's likely > that we'll need to provide artifacts that omit BC completely. That > means we'll still ideally want as much as possible to function when BC > is not available. > > At the moment, I believe I have the "builtin" version ready to go and > will merge it to master as a single squashed commit (for ease of > reversion if we decide to back off from this). It passes nearly all > openssl Ruby tests in 1.8 mode, and fails many (but seems to function > properly) in 1.9 mode. > > I'll need help from openssl/crypto folks to clean up as many of the > remaining issues as possible. > > - Charlie > > On Fri, Apr 27, 2012 at 4:50 AM, Charles Oliver Nutter > <head...@headius.com> wrote: >> Ok, we need to discuss this a bit. I think it's time we rolled >> jruby-ossl (OpenSSL) directly into JRuby and maintained it there. >> >> There are many reasons why this will make life easier: >> >> * No requirement to install a gem to get SSL support, which is >> sometimes impossible of only SSL sources are available >> * Ability to use SSL without loading RubyGems. Less of a gain under >> 1.9 mode, which always has RubyGems loaded. >> * Fewer goofy issues and bug reports due to our stubbed-out versions >> not being fully functional and sometimes not properly intercepting SSL >> calls that need the gem. >> >> We originally did not include jruby-ossl in JRuby because we (and Sun, >> at the time) were concerned about us shipping crypto -- the >> BouncyCastle libraries as part of JRuby proper. I've done some >> research on the exportability of BouncyCastle, and all signs >> (including BC's site and the US government's sites on the subject) >> seem to indicate that because BC is open-source and freely available, >> all we need to do is notify the US government of our intention to ship >> it as part of JRuby. So I think it's time we bit the bullet. >> >> I will handle contacting US gov't folks to confirm this, but in the >> meantime I've created the builtin_ssl branch (on github/headius/jruby) >> that folds jruby-ossl code back into JRuby proper. It appears to be >> passing tests. >> >> Thoughts? Concerns? >> >> - Charlie --------------------------------------------------------------------- To unsubscribe from this list, please visit: http://xircles.codehaus.org/manage_email