And my personal opinion re the larger historic artefacts: I’d be happy with a history rewrite.
Best
Jan
—

> On 29. Jul 2025, at 16:43, Jan Lehnardt <[email protected]> wrote:
>
>> On 29. Jul 2025, at 16:10, Jan Lehnardt <[email protected]> wrote:
>>
>> Heya Alex,
>>
>> thank you for getting a head-start on this. I do not know
>> the answer to this, but I do remember that in the context
>> of CouchDB’s incubation, we had to document more than
>> we thought was sensible, so the same might happen to us.
>>
>> That said, I have posed the question on the ASF Slack at
>>
>> https://the-asf.slack.com/archives/C4REPMB9S/p1753798144287009
>>
>> and will escalate to the Incubator mailing list if need be.
>>
>> I’ll report back.
>
> Initial responses conclude that we do not need a crypto registration
> or notice as our use is dependent on the browser or Node.js which
> would be directly interacting with crypto software (say openssl).
> Let’s document things as such and if need be have the Incubator
> team escalate to the ASF legal team.
>
> Best
> Jan
> —
>
>> Best
>> Jan
>> —
>>
>>> On 28. Jul 2025, at 14:54, Alex Anderson <[email protected]> wrote:
>>>
>>> I've read https://infra.apache.org/crypto.html, and here are some thoughts.
>>>
>>> In
>>> https://github.com/pouchdb/pouchdb/blob/master/docs/asf.md?plain=1#L249-L255,
>>> Jan notes:
>>>
>>>> PouchDB does not directly include cryptography code, but makes use of
>>>> in-browser TLS. A PouchDB plugin crypto-pouch exists that does
>>>> record-level encryption, but it is currently not part of the PouchDB
>>>> code base. If md5 hashing is considered cryptography, PouchDB, like
>>>> CouchDB, makes use of that, just note that md5 hashing is not used
>>>> for security-relevant operations.
>>>
>>> It definitely looks like the only current use of node's `crypto`
>>> library is for hashing and generating random values:
>>>
>>> ```
>>> $ git grep -Eo 'crypto\.\w+' | cut -d: -f2 | uniq
>>> crypto.createHash
>>> crypto.getRandomValues
>>> ```
>>>
>>> From the guidelines at https://infra.apache.org/crypto.html:
>>>
>>>> Q. Do digest algorithms such as MD5 and SHA1 require notification?
>>>> A. No.
>>>
>>> ---
>>>
>>> However, the guidelines also state:
>>>
>>>> PMCs considering...designing their products to use other software with
>>>> cryptographic functionality, should take the following steps...
>>>
>>> pouchdb-adapter-http is explicitly written to work with HTTPS. Does
>>> this mean it's designed to use other software with cryptographic
>>> functionality? That would seem extreme.
>>>
>>> ---
>>>
>>> https://infra.apache.org/crypto.html mostly talks about shipping
>>> cryptographic source or object code, which pouchdb is not doing.
>>>
>>> However, there are historic examples in the git repo where crypto code
>>> *is* probably included:
>>>
>>> * the selenium standalone .jar (first at
>>>   082c7da0b6b85649f9490ffb855c81c6cd20cf18)
>>> * aes, diffie-hellman, des implementations (first at
>>>   eb7d421640d2ba7d6f36231bb0f434f68a49f8b5)
>>>
>>> Maybe these require reporting?
>>>
>>> An alternative might be to rewrite history to remove third-party
>>> binaries and build artifacts.
>>>
>>> I'm generally against rewriting history, but it would likely reduce
>>> repo size significantly, as well as simplifying audit.
>>>
>>> ---
>>>
>>> Alex
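The two checks Alex describes in the thread, the working-tree grep for `crypto.*` calls and the hunt for crypto-looking files that were ever added to the repository, can be scripted so the audit is repeatable. The following is an added example written for this page, not PouchDB's tooling and not code from the thread. It assumes `git`, `awk` and `mktemp` are available; the sample repository it builds (file names, commit messages, contents) is constructed for the demo and does not reproduce PouchDB's history. It also goes beyond the thread in one way: it reports the *first* commit that added each suspicious path across all branches, which is the "first at <commit>" fact an export-notification write-up needs.

```shell
#!/bin/sh
# Added example (not PouchDB's own tooling): audit a git repository for
#   (1) what the tracked working tree actually calls from Node's `crypto` module, and
#   (2) which cipher/hash-looking files or opaque binaries were ever added on any
#       branch, with the first commit that introduced them.
# Requires git; the sample repository below is constructed for demonstration.

# (1) Deduplicated crypto API calls in the tracked working tree.
# `sort -u` instead of `uniq` so non-adjacent duplicates collapse too.
crypto_api_calls() {
  git -C "$1" grep -hEo 'crypto\.[A-Za-z_][A-Za-z0-9_]*' | sort -u
}

# (2) Paths added anywhere in history whose name hints at cipher/hash code or
# shipped binaries. A filename heuristic only: it yields a short list for a human
# to confirm (e.g. `git show <commit> -- <path>`), not a verdict.
historic_crypto_files() {
  git -C "$1" log --all --reverse --diff-filter=A --name-only --format='commit %H' \
  | awk '
      BEGIN { pat = "(^|[/._-])(aes|des|3des|rc4|rsa|dh|diffie|md5|sha[0-9]*)([/._-]|$)|[.](jar|class|dll|so|wasm)$" }
      /^commit / { c = $2; next }
      NF && tolower($0) ~ pat { if (!seen[$0]++) print c, $0 }'
}

# git wrapper with throwaway identity so commits work in a clean environment.
gitq() {
  _repo=$1; shift
  git -C "$_repo" -c user.name=audit -c user.email=audit@example.invalid -c commit.gpgsign=false "$@"
}

# Constructed sample repository (not PouchDB): a vendored cipher and a jar are
# added in the first commit, the cipher is removed in the second, and the current
# code only hashes and draws random bytes, mirroring the situation in the thread.
make_sample_repo() {
  sample_dir=$(mktemp -d) || return 1
  gitq "$sample_dir" init -q >/dev/null 2>&1 || return 1
  mkdir -p "$sample_dir/vendor" "$sample_dir/src"
  printf 'module.exports = function aes(key, block) { return block; };\n' > "$sample_dir/vendor/aes.js"
  printf 'placeholder standing in for a binary test-driver jar\n' > "$sample_dir/vendor/selenium-server.jar"
  gitq "$sample_dir" add -A
  gitq "$sample_dir" commit -q -m 'vendor aes and selenium jar' || return 1
  gitq "$sample_dir" rm -q vendor/aes.js
  gitq "$sample_dir" commit -q -m 'drop unused aes' || return 1
  printf "var crypto = require('crypto');\nexports.md5 = function (s) { return crypto.createHash('md5').update(s).digest('hex'); };\n" > "$sample_dir/src/hash.js"
  printf "var crypto = require('crypto');\nexports.id = function () { return crypto.getRandomValues(new Uint8Array(16)); };\n" > "$sample_dir/src/uuid.js"
  gitq "$sample_dir" add -A
  gitq "$sample_dir" commit -q -m 'hashing and random ids only' || return 1
  printf '%s\n' "$sample_dir"
}

# Demo run against the constructed repository.
sample=$(make_sample_repo)
echo "== crypto API calls in the tracked working tree"
crypto_api_calls "$sample"
echo "== crypto-looking paths ever added (first commit, path)"
historic_crypto_files "$sample"
rm -rf "$sample"
```

Two practitioner caveats. First, the history scan is what answers the "does the repo contain crypto code" question; a working-tree grep alone misses the vendored AES/DH/DES files and the selenium jar precisely because they were later deleted, so an auditor who only checks `HEAD` reaches the wrong conclusion. Second, rewriting history to drop those paths only changes the new history: existing clones, forks and any published release tarballs still carry the old objects, so a rewrite simplifies future audits but does not retroactively make the old artefacts unshipped.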
