I am trying to finish the IP clearance and lookimng at TWILL-28, the crypto audit. I read the guide at http://www.apache.org/dev/crypto.html and I am quite sure what to do.
Twill does not explicitly contain cryptographic code, but - It uses java.util.UUID.randomUUID() to generate random ids. This method uses "a cryptographically strong pseudo random number generator." Since it is part of Java, I assume that is nothing to worry about. - It uses Hadoop, which uses encryption. The only thing twill does here is store delegation tokens on HDFS and read them back. So is there anything to do for this? Do I need to add Twill to the export list at http://www.apache.org/licenses/exports/ ? Do we need to include a crypto notice in our README? It is not clear to me after reading the document. Thanks -Andreas.
