Thanks! We did a dependency clean-up (but not upgrade) as part of license review. We want to delay some of the upgrades (e.g. to OSGI 5) until after getting the first full command line release out as this is what pulls together everything in its lib/.
(Thus this is also why we need to do the encryption review now). I used mvn dependency:tree -DoutputFile=`pwd`/target/tree.txt -DappendOutput=true to check what dependencies we are using across modules - obviously all the Apache ones are easy to check against http://www.apache.org/licenses/exports/ but it's harder to check if any of the others are classified or not beyond heavy googling - e.g. Jetty is apparantly classified according to https://dev.eclipse.org/mhonarc/lists/jetty-users/msg05898.html I wonder if Apache Whisker folks would have any thoughts on how generating/checking for encryption export dependencies should be simplified - you would think something like a META-INF/EXPORT-RESTRICTED in the dependency JARs would work. (Although some projects put their encryption classification in NOTICE - I understand this is discouraged?) Emma seems a bit abandoned (e.g. no Maven 2 plugin) - I know Commons now use Cobertura and/or JaCoCo - but perhaps those are better to check coverage of your own code rather than the dependencies. On 2 May 2016 at 11:22, Martin Gainty <mgai...@hotmail.com> wrote: > with other apache products to reduce code bloat and reduce deprecated > packages you might want to run > maven dependency:treemvn dependency:tree -Dverbose > https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html > compare delta(s) with > emma code coveragehttp://emma.sourceforge.net/ > as I have some spare cycles let me know if I can be of any assistance > Thanks Stian > Martin > > > >> From: st...@apache.org >> Date: Mon, 2 May 2016 03:23:42 +0100 >> Subject: ECCN cryptography reporting? >> To: general@incubator.apache.org >> >> Hi, >> >> Taverna is preparing its cryptography registration for US Export purposes: >> >> https://cwiki.apache.org/confluence/display/TAVERNADEV/Taverna+Cryptography+review >> >> >> We want to have this sorted before we make the next release candidate >> - but we're awaiting LEGAL-250 to see if we can reduce the list of >> transitive dependencies in this list - it feels excessive if "anything >> that can do https" needs to be listed (that would presumably affect >> many more projects) >> >> >> See also http://www.apache.org/dev/crypto.html and already classified >> ASF products on http://www.apache.org/licenses/exports/ >> >> >> >> Formally - would it need to be the Incubator PMC chair sending the >> ECCN encryption email? >> >> I'll let you know when it's ready to send. >> >> -- >> Stian Soiland-Reyes >> Apache Taverna (incubating), Apache Commons RDF (incubating) >> http://orcid.org/0000-0001-9842-9718 >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org >> For additional commands, e-mail: general-h...@incubator.apache.org >> > -- Stian Soiland-Reyes Apache Taverna (incubating), Apache Commons RDF (incubating) http://orcid.org/0000-0001-9842-9718 --------------------------------------------------------------------- To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org For additional commands, e-mail: general-h...@incubator.apache.org
