commons-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: US Export classification & ECCN registration for encryption in commons?
Date Wed, 04 May 2016 18:41:17 GMT
On 4 May 2016 at 13:35, Stian Soiland-Reyes <stain@apache.org> wrote:
> Hi,
>
> Sorry for spotting this..
>
>
> Apache Commons Crypto is not listed on
> http://www.apache.org/licenses/exports/ - does it need to be?  (One
> would assume so..)
>
> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
> perhaps that also needs to be listed and registered?
>
>
> We only have listed:
>
> Commons Compress
> Commons OpenPGP
>
>
> See guidance on
> http://www.apache.org/dev/crypto.html
>
>
> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
> see if merely using a listed source as a Maven <dependency> means you
> also are classified - or if you would need to also bundle the
> dependency's binary (which I think we don't do).

It does not matter if the dependency is bundled or not.

The page says:

"ASF product distributions that contain or are "specially designed"
to use cryptography."

AFAIK:
Compress contains some decryption
OpenPGP is "specially designed" to use cryptography.

I assume the same is true of Crypto.

But note that the rules changed in 2010; the page has yet to be updated.

>
>
> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
