forrest-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Crossley <cross...@apache.org>
Subject Re: export classification, ECCN, handling cryptography, etc.
Date Wed, 05 Mar 2008 02:24:20 GMT
David Crossley wrote:
> David Crossley wrote:
> > David Crossley wrote:
> > > 
> > > ---------------------
> > > Affected code
> > > -------------
> > > I have found our use of "jsch" (see below). Please help
> > > to find what other affected products that we use.
> > 
> > I have spent a lot of time on this. I now gather that
> > it is not just if a product uses cryptographic features.
> > 
> > Rather we need to declare a product that uses or is designed
> > to use cryptography for the purpose of information security.
> > 
> > We have a number of supporting products that use it for
> > authentication. We don't need to declare those.
> >
> > So far i have found:
> > 
> > "jsch" which is used for scp tasks.
> 
> I have added a notice to the "exports" page for Apache Forrest:
> http://www.apache.org/licenses/exports/
> only lists our use of "jsch" at the moment.
> 
> This also still needs mention in our top-level README.txt
> 
> Does someone know where jsch is used in forrest. I know that
> "forrestbot" uses it for the deploy.scp task. Anywhere else?
> 
> > "Apache FOP" which can be used for encryption of PDF output.
> 
> I saw some discussion on another list which leads
> me to think it is not needed.
> 
> > Can forrest use "https" to retrieve remote sources?
> > If so, then what product(s) enables that?
> > 
> > I haven't finished yet. Other eyes are appreciated,
> > perhaps you will find something that i may have missed.
> 
> Added https://issues.apache.org/jira/browse/FOR-1069
> to help manage this task.
> 
> I am waiting on sending the actual BIS notice until
> we know if any more products need to be added.

Hmmm, no-one from the Forrest PMC seems interested.

I have tried to complete the job by myself and hope that
i have done it correctly.

As from this date, if someone contributes code which
utilises a supporting product that handles crypto functions
and we package that product, then we need to add a new notice.

-David

Mime
View raw message