www-legal-discuss mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: ECCN questions, again, this time Ant
Date Wed, 10 Oct 2007 04:38:05 GMT
Stefan Bodewig wrote:
> 
> Ant is a build tool that contains tasks that perform steps of the
> build process.  Ant ships with tasks that ssh out to different
> machines or copy files over SSH.  These tasks use the jsch library[1]
> but we do not distribute the library itself.  jsch is produced in
> Japan and as such doesn't seem to have a ECCN, but it would require a
> ECCN if distributed from the US.

Could you please clarify?  You provide the hooks to jsch?  Or you invoke
ssh via the ssh process?

If you are running an ssh command out-of-process, I can't quite fathom
how this is "implementing" crypto.  If you are invoking ssh sessions in
process through jsch, I can see where this is an issue.

> So much for the background of why we think we need an ECCN.  Now my
> comments and questions on the crypto doc.
> 
> First of all, the doc quite clearly talks about getting an ECCN before
> doing a release.  Well, we've already had several releases that
> contained the tasks (the first one was Ant 1.6.0 released in December
> 2003).  We are probably not the first project that didn't know about
> the ECCN requirement back then (four years ago).  So what do we do
> about those older releases?  Simply pretend they never happened?

There is only one ECCN that applies to 99.5% of our work.

And we can only be concerned about "coming into" compliance.  Please
don't panic when you are making good faith efforts at correcting any
non-compliance.

> The other point is that "What are examples of when a crypto item is
> publicly accessible through ASF servers?" still really didn't help us.
> Apart from the ssh task we might have other tasks that need to be
> listed.
> 
> For example Ant contains tasks that deploy to different application
> servers and as such do compile against some BEA WebLogic libraries for
> example.  We are pretty sure that the WebLogic application server
> itself must be a 5D002 item, but we are certainly not using it for its
> crypto features.  Would a direct dependency on the application server
> be enough for us to require an ECCN?  If so, any release of Ant
> starting with 1.2 release seven years ago would be affected.

There has to be a demarcation.  If ANT does not explicitly enable but
only casually follows the possibility of using an https: request URI
when configured by the user (and not by us) then we are overthinking
things, methinks.  If ANT is providing API's, configuration and hooks
into cryptography, then that is a different matter (e.g. jsch above).

e.g. if you invoke wget (without explicitly referring to https:) I'm not
about to start suggesting that needs to be covered under this policy.
Otherwise, an argument can be made that virtually every web service
today needs an export notice.  (Sigh... perhaps they do.)

Cliff can provide more feedback, I expect.

Bill

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Mime
View raw message