www-legal-discuss mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: ECCN questions, again, this time Ant
Date Wed, 10 Oct 2007 09:50:15 GMT
On Tue, 09 Oct 2007, William A. Rowe, Jr. <wrowe@rowe-clan.net> wrote:
> Stefan Bodewig wrote:
>> Ant is a build tool that contains tasks that perform steps of the
>> build process.  Ant ships with tasks that ssh out to different
>> machines or copy files over SSH.  These tasks use the jsch
>> library[1] but we do not distribute the library itself.  jsch is
>> produced in Japan and as such doesn't seem to have an ECCN, but it
>> would require an ECCN if distributed from the US.
> Could you please clarify?  You provide the hooks to jsch?  Or you
> invoke ssh via the ssh process?

Ant invokes jsch which implements the SSH protocol using JCE.  No ssh
executable involved at all.

> If you are running an ssh command out-of-process, I can't quite
> fathom how this is "implementing" crypto.  If you are invoking ssh
> sessions in process through jsch, I can see where this is an issue.

I said we know we need to get Ant added to the exports page 8-)

I'll start creating/adding the required documents soon.

>> First of all, the doc quite clearly talks about getting an ECCN
>> before doing a release.  Well, we've already had several releases
>> that contained the tasks (the first one was Ant 1.6.0 released in
>> December 2003).  We are probably not the first project that didn't
>> know about the ECCN requirement back then (four years ago).  So
>> what do we do about those older releases?  Simply pretend they
>> never happened?
> There is only one ECCN that applies to 99.5% of our work.

OK, sloppy language, sorry.

> And we can only be concerned about "coming into" compliance.  Please
> don't panic when you are making good faith efforts at correcting any
> non-compliance.

Even if I sounded worried, I'm not, not at all.  It's just that the
page puts so much emphasis on "before placing such code  ..." which
leaves the question of existing releases completely open.

>> The other point is that "What are examples of when a crypto item is
>> publicly accessible through ASF servers?" still really didn't help
>> us.  Apart from the ssh task we might have other tasks that need to
>> be listed.
>> For example Ant contains tasks that deploy to different application
>> servers and as such do compile against some BEA WebLogic libraries
>> for example.  We are pretty sure that the WebLogic application
>> server itself must be a 5D002 item, but we are certainly not using
>> it for its crypto features.  Would a direct dependency on the
>> application server be enough for us to require an ECCN?  If so, any
>> release of Ant starting with 1.2 release seven years ago would be
>> affected.
> There has to be a demarcation.

This is what common sense told me as well.  But then again I'm German
and not used to US government restrictions and their interpretation.

> If ANT does not explicitly enable but only casually follows the
> possibility of using an https: request URI when configured by the
> user (and not by us) then we are overthinking things, methinks.

In any case other than the ssh tasks we are not explicitly using any
third party software for the cryptographic features they might

Thanks for the feedback


DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.