www-legal-discuss mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: Crypto status of bundling PDFBox
Date Fri, 14 Mar 2008 18:37:52 GMT
Craig L Russell wrote:
> On Mar 13, 2008, at 11:39 AM, Roy T. Fielding wrote:
>> On Mar 13, 2008, at 2:52 AM, Jukka Zitting wrote:
>>> The PDFBox library (http://www.pdfbox.com/) uses the Bouncy Castle
>>> crypto libraries when working with encrypted PDF files, but that's an
>>> optional dependency that is not needed when working with normal PDF
>>> files.
>>> In Apache Jackrabbit we use and bundle PDFBox without the crypto
>>> libraries and no part of Jackrabbit is designed to deal with
>>> cryptography. Based on that I don't believe we need crypto
>>> notifications as described on http://www.apache.org/dev/crypto.html,
>>> but I wanted to check with you that this interpretation is OK.
>> That is correct.
> I don't necessarily agree. If PDFBox has code that writes to the Bouncy 
> Castle APIs, then why is it not "Software specially designed or modified 
> for the development, production or use of any of the other software of 
> this list, or software designed to certify other software on this list"?

If you ship BouncyCastle - end of discussion - you are shipping crypto.
One possible example: if Maven made BouncyCastle jars available, then the
Maven project needs to provide the notice.

If a project doesn't ship BouncyCastle, depends on it for *non-encryption*
features such as authentication tokens, etc, these are explicitly not part
of the crypto notice requirements.  BouncyCastle is being exported by that
project (or whatever repository they obtain it from, such as Maven or some
specific java+++ distribution shipped with an OS or framework, etc).

To take your example to the extreme, Binaries for Win32 depend on the Win32
API - and the Win32 API contains crypto functions.  Ergo...


DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.