www-legal-discuss mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: Crypto status of bundling PDFBox
Date Sun, 16 Mar 2008 22:49:15 GMT
Hi Bill,

On Mar 14, 2008, at 11:37 AM, William A. Rowe, Jr. wrote:

> Craig L Russell wrote:
>> On Mar 13, 2008, at 11:39 AM, Roy T. Fielding wrote:
>>> On Mar 13, 2008, at 2:52 AM, Jukka Zitting wrote:
>>>> The PDFBox library (http://www.pdfbox.com/) uses the Bouncy Castle
>>>> crypto libraries when working with encrypted PDF files, but that's an
>>>> optional dependency that is not needed when working with normal PDF
>>>> files.
>>>> In Apache Jackrabbit we use and bundle PDFBox without the crypto
>>>> libraries and no part of Jackrabbit is designed to deal with
>>>> cryptography. Based on that I don't believe we need crypto
>>>> notifications as described on http://www.apache.org/dev/crypto.html,
>>>> but I wanted to check with you that this interpretation is OK.
>>> That is correct.
>> I don't necessarily agree. If PDFBox has code that writes to the
>> Bouncy Castle APIs, then why is it not "Software specially designed
>> or modified for the development, production or use of any of the
>> other software of this list, or software designed to certify other
>> software on this list"?
> If you ship BouncyCastle - end of discussion - you are shipping crypto.
> One possible example, if Maven made BouncyCastle jars available, then the
> maven project needs to provide the notice.
> If a project doesn't ship BouncyCastle, depends on it for *non-encryption*
> features such as authentication tokens, etc, these are explicitly not part
> of the crypto notice requirements.

Please re-read the paragraph above. I'll highlight it here for emphasis:
> The PDFBox library (http://www.pdfbox.com/) uses the Bouncy Castle
> crypto libraries when working with encrypted PDF files...

Regardless of the fact that it's optional, my understanding of this
sentence means that BouncyCastle is being used for its crypto
capabilities, and therefore PDFBox is "designed.. for... the use of"

> BouncyCastle is being exported by that
> project (or whatever repository they obtain it from, such as Maven or some
> specific java+++ distribution shipped with an OS or framework, etc).
> To take your example to the extreme, Binaries for Win32 depend on the Win32
> API - and the Win32 API contains crypto functions.  Ergo...
> Bill

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!