www-legal-discuss mailing list archives

From Craig L Russell <Craig.Russ...@Sun.COM>
Subject Re: Crypto status of bundling PDFBox
Date Sun, 16 Mar 2008 23:14:13 GMT
I have taken the opportunity to re-read the message and disregard the  
subject, as the subject misled me. [I thought that we were discussing  
the PDFBox project not the Jackrabbit project].

I agree Jackrabbit needs not to identify as a crypto project.

Craig

On Mar 16, 2008, at 3:49 PM, Craig L Russell wrote:

> Hi Bill,
>
> On Mar 14, 2008, at 11:37 AM, William A. Rowe, Jr. wrote:
>
>> Craig L Russell wrote:
>>> On Mar 13, 2008, at 11:39 AM, Roy T. Fielding wrote:
>>>> On Mar 13, 2008, at 2:52 AM, Jukka Zitting wrote:
>>>>> The PDFBox library (http://www.pdfbox.com/) uses the Bouncy Castle
>>>>> crypto libraries when working with encrypted PDF files, but that's an
>>>>> optional dependency that is not needed when working with normal PDF
>>>>> files.
>>>>>
>>>>> In Apache Jackrabbit we use and bundle PDFBox without the crypto
>>>>> libraries and no part of Jackrabbit is designed to deal with
>>>>> cryptography. Based on that I don't believe we need crypto
>>>>> notifications as described on http://www.apache.org/dev/crypto.html,
>>>>> but I wanted to check with you that this interpretation is OK.
>>>>
>>>> That is correct.
>>> I don't necessarily agree. If PDFBox has code that writes to the  
>>> Bouncy Castle APIs, then why is it not "Software specially  
>>> designed or modified for the development, production or use of any  
>>> of the other software of this list, or software designed to  
>>> certify other software on this list"?
>>
>> If you ship BouncyCastle - end of discussion - you are shipping crypto.
>> One possible example, if Maven made BouncyCastle jars available, then the
>> maven project needs to provide the notice.
>>
>> If a project doesn't ship BouncyCastle, depends on it for *non-encryption*
>> features such as authentication tokens, etc, these are explicitly not part
>> of the crypto notice requirements.
>
> Please re-read the paragraph above. I'll highlight it here for  
> emphasis:
>> The PDFBox library (http://www.pdfbox.com/) uses the Bouncy Castle  
>> crypto libraries when working with encrypted PDF files...
>
> Regardless of the fact that it's optional, my understanding of this  
> sentence means that BouncyCastle is being used for its crypto  
> capabilities, and therefore PDFBox is "designed.. for... the use of"  
> encryption.
>
> Craig
>
>> BouncyCastle is being exported by that
>> project (or whatever repository they obtain it from, such as Maven or some
>> specific java+++ distribution shipped with an OS or framework, etc).
>>
>> To take your example to the extreme, Binaries for Win32 depend on the Win32
>> API - and the Win32 API contains crypto functions.  Ergo...
>>
>> Bill
>
> Craig Russell
> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>

Craig Russell
Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
408 276-5638 mailto:Craig.Russell@sun.com
P.S. A good JDO? O, Gasp!

