www-legal-discuss mailing list archives

From Dave Fisher <dave2w...@comcast.net>
Subject Re: Cryptography audit for Twill
Date Mon, 20 Jan 2014 20:39:28 GMT
Hi Andreas,

On Jan 20, 2014, at 10:39 AM, Andreas Neumann wrote:

> If anybody reads this, do you have advice for us? 
> Thanks -Andreas. 
> On Thu, Jan 16, 2014 at 5:03 PM, Andreas Neumann <anew@apache.org> wrote:
> Hi, 
> I am trying to complete the IP clearance for Twill and I am slightly confused by the
> cryptography part of that (https://issues.apache.org/jira/browse/TWILL-28).
> Twill does not explicitly contain cryptographic code, except that:
> It uses java.util.UUID.randomUUID() to generate random ids. This method uses "a cryptographically
> strong pseudo random number generator." Since it is part of Java, I assume that is nothing
> to worry about.
> It uses Hadoop, which uses encryption. The only thing twill does here is store delegation
> tokens on HDFS and read them back.
> So is there anything to do for this? Do I need to add Twill to the export list at http://www.apache.org/licenses/exports/

I looked at the page: http://www.apache.org/licenses/exports/ 

It looks like when there is a dependency like this then there is a reference.

E.g. Apache Solr on Apache Tika ...

Apache Solr   development                5D002   ASF
              1.4 and later              5D002   ASF, Apache Tika
Apache Tika   development                5D002   ASF
              0.2-incubating and later   5D002   ASF, Bouncy Castle, Bouncy Castle

I will note that this file has a number of TLPs listed in the Incubator or as subprojects.
There is an update missing.

> Do we need to include a crypto notice in our README? It is not clear to me after reading
> the document at http://www.apache.org/dev/crypto.html

I looked at Accumulo and they include one in their README.


> Thanks for your help
> -Andreas.
