www-legal-discuss mailing list archives

From Andrew Purtell <apurt...@apache.org>
Subject Re: Cryptography audit for Twill
Date Tue, 21 Jan 2014 18:37:33 GMT
When considering adding features based on cryptography for Apache HBase I
posted a query on this mailing list and received an "IANAL" answer, which
was unfortunately unhelpful. We can forgive Twill for taking a maybe overly
conservative position given what we have here is another volunteered
personal opinion. I share that view but my opinion is worthless because I
am neither a lawyer, nor one representing the Foundation. The material on
http://www.apache.org/dev/crypto.html carries this ominous disclaimer:

"Note - the regulations covering US export control laws for encryption were
changed on June 25th 2010. This page describes the previous process. Until
an updated version has been drawn up and approved by the Apache VP Legal
Affairs, projects should check with the legal-discuss list before

It's fair to say at this point the Foundation does not provide effective
guidance for use of cryptographic functions, or even what that means.

On Mon, Jan 20, 2014 at 4:37 PM, Kevan Miller <kevan.miller@gmail.com> wrote:

> On Thu Jan 16 2014 at 7:59:44 PM, Andreas Neumann <anew@apache.org> wrote:
>> Hi,
>> I am trying to complete the IP clearance for Twill and I am slightly
>> confused by the cryptography part of that (
>> https://issues.apache.org/jira/browse/TWILL-28).
>> Twill does not explicitly contain cryptographic code, except that:
>>    - It uses java.util.UUID.randomUUID() to generate random ids. This
>>    method uses "a cryptographically strong pseudo random number generator."
>>    Since it is part of Java, I assume that is nothing to worry about.
>>    - It uses Hadoop, which uses encryption. The only thing twill does
>>    here is store delegation tokens on HDFS and read them back.
>> So is there anything to do for this? Do I need to add Twill to the export
>> list at http://www.apache.org/licenses/exports/ ? Do we need to include
>> a crypto notice in our README? It is not clear to me after reading the
>> document at http://www.apache.org/dev/crypto.html
> How would you evaluate the following statement with regard to TWILL?
> PMCs considering including cryptographic functionality within their
> products or specially designing their products to use other software with
> cryptographic functionality should take the following steps *before
> placing such code on any ASF server, including commits to subversion *:
> My personal opinion: using java.util.UUID.randomUUID() to generate a
> unique id is not cryptographic functionality. Note: being part of Java or
> not is not necessarily relevant...
> I don't have enough context to offer an opinion on 'store delegation
> tokens on HDFS and read them back'. Was TWILL "specially designing their
> products to use other software with cryptographic functionality"? Answer
> that, and I think you have your answer.
> --kevan

Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)
