David Crossley wrote: > David Crossley wrote: > > > > --------------------- > > Affected code > > ------------- > > I have found our use of "jsch" (see below). Please help > > to find what other affected products that we use. > > I have spent a lot of time on this. I now gather that > it is not just if a product uses cryptographic features. > > Rather we need to declare a product that uses or is designed > to use cryptography for the purpose of information security. > > We have a number of supporting products that use it for > authentication. We don't need to declare those. > > So far i have found: > > "jsch" which is used for scp tasks.
I have added a notice to the "exports" page for Apache Forrest: http://www.apache.org/licenses/exports/ only lists our use of "jsch" at the moment. This also still needs mention in our top-level README.txt Does someone know where jsch is used in forrest. I know that "forrestbot" uses it for the deploy.scp task. Anywhere else? > "Apache FOP" which can be used for encryption of PDF output. I saw some discussion on another list which leads me to think it is not needed. > Can forrest use "https" to retrieve remote sources? > If so, then what product(s) enables that? > > I haven't finished yet. Other eyes are appreciated, > perhaps you will find something that i may have missed. Added https://issues.apache.org/jira/browse/FOR-1069 to help manage this task. I am waiting on sending the actual BIS notice until we know if any more products need to be added. -David
