David Crossley wrote:
> David Crossley wrote:
> > David Crossley wrote:
> > >
> > > ---------------------
> > > Affected code
> > > -------------
> > > I have found our use of "jsch" (see below). Please help
> > > to find what other affected products that we use.
> >
> > I have spent a lot of time on this. I now gather that
> > it is not just if a product uses cryptographic features.
> >
> > Rather we need to declare a product that uses or is designed
> > to use cryptography for the purpose of information security.
> >
> > We have a number of supporting products that use it for
> > authentication. We don't need to declare those.
> >
> > So far I have found:
> >
> > "jsch" which is used for scp tasks.
>
> I have added a notice to the "exports" page for Apache Forrest:
> http://www.apache.org/licenses/exports/
> only lists our use of "jsch" at the moment.
>
> This also still needs mention in our top-level README.txt
>
> Does someone know where jsch is used in forrest? I know that
> "forrestbot" uses it for the deploy.scp task. Anywhere else?
>
> > "Apache FOP" which can be used for encryption of PDF output.
>
> I saw some discussion on another list which leads
> me to think it is not needed.
>
> > Can forrest use "https" to retrieve remote sources?
> > If so, then what product(s) enables that?
> >
> > I haven't finished yet. Other eyes are appreciated,
> > perhaps you will find something that I may have missed.
>
> Added https://issues.apache.org/jira/browse/FOR-1069
> to help manage this task.
>
> I am waiting on sending the actual BIS notice until
> we know if any more products need to be added.

Hmmm, no-one from the Forrest PMC seems interested.
I have tried to complete the job by myself and hope
that I have done it correctly.

As from this date, if someone contributes code which
utilises a supporting product that handles crypto functions
and we package that product, then we need to add a new notice.

-David