[
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15272517#comment-15272517
]
Stian Soiland-Reyes commented on JENA-1169:
-------------------------------------------
Discussion on LEGAL-250 seems to show that if you bundle an "encryption item",
then you are registered.
You are however [exempt from registration|https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three] at all if:
{quote}
* (a) The primary function or set of functions is not any of the following:
** (1) "Information security";
** (2) A computer, including operating systems, parts and components
therefor;
** (3) Sending, receiving or storing information (except in support of
entertainment, mass commercial broadcasts, digital rights management or medical
records management); or
** (4) Networking (includes operation, administration, management and
provisioning);
{quote}
Unfortunately Jena falls through this exemption on (3) as Jena has a set of
functions that includes sending information (Fuseki) and storing information
(TDB store). And although those are not encrypted - that would mean we have to
do a registration of the "encryption functionalities" we use (compile against)
and "encryption items" we include (distribute).
In terms of "using any encryption functionality" there would be the use of
'riot' and RDFDataMgr with https URLs (using Java Secure Socket Extension
(JSSE)). Bindings to Hadoop are fine - that is not "using encryption
functionality".
The biggie is that the binary distributions include HTTPComponents, which is
itself an "encryption item".
> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
> Key: JENA-1169
> URL: https://issues.apache.org/jira/browse/JENA-1169
> Project: Apache Jena
> Issue Type: Bug
> Components: Build
> Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed that
> http://www.apache.org/licenses/exports/
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from
> having a <dependency> on such a classified item.
> Would we therefore also need to declare Jena as classified? Or is the
> transitivity broken because Jena only uses the encryption (e.g. access
> https:// JSON-LD contexts)?
> (This transitivity thing could mean anyone in the US distributing software
> using Jena would be US Export regulated. I hope I am wrong.. worth checking
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E