[ 
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15273985#comment-15273985
 ] 

Andy Seaborne commented on JENA-1169:
-------------------------------------

Thanks for pushing forward in this.

I think we should register Jena regardless of whether some reading of the 
requirements means Jena may or may not be included.

There have been, in the lifetime of the TLP, two enquiries about ECCN so adding 
Jena to the registrations makes sense to me.

(Note that the responsibility for anything using Jena downstream does reside 
with the downstream integrator.)


> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed  on 
> http://www.apache.org/licenses/exports/   
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary 
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from 
> having a <dependency> on such a classified item.
> Would we therefore also need to declare Jena as classified? Or is the 
> transitivity broken because Jena only uses the encryption (e.g. access 
> https:// JSON-LD contexts)? 
> (This transitivity thing could mean anyone in the US distributing software 
> using Jena would be US Export regulated. I hope I am wrong.. worth checking 
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle 
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
