OK, having just done this for Taverna I can draft the XML and readme changes to be added, and then Jena PMC Chair (you!) :) can send the formal email.
Should we delay 3.1.0 for this? ---------- Forwarded message ---------- From: "Andy Seaborne (JIRA)" <[email protected]> Date: 6 May 2016 1:45 p.m. Subject: [jira] [Commented] (JENA-1169) Is Jena US Export classified due to encryption in dependencies? To: <[email protected]> Cc: [ https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15273985#comment-15273985 ] Andy Seaborne commented on JENA-1169: ------------------------------------- Thanks for pushing forward in this. I think we should register Jena regardless of whether some reading of the requirements means Jena may or may not be included. There have been, in the lifetime of the TLP, two enquiries about ECCN so adding Jena to the registrations makes sense to me. (Note that the responsibility for anything using Jena downstream does reside with the downstream integrator.) > Is Jena US Export classified due to encryption in dependencies? > --------------------------------------------------------------- > > Key: JENA-1169 > URL: https://issues.apache.org/jira/browse/JENA-1169 > Project: Apache Jena > Issue Type: Bug > Components: Build > Reporter: Stian Soiland-Reyes > > Hi - apologies for finding this.. > I just noticed on > http://www.apache.org/licenses/exports/ > includes US export classified tools from ASF: > Apache HttpComponents Core 4.0 and later > Apache HttpComponents Client 4.0 and later > Apache Hadoop 17.0 and later > See also: > http://www.apache.org/dev/crypto.html#faq-manyproducts > We redistribute Apache HTTP Components in the Jena and Fuseki binary distributions. We don't distribute Hadoop - we only link to it from Elephas. > Reading ASF's FAQ it is not clear if we would need to be listed just from having a <dependency> on such a classified item. > Would we therefore also need to also declare Jena as classified? Or is the transitivity broken because Jena only use the encryption (e.g. access https:// JSON-LD contexts)? > (This transitivity thing could mean anyone in the US distributing software using Jena would be US Export regulated. I hope I am wrong.. worth checking with LEGAL I think) > BTW this was discussed in 2011 - but I believe we since removed BouncyCastle dependency: > http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E -- This message was sent by Atlassian JIRA (v6.3.4#6332)
