[jira] [Commented] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

Stian Soiland-Reyes (JIRA) Fri, 06 May 2016 07:39:54 -0700

    [ 
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15274130#comment-15274130
 ]


Stian Soiland-Reyes commented on JENA-1169:
-------------------------------------------

I added a draft XML to be added - please review and then I can commit it and 
you can click the CMS publish button.

Basically I split between Jena and Fuseki. I didn't make a separate Product 
Jena-arq 2.9.0-incubating - and I didn't make two separate versions depending 
on when Solr was added to Fuseki (I think it was in one of the 0.x releases)

Note that the "Why" reasoning is different for the source and binary 
distributions - the source is only restricted based on the encryption 
functionality it USES (e.g. use HTTP Components and Apache Shiro - but we don't 
use the encryption facility of say), while the binary also is restricted based 
on hat is bundled (e.g. Jetty)

I did not list Hadoop as we don't re-distribute Hadoop and Elephas don't use 
the encryption facility in Hadoop (?).

If you agree on this list then I'll prepare the README.md changes.. which is 
probably a bit easier to understand for people :)

> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed  on 
> http://www.apache.org/licenses/exports/   
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary 
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from 
> having a <dependency> on such a classified item.
> Would we therefore also need to also declare Jena as classified? Or is the 
> transitivity broken because Jena only use the encryption (e.g. access 
> https:// JSON-LD contexts)? 
> (This transitivity thing could mean anyone in the US distributing software 
> using Jena would be US Export regulated. I hope I am wrong.. worth checking 
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle 
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E
> h2. Draft eccnmatrix.xml additions
> To be added to 
> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
> and then published to http://www.apache.org/licenses/exports/
> See http://www.apache.org/dev/crypto.html#sources
> {code}
>  <Project id="jena" href="http://jena.apache.org";>
>   <Name>Apache Jena</Name>
>   <Contact><Name>Andy Seaborne</Name></Contact>
>   <Product>
>     <Name>Apache Jena</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>2.7.0-incubating and later</Names>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents Client</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
>   <Product>
>     <Name>Apache Jena Fuseki</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>0.2.1-incubating and later</Names>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, 
> Jetty</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://www.apache.org/dist/lucene/solr/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with the Apache Tika API in the 
> contrib/extraction libraries</Why>
>       </ControlledSource>
>       <ControlledSource href="http://eclipse.org/jetty";>
>         <Manufacturer>The Eclipse Foundation</Manufacturer>
>         <Why>SSL library for Jetty</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
> </Project>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

Reply via email to