[jira] [Commented] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

Fri, 06 May 2016 08:22:50 -0700 

    [ 
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15274196#comment-15274196
 ] 

ASF GitHub Bot commented on JENA-1169:
--------------------------------------

GitHub user stain opened a pull request:

    https://github.com/apache/jena/pull/138

    JENA-1169 Add Export Restriction READMEs

    As detailed in JENA-1169 https://issues.apache.org/jira/browse/JENA-1169
    
    this adds README notices about the Export restrictions in accordance with 
http://www.apache.org/dev/crypto.html#inform

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/stain/jena JENA-1169

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/jena/pull/138.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #138
    
----
commit 40b6daf9f513f78eb4f28c026deee7259e0bc054
Author: Stian Soiland-Reyes <[email protected]>
Date:   2016-05-06T14:53:20Z

    Merge remote-tracking branch 'refs/remotes/apache/master'

commit 8fedfdff40fbf0bb2687d472dd800a31a28c5b29
Author: Stian Soiland-Reyes <[email protected]>
Date:   2016-05-06T15:18:04Z

    JENA-1169 Export Restriction notice
    
    Also this adds a basic README to the Fuseki binary distributions.
    
    TODO: Check if the READMEs also survive into the mvn release: source
    distribution.
    
    Highest-level README (e.g. what you would see on GitHub)
    reference the deeper READMEs.

----


> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed  on 
> http://www.apache.org/licenses/exports/   
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary 
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from 
> having a <dependency> on such a classified item.
> Would we therefore also need to also declare Jena as classified? Or is the 
> transitivity broken because Jena only use the encryption (e.g. access 
> https:// JSON-LD contexts)? 
> (This transitivity thing could mean anyone in the US distributing software 
> using Jena would be US Export regulated. I hope I am wrong.. worth checking 
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle 
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E
> h2. Draft eccnmatrix.xml additions
> To be added to 
> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
> and then published to http://www.apache.org/licenses/exports/
> See http://www.apache.org/dev/crypto.html#sources
> {code:xml}
>  <Project id="jena" href="http://jena.apache.org";>
>   <Name>Apache Jena</Name>
>   <Contact><Name>Andy Seaborne</Name></Contact>
>   <Product>
>     <Name>Apache Jena</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>2.7.0-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents Client</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
>   <Product>
>     <Name>Apache Jena Fuseki</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>0.2.1-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, 
> Jetty</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://www.apache.org/dist/lucene/solr/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with the Apache Tika API in the 
> contrib/extraction libraries</Why>
>       </ControlledSource>
>       <ControlledSource href="http://eclipse.org/jetty";>
>         <Manufacturer>The Eclipse Foundation</Manufacturer>
>         <Why>SSL library for Jetty</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
> </Project>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to