Jena does not implement any cryptographic software, but we do bundle dependencies that include such software in the binary distributions for HTTPS and for web app security (Shiro).

Plan:

1/ Include a "Cryptographic Software Notice" in each of the binary distribution README files.

    apache-jena/dist/README
    jena-fuseki2/apache-jena-fuseki/README
    jena-fuseki1/apache-jena-fuseki/README

This part is Apache-required and not part of the US export registration process.

The bundled software concerned is
  Apache HttpClient
  Apache HttpComponents Core
  Eclipse Jetty
  Apache Shiro

PR#187

2/ Register a product

NB "version" has a specific meaning, more like "usage"

"Apache Jena (distribution)"
  Versions: development
            [for the snapshot maven repo]
            binary distribution
            [for the binaries and release maven repo]

and send required email to the required US gov organisations and Apache lists.

----

I thought about 3 products (apache-jena, fuseki1, fuseki2). For stability, the links ended up to the general area of repo or archives (as other projects also have it) so 3 products did not make anything better.

I also looked at various other projects - things are not uniform. There are cases of "over register" where the crypto notice is in the code base README. That's unhelpful when the project itself does not provide crypto software and wrong when the source-release gets made (it does not contain any such software). Like NOTICE, being minimal seemed more in the spirit of things.

        Andy

[1] http://www.apache.org/dev/crypto.html
[2] http://www.apache.org/licenses/exports/
