[jira] [Commented] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

Sun, 30 Oct 2016 07:33:34 -0700 

    [ 
https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15620031#comment-15620031
 ] 

Andy Seaborne commented on JENA-1169:
-------------------------------------

Because Jena only includes export-controlled software when buindled into 
binaries, I don't think we need to or should put that in the source code 
READMEs. The README's pertain to the Jena code and there isn't any regulated 
software there. So the README in a source-release is about the the source code 
in the release.

(It is also true that READMEs are overloaded.)

There is no US government requirement to put anythign in READMEs - it's an 
Apache principle. US gov only requires the registration.

It is the binary distributions that contain controlled software and they are 
published on US-based servers so regulations apply.  They are published by 
being placed in the maven repos for snapshots and releases, and the in the dist 
area (specifically archive.apache.org). Mirrors are not the point of 
publication.



> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed  on 
> http://www.apache.org/licenses/exports/   
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary 
> distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from 
> having a <dependency> on such a classified item.
> Would we therefore also need to also declare Jena as classified? Or is the 
> transitivity broken because Jena only use the encryption (e.g. access 
> https:// JSON-LD contexts)? 
> (This transitivity thing could mean anyone in the US distributing software 
> using Jena would be US Export regulated. I hope I am wrong.. worth checking 
> with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle 
> dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%[email protected]%3E
> h2. Draft eccnmatrix.xml additions
> To be added to 
> https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
> and then published to http://www.apache.org/licenses/exports/
> See http://www.apache.org/dev/crypto.html#sources
> {code:xml}
>  <Project id="jena" href="http://jena.apache.org";>
>   <Name>Apache Jena</Name>
>   <Contact><Name>Andy Seaborne</Name></Contact>
>   <Product>
>     <Name>Apache Jena</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>2.7.0-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents Client</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
>   <Product>
>     <Name>Apache Jena Fuseki</Name>
>     <Version>
>       <Names>development</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource 
> href="https://git-wip-us.apache.org/repos/asf/jena.git";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>     </Version>
>     <Version>
>       <Names>0.2.1-incubating and later</Names>
>       <ECCN>5D002</ECCN>
>       <ControlledSource href="http://archive.apache.org/dist/jena/source/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/jena/binaries/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, 
> Jetty</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource 
> href="http://archive.apache.org/dist/httpcomponents/httpcore/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://archive.apache.org/dist/shiro/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
>       </ControlledSource>
>       <ControlledSource href="http://www.apache.org/dist/lucene/solr/";>
>         <Manufacturer>ASF</Manufacturer>
>         <Why>Designed for use with the Apache Tika API in the 
> contrib/extraction libraries</Why>
>       </ControlledSource>
>       <ControlledSource href="http://eclipse.org/jetty";>
>         <Manufacturer>The Eclipse Foundation</Manufacturer>
>         <Why>SSL library for Jetty</Why>
>       </ControlledSource>
>     </Version>
>   </Product>
> </Project>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to