> On 29. Jul 2025, at 16:10, Jan Lehnardt <[email protected]> wrote:
>
> Heya Alex,
>
> thank you for getting a head-start on this. I do not know
> the answer to this, but I do remember that in the context
> of CouchDB’s incubation, we had to document more than
> we thought was sensible, so the same might happen to us.
>
> That said, I have posed the question on the ASF Slack at
>
> https://the-asf.slack.com/archives/C4REPMB9S/p1753798144287009
>
> and will escalate to the Incubator mailing list if need be.
>
> I’ll report back.

Initial responses conclude that we do not need a crypto registration or
notice, as our use depends on the browser or Node.js, which would be the
software directly interacting with crypto libraries (say, openssl). Let’s
document things as such and, if need be, have the Incubator team escalate
to the ASF legal team.

Best
Jan
—

> Best
> Jan
> —
>
>> On 28. Jul 2025, at 14:54, Alex Anderson <[email protected]> wrote:
>>
>> I've read https://infra.apache.org/crypto.html, and here are some thoughts
>>
>> In
>> https://github.com/pouchdb/pouchdb/blob/master/docs/asf.md?plain=1#L249-L255,
>> Jan notes:
>>
>>> PouchDB does not directly include cryptography code, but makes use of
>>> in-browser TLS. A PouchDB plugin crypto-pouch exists that does
>>> record-level encryption, but it is currently not part of the PouchDB
>>> code base. If md5 hashing is considered cryptography, PouchDB, like
>>> CouchDB, makes use of that, just note that md5 hashing is not used for
>>> security relevant operations.
>>
>> It definitely looks like the only current use of node's `crypto`
>> library is for hashing and generating random values:
>>
>> ```
>> $ git grep -Eo 'crypto\.\w+' | cut -d: -f2 | uniq
>> crypto.createHash
>> crypto.getRandomValues
>> ```
>>
>> From the guidelines at https://infra.apache.org/crypto.html:
>>
>>> Q. Do digest algorithms such as MD5 and SHA1 require notification?
>>> A. No.
>>
>> ---
>>
>> However, the guidelines also state:
>>
>>> PMCs considering...designing their products to use other software with
>>> cryptographic functionality, should take the following steps...
>>
>> pouchdb-adapter-http is explicitly written to work with HTTPS. Does
>> this mean it's designed to use other software with cryptographic
>> functionality? That would seem extreme.
>>
>> ---
>>
>> https://infra.apache.org/crypto.html mostly talks about shipping
>> cryptographic source or object code, which pouchdb is not doing.
>>
>> However, there are historic examples in the git repo where crypto code
>> *is* probably included:
>>
>> * the selenium standalone .jar (first at
>>   082c7da0b6b85649f9490ffb855c81c6cd20cf18)
>> * aes, diffie-hellman, des implementations (first at
>>   eb7d421640d2ba7d6f36231bb0f434f68a49f8b5)
>>
>> Maybe these require reporting?
>>
>> An alternative might be to rewrite history to remove third-party
>> binaries and build artifacts.
>>
>> I'm generally against rewriting history, but it would likely reduce
>> repo size significantly, as well as simplifying audit.
>>
>> ---
>>
>> Alex
>
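As an added example that is not part of this thread and not PouchDB or ASF code, the POSIX shell below generalises the `git grep` audit above: it counts every `crypto.<name>` reference under a source tree, sorts each into the digest/random bucket the guidelines say needs no notice or a bucket that needs a human look, and lists files ever added to git history whose names suggest bundled cipher or key-exchange code. The exempt-name list, the filename pattern and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not PouchDB or ASF code. Sorts crypto API references into the
# bucket the ASF guidelines exempt (digests, random values) and a bucket that
# needs a human look (ciphers, key exchange, signatures). The name lists below
# are assumptions for illustration.

# classify_call NAME -> "exempt" for digest/random helpers, "review" otherwise.
# Anything unknown (including WebCrypto's `subtle`, which can do anything)
# deliberately falls through to "review".
classify_call() {
  case "$1" in
    createHash|createHmac|getRandomValues|randomBytes|randomUUID|randomInt)
      echo exempt ;;
    *)
      echo review ;;
  esac
}

# audit_tree DIR -> one line per distinct call: "<bucket> <name> <count>",
# covering crypto.<name> references in *.js files under DIR.
audit_tree() {
  grep -rhoE 'crypto\.[A-Za-z_]+' --include='*.js' "$1" 2>/dev/null \
    | sed 's/^crypto\.//' | sort | uniq -c \
    | while read -r count name; do
        printf '%s %s %s\n' "$(classify_call "$name")" "$name" "$count"
      done
}

# needs_review DIR -> exit 0 if any reference is outside the exempt bucket.
needs_review() {
  audit_tree "$1" | grep -q '^review '
}

# history_hits -> files ever added anywhere in git history whose path suggests
# bundled cipher/key-exchange code or a binary jar (heuristic; run inside a repo).
history_hits() {
  git log --all --diff-filter=A --name-only --pretty=format: \
    | grep -iE '(^|[/._-])(aes|des|dh|diffie|rsa)([/._-]|$)|\.jar$' | sort -u
}

# make_sample_tree -> prints the path of a constructed temp tree for a dry run.
make_sample_tree() {
  d=$(mktemp -d)
  printf 'var h = crypto.createHash("md5");\n' > "$d/md5.js"
  printf 'crypto.getRandomValues(buf); crypto.createHash("sha256");\n' > "$d/uuid.js"
  printf 'var c = crypto.createCipheriv("aes-256-gcm", k, iv);\n' > "$d/enc.js"
  echo "$d"
}
```

Run `audit_tree .` and `needs_review .` from a checkout to get the current-tree picture, and `history_hits` for the historic inclusions the thread raises; the history pattern is a coarse filename heuristic, so treat its output as a list of things to inspect rather than a verdict.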
