Thanks @Dominik and @Thomas for the review. AFAIU, we are currently using the `cupertino_http` package, which internally uses the URL Loading System of iOS. The URL Loading System [0] uses the platform APIs for SSL/TLS. Since these are platform APIs, the Apple documentation mentions "No documentation required in App Store connect" [1][2].
However, I will do thorough research again and will update it here.

- [0] https://developer.apple.com/documentation/foundation/url-loading-system
- [1] https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
- [2] https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations

On Fri Sep 26, 2025 at 11:51 AM CEST, Thomas Lamprecht wrote:
> On 26.09.25 at 11:21, Dominik Csapak wrote:
>> I'm not a lawyer, but are you sure we are compliant with this?
>>
>> the https client will use encryption, so it's not like we don't use
>> encryption at all. (Especially with the cupertino_http package)
>
> We use it, but we do not implement it, which is the key point
> here.
>
>> I guess this is exempt, but having some reference for that (aside
>> some medium/reddit post) would be nice.
>>
>> At least some kind of rationale in the commit would be good.
>> (IMHO 'we don't use proprietary encryption' is not a good reason

Makes sense. Sorry, I should have added more details in the commit message. Will send another patch with more details after doing some more research on this.

>> when also 'standard encryption' falls under the export regulation...)
>> @Thomas, what do you think?
>
> We basically only need to check if any of the used dependencies
> implements the (lower level) encryption that HTTPS builds upon
> themselves, compared to using the platform libraries for that.
> And doing so would be good in any case, which would be an actual
> blocker for us anyway, i.e. independent of legal compliance with
> app stores, as that needs to be thoroughly vetted then, and even
> if we could do that (which I don't think we got the capacity to
> thoroughly do for this, especially considering the ROI here),
> would still need others to feel somewhat confident.
>
> I quickly checked cupertino_http [0], and from what I saw it uses
> only iOS platform native interfaces for TLS and the like, if that
> holds true (please check closer), we would be indeed compliant and
> can indeed signal this through setting ITSAppUsesNonExemptEncryption
> flag to false.

Thanks Thomas for checking it. I should have mentioned it in the commit. We are also using the crypto package as well. So I also need to check how the hashing algorithms are categorised in BIS.

> [0]: https://github.com/dart-lang/http/tree/master/pkgs/cupertino_http/lib/src
