Re: ECCN cryptography reporting?

Thanks! I think we need to work more on https://www.apache.org/dev/crypto.html to add the kind of considerations to make to decide if some software needs to be registered or not, perhaps suggest various "escape hatches". Now we can proceed with the Taverna RCs :) On 21 May 2016 at 22:24, Ted

Re: ECCN cryptography reporting?

I just sent this notification. I added a small amount of language to the notification and added secretary@a.o as a cc and as a contact point. Thanks to the Taverna community for laying the groundwork so assiduously. This is a notoriously opaque area which you have illuminated nicely. On Thu,

Re: ECCN cryptography reporting?

Hi, Taverna is still waiting for the ECCN registration for Taverna to be sent in from Ted before we can continue to prepare our next release candiates. Taverna's listing is now live on: https://www.apache.org/licenses/exports/ See draft email on

Re: ECCN cryptography reporting?

We documented it in https://issues.apache.org/jira/browse/TAVERNA-959 and on https://cwiki.apache.org/confluence/display/TAVERNADEV/Taverna+Cryptography+review See also

Re: ECCN cryptography reporting?

I would be happy if Taverna doesn't meet the ECCN registration criteria :) I think we are not exempt overall from the 2010 decontrolling: https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three because we do a lot of "sending and receiving information" -

Re: ECCN cryptography reporting?

Ted, I think that's my point. It sounds like taverna doesn't meet the criteria. John On May 5, 2016 13:07, "Ted Dunning" wrote: > John, > > I love what you do and respect what you say, but do you have a citation for > that registration requirement? Taverna isn't

Re: ECCN cryptography reporting?

John, I love what you do and respect what you say, but do you have a citation for that registration requirement? Taverna isn't distributing JSSE and it allows weak encryption. On Wed, May 4, 2016 at 7:36 PM, John D. Ament wrote: > That's the thing, JSSE is an add-on

Re: ECCN cryptography reporting?

That's the thing, JSSE is an add-on encryption component in Java. If the product requires it, you have to register it. Ideally the product shouldn't require it and make it an optional feature to enable. The latter is just my $0.02 John On May 4, 2016 21:30, "Ted Dunning"

Re: ECCN cryptography reporting?

My guess is that this would fall to me. There is considerable analysis to be done to determine whether filing is required. Are you guys documenting the decision points? On Wed, May 4, 2016 at 4:45 AM, Stian Soiland-Reyes wrote: > On 2 May 2016 at 03:23, Stian Soiland-Reyes

Re: ECCN cryptography reporting?

On 2 May 2016 at 03:23, Stian Soiland-Reyes wrote: > Formally - would it need to be the Incubator PMC chair sending the > ECCN encryption email? Could anyone from IPMC (e.g. our mentors) do it, or just Ted Dunning? -- Stian Soiland-Reyes Apache Taverna (incubating), Apache

RE: ECCN cryptography reporting?

MG>hopefully quick answer > From: st...@apache.org > Date: Mon, 2 May 2016 17:45:12 +0100 > Subject: Re: ECCN cryptography reporting? > To: general@incubator.apache.org > > Thanks! > > We did a dependency clean-up (but not upgrade) as part of license >

Re: ECCN cryptography reporting?

Thanks! We did a dependency clean-up (but not upgrade) as part of license review. We want to delay some of the upgrades (e.g. to OSGI 5) until after getting the first full command line release out as this is what pulls together everything in its lib/. (Thus this is also why we need to do the

RE: ECCN cryptography reporting?

with other apache products to reduce code bloat and reduce deprecated packages you might want to run maven dependency:treemvn dependency:tree -Dverbose https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html compare delta(s) with emma