I looked up a mail thread on the legal-discuss list wherein the Derby
project asked if projects which included Derby (distributed it) but
didn't use any encryption APIs, would need to be classified as 5D002 and
notify the US govt.; the answer was "Yes". To see this thread in the
legal-discuss list, here's the markmail link:
http://markmail.org/search/?q=apache%20legal-discuss%20jean%20anderson#query:apache%20legal-discuss%20jean%20anderson+page:1+mid:snluth3ikwpd7ztn+state:results
So UIMA-AS, in its currently planned packaging, will need to be
classified as 5D002 because it distributes ActiveMQ 4.1.1 jars - and
ActiveMQ 4.1.1 is 5D002.
This, in turn, means that anyone else who distributes UIMA-AS inside
their product, will need to have their product classified as 5D002.
This will not affect releases of the core UIMA. In addition, we can
avoid this by changing the release process to not distribute ActiveMQ
(or any other 5D002 component), and instead have some kind of install
process that (a) obtained these components from (say) the maven
repositories, and (b) applied the patches needed (we needed to patch
some things in ActiveMQ to fix bugs we reported).
I think this might be preferable, but perhaps I'm overreacting to the
prospect of tagging UIMA-AS with the 5D002 designation.
Other opinions?
-Marshall
Marshall Schor wrote:
UIMA is currently not classified as 5D002 software
(a classification for software, requiring "notification" due to issues
around crypto).
To keep this status, we have to
a) avoid including any 5D002 software in any distribution we do, and
b) avoid using interfaces for 5D002 components (that we do not
include in our distributions) that are specially designed
to access crypto functionality in these components
The page http://www.apache.org/licenses/exports
lists Apache distributed software that is classified as 5D002
(note: for APR, only APR-Util- "development" version).
ActiveMQ and Derby are on the list.
In the proposed UIMA extension for asynchronous
scaleout, we use, but do not distribute, ActiveMQ 4.1,
which, in turn, includes Derby.
In UIMA-CPP, we use APR, and
we distribute it. I think we don't use APR-Util (Eddie, please
confirm), which is 5D002 software.
If we include in our distribution any component
that is classified as 5D002 then
UIMA becomes 5D002, as well.
Additionally, even if we don't distribute these components,
if our UIMA software uses interfaces for these components
that are specially designed to access crypto functionality in
these components, then UIMA becomes 5D002 and
we need to follow the procedures
outlined in http://www.apache.org/dev/crypto.html.
-Marshall