On 8/30/12 4:44 PM, "Ate Douma" <[email protected]> wrote: >Hi team, > >I've checked this release candidate and I *think* I can vote +1 on this, >but I'm >not sure about maybe one important thing: if this version might be >embedding >restricted cryptography functionality, or not: > >This version adds Apache Santuario xmlsec-1.5.2.jar for W3C XML Digital >Signatures support. AFAIK Santuario can be used to encrypt XML. Even if >Wookie >doesn't, if it is bundled this release might be considered 'exporting' >cryptography functionality. I'm totally unexperienced in this regard for >what >the rules/restrictions etc. are [1], and/or if something needs to be done >before >dealing with this [2].
IMO, this might be best discussed with legal. The crypto site notes that an update to the language was posted by the US IBS in 2010 but the text of our site hasn't been updated. Better safe than sorry. > >I couldn't find anything concerning this on the Santuario site, so >maybe/probably I'm just making noise, but as the Incubator mentor guide >says >this *must* be checked [3], I'm raising this now. > >If already checked and/or a false alarm then I apologize for the trouble, >and if >this is resolved or can be ignored, I vote +1 for this release candidate. I too am +1 pending legal's sign off on the crypto > >Besides the above, there are two other minor issues: >- The current LICENSE file(s) have encoding errors since the addition of >the >xmldsig-core-schema.xsd section at the end. > >- The xmlsec-1.5.2.jar doesn't come with an embedded NOTICE/LICENSE file >itself >(which should be an issue for Apache Santuario), but the download >distribution >does, and it has a few extra NOTICEs. We thus should also carry these >additions >IMO, but this can be done with next release I think. > >Regards, Ate > >[1] http://www.apache.org/dev/crypto.html >[2] http://www.apache.org/licenses/exports/ >[3] http://incubator.apache.org/guides/mentor.html#crypto-audit > >On 08/22/2012 11:26 PM, Paul Sharples wrote: >> This is the 6th incubator release for Apache Wookie, with the artifacts >>being >> versioned as 0.12.0-incubating. >> >> We are requesting a vote via wookie-dev for the release of the >>artifacts in the >> first instance found here... >> >> http://people.apache.org/builds/incubator/wookie/0.12.0-incubating/ >> >> ...as the final 0.12.0-incubating release. >> >> PGP release keys (signed using DDED352A): >> >> http://www.apache.org/dist/incubator/wookie/KEYS >> >> Additionally there are 3 sets of maven artifacts, which we hope will >>help >> others to integrate WOOKIE into their own applications. These are... >> >> 1. Wookie itself as a downloadable WAR >> 2. The W3C parser >> 3. The Java connector framework >> >> These artifacts are now in the staging area found here... >> >> https://repository.apache.org/content/repositories/orgapachewookie-001/ >> >> Please take the time to verify the artifacts before casting your vote. >> >> Vote will be open at least 72 hours but until we receive most of the >>committers >> votes. >> >> [ ] +1 approve >> [ ] +0 no opinion >> [ ] -1 disapprove (and reason why) >
