On 30 Aug 2012, at 21:44, Ate Douma wrote: > Hi team, > > I've checked this release candidate and I *think* I can vote +1 on this, but > I'm not sure about maybe one important thing: if this version might be > embedding restricted cryptography functionality, or not: > > This version adds Apache Santuario xmlsec-1.5.2.jar for W3C XML Digital > Signatures support. AFAIK Santuario can be used to encrypt XML. Even if > Wookie doesn't, if it is bundled this release might be considered 'exporting' > cryptography functionality. I'm totally unexperienced in this regard for what > the rules/restrictions etc. are [1], and/or if something needs to be done > before dealing with this [2]. > > I couldn't find anything concerning this on the Santuario site, so > maybe/probably I'm just making noise, but as the Incubator mentor guide says > this *must* be checked [3], I'm raising this now. > > If already checked and/or a false alarm then I apologize for the trouble, and > if this is resolved or can be ignored, I vote +1 for this release candidate.
Thanks for picking this up Ate - hopefully its not an issue, but it will be useful to go through the process. (Note that while Apache Santuario XmlSec can be used for crpyto, Wookie only performs signature generation and verification, not encryption.) > Besides the above, there are two other minor issues: > - The current LICENSE file(s) have encoding errors since the addition of the > xmldsig-core-schema.xsd section at the end. > > - The xmlsec-1.5.2.jar doesn't come with an embedded NOTICE/LICENSE file > itself (which should be an issue for Apache Santuario), but the download > distribution does, and it has a few extra NOTICEs. We thus should also carry > these additions IMO, but this can be done with next release I think. > > Regards, Ate > > [1] http://www.apache.org/dev/crypto.html > [2] http://www.apache.org/licenses/exports/ > [3] http://incubator.apache.org/guides/mentor.html#crypto-audit > > On 08/22/2012 11:26 PM, Paul Sharples wrote: >> This is the 6th incubator release for Apache Wookie, with the artifacts being >> versioned as 0.12.0-incubating. >> >> We are requesting a vote via wookie-dev for the release of the artifacts in >> the >> first instance found here... >> >> http://people.apache.org/builds/incubator/wookie/0.12.0-incubating/ >> >> ...as the final 0.12.0-incubating release. >> >> PGP release keys (signed using DDED352A): >> >> http://www.apache.org/dist/incubator/wookie/KEYS >> >> Additionally there are 3 sets of maven artifacts, which we hope will help >> others to integrate WOOKIE into their own applications. These are... >> >> 1. Wookie itself as a downloadable WAR >> 2. The W3C parser >> 3. The Java connector framework >> >> These artifacts are now in the staging area found here... >> >> https://repository.apache.org/content/repositories/orgapachewookie-001/ >> >> Please take the time to verify the artifacts before casting your vote. >> >> Vote will be open at least 72 hours but until we receive most of the >> committers >> votes. >> >> [ ] +1 approve >> [ ] +0 no opinion >> [ ] -1 disapprove (and reason why) >
