On 31 Aug 2012, at 02:05, Franklin, Matthew B. wrote: > On 8/30/12 4:44 PM, "Ate Douma" <[email protected]> wrote: > >> Hi team, >> >> I've checked this release candidate and I *think* I can vote +1 on this, >> but I'm >> not sure about maybe one important thing: if this version might be >> embedding >> restricted cryptography functionality, or not: >> >> This version adds Apache Santuario xmlsec-1.5.2.jar for W3C XML Digital >> Signatures support. AFAIK Santuario can be used to encrypt XML. Even if >> Wookie >> doesn't, if it is bundled this release might be considered 'exporting' >> cryptography functionality. I'm totally unexperienced in this regard for >> what >> the rules/restrictions etc. are [1], and/or if something needs to be done >> before >> dealing with this [2]. > > IMO, this might be best discussed with legal. The crypto site notes that > an update to the language was posted by the US IBS in 2010 but the text of > our site hasn't been updated. Better safe than sorry.
I've created a new Question ticket in Legal Discuss for this: https://issues.apache.org/jira/browse/LEGAL-148 > >> >> I couldn't find anything concerning this on the Santuario site, so >> maybe/probably I'm just making noise, but as the Incubator mentor guide >> says >> this *must* be checked [3], I'm raising this now. >> >> If already checked and/or a false alarm then I apologize for the trouble, >> and if >> this is resolved or can be ignored, I vote +1 for this release candidate. > > I too am +1 pending legal's sign off on the crypto > > >> >> Besides the above, there are two other minor issues: >> - The current LICENSE file(s) have encoding errors since the addition of >> the >> xmldsig-core-schema.xsd section at the end. >> >> - The xmlsec-1.5.2.jar doesn't come with an embedded NOTICE/LICENSE file >> itself >> (which should be an issue for Apache Santuario), but the download >> distribution >> does, and it has a few extra NOTICEs. We thus should also carry these >> additions >> IMO, but this can be done with next release I think. >> >> Regards, Ate >> >> [1] http://www.apache.org/dev/crypto.html >> [2] http://www.apache.org/licenses/exports/ >> [3] http://incubator.apache.org/guides/mentor.html#crypto-audit >> >> On 08/22/2012 11:26 PM, Paul Sharples wrote: >>> This is the 6th incubator release for Apache Wookie, with the artifacts >>> being >>> versioned as 0.12.0-incubating. >>> >>> We are requesting a vote via wookie-dev for the release of the >>> artifacts in the >>> first instance found here... >>> >>> http://people.apache.org/builds/incubator/wookie/0.12.0-incubating/ >>> >>> ...as the final 0.12.0-incubating release. >>> >>> PGP release keys (signed using DDED352A): >>> >>> http://www.apache.org/dist/incubator/wookie/KEYS >>> >>> Additionally there are 3 sets of maven artifacts, which we hope will >>> help >>> others to integrate WOOKIE into their own applications. These are... >>> >>> 1. Wookie itself as a downloadable WAR >>> 2. The W3C parser >>> 3. The Java connector framework >>> >>> These artifacts are now in the staging area found here... >>> >>> https://repository.apache.org/content/repositories/orgapachewookie-001/ >>> >>> Please take the time to verify the artifacts before casting your vote. >>> >>> Vote will be open at least 72 hours but until we receive most of the >>> committers >>> votes. >>> >>> [ ] +1 approve >>> [ ] +0 no opinion >>> [ ] -1 disapprove (and reason why) >> >
