On 31/08/2012 10:24, Scott Wilson wrote:
On 31 Aug 2012, at 02:05, Franklin, Matthew B. wrote:
On 8/30/12 4:44 PM, "Ate Douma" <[email protected]> wrote:
Hi team,
I've checked this release candidate and I *think* I can vote +1 on this,
but I'm
not sure about maybe one important thing: if this version might be
embedding
restricted cryptography functionality, or not:
This version adds Apache Santuario xmlsec-1.5.2.jar for W3C XML Digital
Signatures support. AFAIK Santuario can be used to encrypt XML. Even if
Wookie
doesn't, if it is bundled this release might be considered 'exporting'
cryptography functionality. I'm totally unexperienced in this regard for
what
the rules/restrictions etc. are [1], and/or if something needs to be done
before
dealing with this [2].
IMO, this might be best discussed with legal. The crypto site notes that
an update to the language was posted by the US IBS in 2010 but the text of
our site hasn't been updated. Better safe than sorry.
I've created a new Question ticket in Legal Discuss for this:
https://issues.apache.org/jira/browse/LEGAL-148
Its now been six weeks without an answer from legal and it looks as
though we will never get one.
How do we we proceed?
Apologies to all for not picking this up sooner, but I have been swamped
this last month.
Paul
I couldn't find anything concerning this on the Santuario site, so
maybe/probably I'm just making noise, but as the Incubator mentor guide
says
this *must* be checked [3], I'm raising this now.
If already checked and/or a false alarm then I apologize for the trouble,
and if
this is resolved or can be ignored, I vote +1 for this release candidate.
I too am +1 pending legal's sign off on the crypto
Besides the above, there are two other minor issues:
- The current LICENSE file(s) have encoding errors since the addition of
the
xmldsig-core-schema.xsd section at the end.
- The xmlsec-1.5.2.jar doesn't come with an embedded NOTICE/LICENSE file
itself
(which should be an issue for Apache Santuario), but the download
distribution
does, and it has a few extra NOTICEs. We thus should also carry these
additions
IMO, but this can be done with next release I think.
Regards, Ate
[1] http://www.apache.org/dev/crypto.html
[2] http://www.apache.org/licenses/exports/
[3] http://incubator.apache.org/guides/mentor.html#crypto-audit
On 08/22/2012 11:26 PM, Paul Sharples wrote:
This is the 6th incubator release for Apache Wookie, with the artifacts
being
versioned as 0.12.0-incubating.
We are requesting a vote via wookie-dev for the release of the
artifacts in the
first instance found here...
http://people.apache.org/builds/incubator/wookie/0.12.0-incubating/
...as the final 0.12.0-incubating release.
PGP release keys (signed using DDED352A):
http://www.apache.org/dist/incubator/wookie/KEYS
Additionally there are 3 sets of maven artifacts, which we hope will
help
others to integrate WOOKIE into their own applications. These are...
1. Wookie itself as a downloadable WAR
2. The W3C parser
3. The Java connector framework
These artifacts are now in the staging area found here...
https://repository.apache.org/content/repositories/orgapachewookie-001/
Please take the time to verify the artifacts before casting your vote.
Vote will be open at least 72 hours but until we receive most of the
committers
votes.
[ ] +1 approve
[ ] +0 no opinion
[ ] -1 disapprove (and reason why)
-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2012.0.2197 / Virus Database: 2437/5227 - Release Date: 08/27/12
Internal Virus Database is out of date.
