Posted to dev@jena.apache.org by "Stian Soiland-Reyes (JIRA)" <ji...@apache.org> on 2016/05/05 15:33:12 UTC

[jira] [Comment Edited] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

    [ https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15272517#comment-15272517 ] 

Stian Soiland-Reyes edited comment on JENA-1169 at 5/5/16 3:33 PM:
-------------------------------------------------------------------

Discussion on LEGAL-250 seems to show that if you bundle an "encryption item", then you must register.

You are however [exempt from registration|https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three] at all if:

{quote}
* (a) The primary function or set of functions is not any of the following:
**     (1) "Information security";
**     (2) A computer, including operating systems, parts and components therefor;
**     (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
**     (4) Networking (includes operation, administration, management and provisioning);
{quote}

Unfortunately Jena falls through this exemption on (3) as Jena has a set of functions that includes sending information (Fuseki) and storing information (TDB store). And although those are not encrypted - that would mean we have to do a registration of the "encryption functionalities" we use (compile against) and "encryption items" we include (distribute). 

In terms of "using any encryption functionality" there would be the use of 'riot' and RDFDataMgr with https URLs (using Java Secure Socket Extension (JSSE)). Bindings to Hadoop are fine - that is not "using encryption functionality".

The biggie is that the binary distributions include HTTPComponents, which is itself an "encryption item".


was (Author: stain):
Discussion on LEGAL-250 seems to show that if you bundle an "encryption item", then you are registered.

You are however [exempt from registration|https://www.bis.doc.gov/index.php/policy-guidance/encryption/identifying-encryption-items#Three] at all if:

{quote}
* (a) The primary function or set of functions is not any of the following:
**     (1) "Information security";
**     (2) A computer, including operating systems, parts and components therefor;
**     (3) Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
**     (4) Networking (includes operation, administration, management and provisioning);
{quote}

Unfortunately Jena falls through this exemption on (3) as Jena has a set of functions that includes sending information (Fuseki) and storing information (TDB store). And although those are not encrypted - that would mean we have to do a registration of the "encryption functionalities" we use (compile against) and "encryption items" we include (distribute). 

In terms of "using any encryption functionality" there would be the use of 'riot' and RDFDataMgr with https URLs (using Java Secure Socket Extension (JSSE)). Bindings to Hadoop are fine - that is not "using encryption functionality".

The biggie is that the binary distributions include HTTPComponents, which is itself an "encryption item".

> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>
> Hi - apologies for finding this..
> I just noticed that
> http://www.apache.org/licenses/exports/
> includes US export classified tools from ASF:
> Apache HttpComponents Core 4.0 and later
> Apache HttpComponents Client 4.0 and later
> Apache Hadoop 17.0 and later
> See also:
> http://www.apache.org/dev/crypto.html#faq-manyproducts
> We redistribute Apache HTTP Components in the Jena and Fuseki binary distributions. We don't distribute Hadoop - we only link to it from Elephas.
> Reading ASF's FAQ it is not clear if we would need to be listed just from having a <dependency> on such a classified item.
> Would we therefore also need to declare Jena as classified? Or is the transitivity broken because Jena only uses the encryption (e.g. access https:// JSON-LD contexts)?
> (This transitivity thing could mean anyone in the US distributing software using Jena would be US Export regulated. I hope I am wrong.. worth checking with LEGAL I think)
> BTW this was discussed in 2011 - but I believe we since removed BouncyCastle dependency:
> http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%3C4E3FF7E8.1060206@epimorphics.com%3E


