You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pulsar.apache.org by Joe F <jo...@gmail.com> on 2017/09/22 00:36:28 UTC
Pulsar encryption, Bouncycastle and export license page
Hi Mentors,
As I was going through the license verification for the next release
(1.20) , I happened to see this
http://www.apache.org/licenses/exports/ (which I'm calling the export
license page)
Pulsar 1.20 release introduces encryption (as an optional feature), and it
uses Bouncycastle, and we were planning on including the Bouncy* jars in
the binary.
Many Apache projects using Bouncycastle as listed on the export license
page. Do we need to list it Pulsar on the export license page now? If so,
how do we get it into there?
Or should we just remove the BouncyCastle jars from the distribution and
leave it optional, letting users install it if needed? Users will need
to install it for building Pulsar from source. They wont need it for
running Pulsar, unless they use encryption.
What's the guidance on this?
Cheers,
Joe
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Sahaya Andrews <an...@apache.org>.
Thank you Dave.
Andrews.
On Tue, Sep 26, 2017 at 11:54 AM, Dave Fisher <da...@comcast.net> wrote:
> Hi -
>
> I’ve updated the page http://www.apache.org/licenses/exports/index.html and
> sent the notice to the government.
>
> Regards,
> Dave
>
> On Sep 25, 2017, at 3:40 PM, Sahaya Andrews <an...@apache.org> wrote:
>
> In the bouncy castle website, they refer to their ftp website for
> previous releases. The corresponding ftp location for the version we
> are using would be:
> ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
> ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
>
> Andrews.
>
> On Mon, Sep 25, 2017 at 3:27 PM, Matteo Merli <mm...@apache.org> wrote:
>
> The exact BouncyCastle JAR that is going to be fetched during the build
> would be :
>
> http://repo2.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
>
> And for Pulsar source code, should we just list the git repo at
> https://github.com/apache/incubator-pulsar ?
>
>
>
>
> On Mon, Sep 25, 2017 at 1:32 PM Dave Fisher <da...@comcast.net> wrote:
>
> Hi Joe,
>
> I can help submit the form to the government and make the changes to the
> ECCN page…
>
> To make the update I need to know the hrefs below:
>
> <Product>
> <Name>Apache Pulsar</Name>
> <Version>
> <Names>Versions 1.20 and greater</Names>
> <ECCN>5D002</ECCN>
> <ControlledSource href="https://pulsar trunk">
> <Manufacturer>ASF</Manufacturer>
> <Why>
> Designed for use with the Bouncy Castle enryption libraries.
> </Why>
> </ControlledSource>
> <ControlledSource href="https://path.to.pulsars.bouncy-castle.jar">
> <Manufacturer>Bouncy Castle</Manufacturer>
> <Why>General-purpose encryption library</Why>
> </ControlledSource>
> </Version>
> </Product>
>
> Regards,
> Dave
>
>
> On Sep 21, 2017, at 7:54 PM, Dave Fisher <da...@comcast.net> wrote:
>
> Hi Joe,
>
> This is a good catch. I am traveling this week and can help with the
> filing on Monday unless one of the other mentors can do so tomorrow.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>
> Hi Mentors,
>
> As I was going through the license verification for the next release
> (1.20) , I happened to see this
> http://www.apache.org/licenses/exports/ (which I'm calling the export
> license page)
>
> Pulsar 1.20 release introduces encryption (as an optional feature), and it
> uses Bouncycastle, and we were planning on including the Bouncy* jars in
> the binary.
>
> Many Apache projects using Bouncycastle as listed on the export license
> page. Do we need to list it Pulsar on the export license page now? If so,
> how do we get it into there?
>
> Or should we just remove the BouncyCastle jars from the distribution and
> leave it optional, letting users install it if needed? Users will need
> to install it for building Pulsar from source. They wont need it for
> running Pulsar, unless they use encryption.
>
> What's the guidance on this?
>
> Cheers,
> Joe
>
>
>
> --
>
> Matteo Merli
> <mm...@apache.org>
>
>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Dave Fisher <da...@comcast.net>.
Hi -
I’ve updated the page http://www.apache.org/licenses/exports/index.html <http://www.apache.org/licenses/exports/index.html> and sent the notice to the government.
Regards,
Dave
> On Sep 25, 2017, at 3:40 PM, Sahaya Andrews <an...@apache.org> wrote:
>
> In the bouncy castle website, they refer to their ftp website for
> previous releases. The corresponding ftp location for the version we
> are using would be:
> ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
> ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
>
> Andrews.
>
> On Mon, Sep 25, 2017 at 3:27 PM, Matteo Merli <mm...@apache.org> wrote:
>> The exact BouncyCastle JAR that is going to be fetched during the build
>> would be :
>>
>> http://repo2.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
>>
>> And for Pulsar source code, should we just list the git repo at
>> https://github.com/apache/incubator-pulsar ?
>>
>>
>>
>>
>> On Mon, Sep 25, 2017 at 1:32 PM Dave Fisher <da...@comcast.net> wrote:
>>
>>> Hi Joe,
>>>
>>> I can help submit the form to the government and make the changes to the
>>> ECCN page…
>>>
>>> To make the update I need to know the hrefs below:
>>>
>>> <Product>
>>> <Name>Apache Pulsar</Name>
>>> <Version>
>>> <Names>Versions 1.20 and greater</Names>
>>> <ECCN>5D002</ECCN>
>>> <ControlledSource href="https://pulsar trunk">
>>> <Manufacturer>ASF</Manufacturer>
>>> <Why>
>>> Designed for use with the Bouncy Castle enryption libraries.
>>> </Why>
>>> </ControlledSource>
>>> <ControlledSource href="https://path.to.pulsars.bouncy-castle.jar">
>>> <Manufacturer>Bouncy Castle</Manufacturer>
>>> <Why>General-purpose encryption library</Why>
>>> </ControlledSource>
>>> </Version>
>>> </Product>
>>>
>>> Regards,
>>> Dave
>>>
>>>
>>> On Sep 21, 2017, at 7:54 PM, Dave Fisher <da...@comcast.net> wrote:
>>>
>>> Hi Joe,
>>>
>>> This is a good catch. I am traveling this week and can help with the
>>> filing on Monday unless one of the other mentors can do so tomorrow.
>>>
>>> Regards,
>>> Dave
>>>
>>> Sent from my iPhone
>>>
>>> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>>>
>>> Hi Mentors,
>>>
>>> As I was going through the license verification for the next release
>>> (1.20) , I happened to see this
>>> http://www.apache.org/licenses/exports/ (which I'm calling the export
>>> license page)
>>>
>>> Pulsar 1.20 release introduces encryption (as an optional feature), and it
>>> uses Bouncycastle, and we were planning on including the Bouncy* jars in
>>> the binary.
>>>
>>> Many Apache projects using Bouncycastle as listed on the export license
>>> page. Do we need to list it Pulsar on the export license page now? If so,
>>> how do we get it into there?
>>>
>>> Or should we just remove the BouncyCastle jars from the distribution and
>>> leave it optional, letting users install it if needed? Users will need
>>> to install it for building Pulsar from source. They wont need it for
>>> running Pulsar, unless they use encryption.
>>>
>>> What's the guidance on this?
>>>
>>> Cheers,
>>> Joe
>>>
>>>
>>>
>>> --
>> Matteo Merli
>> <mm...@apache.org>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Sahaya Andrews <an...@apache.org>.
In the bouncy castle website, they refer to their ftp website for
previous releases. The corresponding ftp location for the version we
are using would be:
ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
ftp://ftp.bouncycastle.org/pub/release1.55/bcprov-jdk15on-155.jar
Andrews.
On Mon, Sep 25, 2017 at 3:27 PM, Matteo Merli <mm...@apache.org> wrote:
> The exact BouncyCastle JAR that is going to be fetched during the build
> would be :
>
> http://repo2.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
>
> And for Pulsar source code, should we just list the git repo at
> https://github.com/apache/incubator-pulsar ?
>
>
>
>
> On Mon, Sep 25, 2017 at 1:32 PM Dave Fisher <da...@comcast.net> wrote:
>
>> Hi Joe,
>>
>> I can help submit the form to the government and make the changes to the
>> ECCN page…
>>
>> To make the update I need to know the hrefs below:
>>
>> <Product>
>> <Name>Apache Pulsar</Name>
>> <Version>
>> <Names>Versions 1.20 and greater</Names>
>> <ECCN>5D002</ECCN>
>> <ControlledSource href="https://pulsar trunk">
>> <Manufacturer>ASF</Manufacturer>
>> <Why>
>> Designed for use with the Bouncy Castle enryption libraries.
>> </Why>
>> </ControlledSource>
>> <ControlledSource href="https://path.to.pulsars.bouncy-castle.jar">
>> <Manufacturer>Bouncy Castle</Manufacturer>
>> <Why>General-purpose encryption library</Why>
>> </ControlledSource>
>> </Version>
>> </Product>
>>
>> Regards,
>> Dave
>>
>>
>> On Sep 21, 2017, at 7:54 PM, Dave Fisher <da...@comcast.net> wrote:
>>
>> Hi Joe,
>>
>> This is a good catch. I am traveling this week and can help with the
>> filing on Monday unless one of the other mentors can do so tomorrow.
>>
>> Regards,
>> Dave
>>
>> Sent from my iPhone
>>
>> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>>
>> Hi Mentors,
>>
>> As I was going through the license verification for the next release
>> (1.20) , I happened to see this
>> http://www.apache.org/licenses/exports/ (which I'm calling the export
>> license page)
>>
>> Pulsar 1.20 release introduces encryption (as an optional feature), and it
>> uses Bouncycastle, and we were planning on including the Bouncy* jars in
>> the binary.
>>
>> Many Apache projects using Bouncycastle as listed on the export license
>> page. Do we need to list it Pulsar on the export license page now? If so,
>> how do we get it into there?
>>
>> Or should we just remove the BouncyCastle jars from the distribution and
>> leave it optional, letting users install it if needed? Users will need
>> to install it for building Pulsar from source. They wont need it for
>> running Pulsar, unless they use encryption.
>>
>> What's the guidance on this?
>>
>> Cheers,
>> Joe
>>
>>
>>
>> --
> Matteo Merli
> <mm...@apache.org>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Matteo Merli <mm...@apache.org>.
The exact BouncyCastle JAR that is going to be fetched during the build
would be :
http://repo2.maven.org/maven2/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
And for Pulsar source code, should we just list the git repo at
https://github.com/apache/incubator-pulsar ?
On Mon, Sep 25, 2017 at 1:32 PM Dave Fisher <da...@comcast.net> wrote:
> Hi Joe,
>
> I can help submit the form to the government and make the changes to the
> ECCN page…
>
> To make the update I need to know the hrefs below:
>
> <Product>
> <Name>Apache Pulsar</Name>
> <Version>
> <Names>Versions 1.20 and greater</Names>
> <ECCN>5D002</ECCN>
> <ControlledSource href="https://pulsar trunk">
> <Manufacturer>ASF</Manufacturer>
> <Why>
> Designed for use with the Bouncy Castle enryption libraries.
> </Why>
> </ControlledSource>
> <ControlledSource href="https://path.to.pulsars.bouncy-castle.jar">
> <Manufacturer>Bouncy Castle</Manufacturer>
> <Why>General-purpose encryption library</Why>
> </ControlledSource>
> </Version>
> </Product>
>
> Regards,
> Dave
>
>
> On Sep 21, 2017, at 7:54 PM, Dave Fisher <da...@comcast.net> wrote:
>
> Hi Joe,
>
> This is a good catch. I am traveling this week and can help with the
> filing on Monday unless one of the other mentors can do so tomorrow.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>
> Hi Mentors,
>
> As I was going through the license verification for the next release
> (1.20) , I happened to see this
> http://www.apache.org/licenses/exports/ (which I'm calling the export
> license page)
>
> Pulsar 1.20 release introduces encryption (as an optional feature), and it
> uses Bouncycastle, and we were planning on including the Bouncy* jars in
> the binary.
>
> Many Apache projects using Bouncycastle as listed on the export license
> page. Do we need to list it Pulsar on the export license page now? If so,
> how do we get it into there?
>
> Or should we just remove the BouncyCastle jars from the distribution and
> leave it optional, letting users install it if needed? Users will need
> to install it for building Pulsar from source. They wont need it for
> running Pulsar, unless they use encryption.
>
> What's the guidance on this?
>
> Cheers,
> Joe
>
>
>
> --
Matteo Merli
<mm...@apache.org>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Dave Fisher <da...@comcast.net>.
Hi Joe,
I can help submit the form to the government and make the changes to the ECCN page…
To make the update I need to know the hrefs below:
<Product>
<Name>Apache Pulsar</Name>
<Version>
<Names>Versions 1.20 and greater</Names>
<ECCN>5D002</ECCN>
<ControlledSource href="https://pulsar <https://pulsar/> trunk">
<Manufacturer>ASF</Manufacturer>
<Why>
Designed for use with the Bouncy Castle enryption libraries.
</Why>
</ControlledSource>
<ControlledSource href="https://path.to <https://path.to/>.pulsars.bouncy-castle.jar">
<Manufacturer>Bouncy Castle</Manufacturer>
<Why>General-purpose encryption library</Why>
</ControlledSource>
</Version>
</Product>
Regards,
Dave
> On Sep 21, 2017, at 7:54 PM, Dave Fisher <da...@comcast.net> wrote:
>
> Hi Joe,
>
> This is a good catch. I am traveling this week and can help with the filing on Monday unless one of the other mentors can do so tomorrow.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
>> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>>
>> Hi Mentors,
>>
>> As I was going through the license verification for the next release
>> (1.20) , I happened to see this
>> http://www.apache.org/licenses/exports/ (which I'm calling the export
>> license page)
>>
>> Pulsar 1.20 release introduces encryption (as an optional feature), and it
>> uses Bouncycastle, and we were planning on including the Bouncy* jars in
>> the binary.
>>
>> Many Apache projects using Bouncycastle as listed on the export license
>> page. Do we need to list it Pulsar on the export license page now? If so,
>> how do we get it into there?
>>
>> Or should we just remove the BouncyCastle jars from the distribution and
>> leave it optional, letting users install it if needed? Users will need
>> to install it for building Pulsar from source. They wont need it for
>> running Pulsar, unless they use encryption.
>>
>> What's the guidance on this?
>>
>> Cheers,
>> Joe
>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Dave Fisher <da...@comcast.net>.
Hi Matteo,
> On Sep 25, 2017, at 1:20 PM, Matteo Merli <mm...@apache.org> wrote:
>
> Hi Dave,
>
> thanks for chiming in. I and Joe have been reading along the document for
> handling crypto code at http://www.apache.org/dev/crypto.html
>
> My brief understanding of it is that:
> * We should have started before committing the code (though we didn't know
> about it :( )
No worries we are doing it now.
> * There is a mail that has to be sent to US gov for notification.
I’ll take care of it once we update the exports page.
> * The project needs to be listed in the ASF "exports” page
I can do this too. See my recent email.
>
> * The actions are to be taken from someone in the project PMC and I am
> assuming in this case that would be the Incubator PMC.
Yes. IPMC and I can do it.
> * We shouldn't need to wait from any confirmation from US gov, once the
> notification is sent and the ASF page updated, we should in theory good to
> commit the code (..ahem..) and make a release.
Exactly/
>
> Are my statements correct?
Yes.
Regards,
Dave
> Thank you,
> Matteo
>
> On Thu, Sep 21, 2017 at 7:54 PM Dave Fisher <da...@comcast.net> wrote:
>
>> Hi Joe,
>>
>> This is a good catch. I am traveling this week and can help with the
>> filing on Monday unless one of the other mentors can do so tomorrow.
>>
>> Regards,
>> Dave
>>
>> Sent from my iPhone
>>
>>> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>>>
>>> Hi Mentors,
>>>
>>> As I was going through the license verification for the next release
>>> (1.20) , I happened to see this
>>> http://www.apache.org/licenses/exports/ (which I'm calling the export
>>> license page)
>>>
>>> Pulsar 1.20 release introduces encryption (as an optional feature), and
>> it
>>> uses Bouncycastle, and we were planning on including the Bouncy* jars in
>>> the binary.
>>>
>>> Many Apache projects using Bouncycastle as listed on the export license
>>> page. Do we need to list it Pulsar on the export license page now? If
>> so,
>>> how do we get it into there?
>>>
>>> Or should we just remove the BouncyCastle jars from the distribution and
>>> leave it optional, letting users install it if needed? Users will
>> need
>>> to install it for building Pulsar from source. They wont need it for
>>> running Pulsar, unless they use encryption.
>>>
>>> What's the guidance on this?
>>>
>>> Cheers,
>>> Joe
>>
>> --
> Matteo Merli
> <mm...@apache.org>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Joe Francis <jo...@oath.com.INVALID>.
Dave,
To the best of my knowledge, that seems completely correct.
Joe
On Mon, Sep 25, 2017 at 1:20 PM, Matteo Merli <mm...@apache.org> wrote:
> Hi Dave,
>
> thanks for chiming in. I and Joe have been reading along the document for
> handling crypto code at http://www.apache.org/dev/crypto.html
>
> My brief understanding of it is that:
> * We should have started before committing the code (though we didn't know
> about it :( )
> * There is a mail that has to be sent to US gov for notification.
> * The project needs to be listed in the ASF "exports" page
>
> * The actions are to be taken from someone in the project PMC and I am
> assuming in this case that would be the Incubator PMC.
> * We shouldn't need to wait from any confirmation from US gov, once the
> notification is sent and the ASF page updated, we should in theory good to
> commit the code (..ahem..) and make a release.
>
> Are my statements correct?
>
> Thank you,
> Matteo
>
> On Thu, Sep 21, 2017 at 7:54 PM Dave Fisher <da...@comcast.net> wrote:
>
> > Hi Joe,
> >
> > This is a good catch. I am traveling this week and can help with the
> > filing on Monday unless one of the other mentors can do so tomorrow.
> >
> > Regards,
> > Dave
> >
> > Sent from my iPhone
> >
> > > On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
> > >
> > > Hi Mentors,
> > >
> > > As I was going through the license verification for the next release
> > > (1.20) , I happened to see this
> > > http://www.apache.org/licenses/exports/ (which I'm calling the export
> > > license page)
> > >
> > > Pulsar 1.20 release introduces encryption (as an optional feature), and
> > it
> > > uses Bouncycastle, and we were planning on including the Bouncy* jars
> in
> > > the binary.
> > >
> > > Many Apache projects using Bouncycastle as listed on the export license
> > > page. Do we need to list it Pulsar on the export license page now? If
> > so,
> > > how do we get it into there?
> > >
> > > Or should we just remove the BouncyCastle jars from the distribution
> and
> > > leave it optional, letting users install it if needed? Users will
> > need
> > > to install it for building Pulsar from source. They wont need it for
> > > running Pulsar, unless they use encryption.
> > >
> > > What's the guidance on this?
> > >
> > > Cheers,
> > > Joe
> >
> > --
> Matteo Merli
> <mm...@apache.org>
>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Matteo Merli <mm...@apache.org>.
Hi Dave,
thanks for chiming in. I and Joe have been reading along the document for
handling crypto code at http://www.apache.org/dev/crypto.html
My brief understanding of it is that:
* We should have started before committing the code (though we didn't know
about it :( )
* There is a mail that has to be sent to US gov for notification.
* The project needs to be listed in the ASF "exports" page
* The actions are to be taken from someone in the project PMC and I am
assuming in this case that would be the Incubator PMC.
* We shouldn't need to wait from any confirmation from US gov, once the
notification is sent and the ASF page updated, we should in theory good to
commit the code (..ahem..) and make a release.
Are my statements correct?
Thank you,
Matteo
On Thu, Sep 21, 2017 at 7:54 PM Dave Fisher <da...@comcast.net> wrote:
> Hi Joe,
>
> This is a good catch. I am traveling this week and can help with the
> filing on Monday unless one of the other mentors can do so tomorrow.
>
> Regards,
> Dave
>
> Sent from my iPhone
>
> > On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
> >
> > Hi Mentors,
> >
> > As I was going through the license verification for the next release
> > (1.20) , I happened to see this
> > http://www.apache.org/licenses/exports/ (which I'm calling the export
> > license page)
> >
> > Pulsar 1.20 release introduces encryption (as an optional feature), and
> it
> > uses Bouncycastle, and we were planning on including the Bouncy* jars in
> > the binary.
> >
> > Many Apache projects using Bouncycastle as listed on the export license
> > page. Do we need to list it Pulsar on the export license page now? If
> so,
> > how do we get it into there?
> >
> > Or should we just remove the BouncyCastle jars from the distribution and
> > leave it optional, letting users install it if needed? Users will
> need
> > to install it for building Pulsar from source. They wont need it for
> > running Pulsar, unless they use encryption.
> >
> > What's the guidance on this?
> >
> > Cheers,
> > Joe
>
> --
Matteo Merli
<mm...@apache.org>
Re: Pulsar encryption, Bouncycastle and export license page
Posted by Dave Fisher <da...@comcast.net>.
Hi Joe,
This is a good catch. I am traveling this week and can help with the filing on Monday unless one of the other mentors can do so tomorrow.
Regards,
Dave
Sent from my iPhone
> On Sep 21, 2017, at 8:36 PM, Joe F <jo...@gmail.com> wrote:
>
> Hi Mentors,
>
> As I was going through the license verification for the next release
> (1.20) , I happened to see this
> http://www.apache.org/licenses/exports/ (which I'm calling the export
> license page)
>
> Pulsar 1.20 release introduces encryption (as an optional feature), and it
> uses Bouncycastle, and we were planning on including the Bouncy* jars in
> the binary.
>
> Many Apache projects using Bouncycastle as listed on the export license
> page. Do we need to list it Pulsar on the export license page now? If so,
> how do we get it into there?
>
> Or should we just remove the BouncyCastle jars from the distribution and
> leave it optional, letting users install it if needed? Users will need
> to install it for building Pulsar from source. They wont need it for
> running Pulsar, unless they use encryption.
>
> What's the guidance on this?
>
> Cheers,
> Joe