Posted to dev@forrest.apache.org by David Crossley <cr...@apache.org> on 2008/03/05 03:24:20 UTC

Re: export classification, ECCN, handling cryptography, etc.

David Crossley wrote:
> David Crossley wrote:
> > David Crossley wrote:
> > > 
> > > ---------------------
> > > Affected code
> > > -------------
> > > I have found our use of "jsch" (see below). Please help
> > > to find what other affected products that we use.
> > 
> > I have spent a lot of time on this. I now gather that
> > it is not just if a product uses cryptographic features.
> > 
> > Rather we need to declare a product that uses or is designed
> > to use cryptography for the purpose of information security.
> > 
> > We have a number of supporting products that use it for
> > authentication. We don't need to declare those.
> >
> > So far I have found:
> > 
> > "jsch" which is used for scp tasks.
> 
> I have added a notice to the "exports" page for Apache Forrest:
> http://www.apache.org/licenses/exports/
> only lists our use of "jsch" at the moment.
> 
> This also still needs mention in our top-level README.txt
> 
> Does someone know where jsch is used in forrest? I know that
> "forrestbot" uses it for the deploy.scp task. Anywhere else?
> 
> > "Apache FOP" which can be used for encryption of PDF output.
> 
> I saw some discussion on another list which leads
> me to think it is not needed.
> 
> > Can forrest use "https" to retrieve remote sources?
> > If so, then what product(s) enables that?
> > 
> > I haven't finished yet. Other eyes are appreciated,
> > perhaps you will find something that I may have missed.
> 
> Added https://issues.apache.org/jira/browse/FOR-1069
> to help manage this task.
> 
> I am waiting on sending the actual BIS notice until
> we know if any more products need to be added.

Hmmm, no-one from the Forrest PMC seems interested.

I have tried to complete the job by myself and hope that
I have done it correctly.

As from this date, if someone contributes code which
utilises a supporting product that handles crypto functions
and we package that product, then we need to add a new notice.

-David