Posted to dev@jena.apache.org by "Stian Soiland-Reyes (JIRA)" <ji...@apache.org> on 2016/05/06 14:30:13 UTC

[jira] [Updated] (JENA-1169) Is Jena US Export classified due to encryption in dependencies?

     [ https://issues.apache.org/jira/browse/JENA-1169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stian Soiland-Reyes updated JENA-1169:
--------------------------------------
    Description: 
Hi - apologies for finding this..


I just noticed on
http://www.apache.org/licenses/exports/   

includes US export classified tools from ASF:

Apache HttpComponents Core 4.0 and later
Apache HttpComponents Client 4.0 and later
Apache Hadoop 17.0 and later

See also:

http://www.apache.org/dev/crypto.html#faq-manyproducts


We redistribute Apache HTTP Components in the Jena and Fuseki binary distributions. We don't distribute Hadoop - we only link to it from Elephas.

Reading ASF's FAQ it is not clear if we would need to be listed just from having a <dependency> on such a classified item.

Would we therefore also need to declare Jena as classified? Or is the transitivity broken because Jena only uses the encryption (e.g. access https:// JSON-LD contexts)?

(This transitivity thing could mean anyone in the US distributing software using Jena would be US Export regulated. I hope I am wrong.. worth checking with LEGAL I think)


BTW this was discussed in 2011 - but I believe we since removed BouncyCastle dependency:

http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%3C4E3FF7E8.1060206@epimorphics.com%3E



## Draft eccnmatrix.xml additions

Add to 

{code}
 <Project id="jena" href="http://jena.apache.org">
  <Name>Apache Jena</Name>
  <Contact><Name>Andy Seaborne</Name></Contact>
  <Product>
    <Name>Apache Jena</Name>
    <Version>
      <Names>development</Names>
      <ECCN>5D002</ECCN>
      <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
        <Manufacturer>ASF</Manufacturer>
        <Why>Use Apache HTTPComponents Client</Why>
      </ControlledSource>
      <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
    </Version>
    <Version>
      <Names>2.7.0-incubating and later</Names>
      <ControlledSource href="http://archive.apache.org/dist/jena/source/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Use Apache HTTPComponents Client</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Include Apache HTTPComponents Client</Why>
      </ControlledSource>
    </Version>
  </Product>
  <Product>
    <Name>Apache Jena Fuseki</Name>
    <Version>
      <Names>development</Names>
      <ECCN>5D002</ECCN>
      <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
        <Manufacturer>ASF</Manufacturer>
        <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
      </ControlledSource>
      <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/shiro/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
      </ControlledSource>
    </Version>
    <Version>
      <Names>0.2.1-incubating and later</Names>
      <ControlledSource href="http://archive.apache.org/dist/jena/source/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, Jetty</Why>
      </ControlledSource>
      <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
      </ControlledSource>
      <ControlledSource href="http://archive.apache.org/dist/shiro/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
      </ControlledSource>
      <ControlledSource href="http://www.apache.org/dist/lucene/solr/">
        <Manufacturer>ASF</Manufacturer>
        <Why>Designed for use with the Apache Tika API in the contrib/extraction libraries</Why>
      </ControlledSource>
      <ControlledSource href="http://eclipse.org/jetty">
        <Manufacturer>The Eclipse Foundation</Manufacturer>
        <Why>SSL library for Jetty</Why>
      </ControlledSource>
    </Version>
  </Product>
</Project>
{code}



  was:
Hi - apologies for finding this..


I just noticed on
http://www.apache.org/licenses/exports/   

includes US export classified tools from ASF:

Apache HttpComponents Core 4.0 and later
Apache HttpComponents Client 4.0 and later
Apache Hadoop 17.0 and later

See also:

http://www.apache.org/dev/crypto.html#faq-manyproducts


We redistribute Apache HTTP Components in the Jena and Fuseki binary distributions. We don't distribute Hadoop - we only link to it from Elephas.

Reading ASF's FAQ it is not clear if we would need to be listed just from having a <dependency> on such a classified item.

Would we therefore also need to declare Jena as classified? Or is the transitivity broken because Jena only uses the encryption (e.g. access https:// JSON-LD contexts)?

(This transitivity thing could mean anyone in the US distributing software using Jena would be US Export regulated. I hope I am wrong.. worth checking with LEGAL I think)


BTW this was discussed in 2011 - but I believe we since removed BouncyCastle dependency:

http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%3C4E3FF7E8.1060206@epimorphics.com%3E




> Is Jena US Export classified due to encryption in dependencies?
> ---------------------------------------------------------------
>
>                 Key: JENA-1169
>                 URL: https://issues.apache.org/jira/browse/JENA-1169
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Build
>            Reporter: Stian Soiland-Reyes
>


