You are viewing a plain text version of this content. The canonical link for it is here.
Posted to legal-discuss@apache.org by sebb <se...@gmail.com> on 2021/05/19 11:38:16 UTC
Outdated ECCN page
The ECCN Page at https://www.apache.org/licenses/exports/ is very out of date.
There are many references to Incubator projects that have graduated,
and a lot of the links are broken.
Also a few of the references to dependencies don't use the canonical
sources, e.g. some of the references to Bouncy Castle point to copies
in ASF SVN
What needs to be done about this, if anything?
Maybe the table needs a 'last-checked' date for each project.
Sebb.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: Outdated ECCN page
Posted by Dave Fisher <wa...@apache.org>.
Let’s keep in mind that with the new site we are changing data formats from XML to YAML and as a consequence there are two processes that need improvement.
(1) Adding and updating entries.
(2) Creating the bisnotice email.
Please see https://github.com/apache/www-site/tree/main/data/eccn
The new location for the page source is here:
https://github.com/apache/www-site/blob/main/content/licenses/exports/index.ezmd
https://github.com/apache/www-site/blob/main/content/licenses/exports/include/main.md
The eccnmatrix.yaml file is processed into the sequences used on index.ezmd here:
https://github.com/apache/www-site/blob/main/theme/plugins/asfdata.py#L368 (exact line number may change)
A preview branch of www-site can be made and used to work on changes:
https://github.com/apache/www-site/blob/main/docs/branches.md
All ASF Members have write access.
All The Best,
Dave
> On May 19, 2021, at 9:53 AM, Matt Sicker <bo...@gmail.com> wrote:
>
> There may also be confusion around what necessitates addition to this
> list. It almost seems like every project that depends on an HTTP
> server or client library with TLS would need to mention their crypto
> dependencies. I originally thought this only applied to projects that
> exposed crypto APIs or bundled their own encryption algorithms.
>
> On Wed, 19 May 2021 at 11:35, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>>
>> On Wed, May 19, 2021 at 4:38 AM sebb <se...@gmail.com> wrote:
>>>
>>> The ECCN Page at https://www.apache.org/licenses/exports/ is very out of date.
>>>
>>> There are many references to Incubator projects that have graduated,
>>> and a lot of the links are broken.
>>>
>>> Also a few of the references to dependencies don't use the canonical
>>> sources, e.g. some of the references to Bouncy Castle point to copies
>>> in ASF SVN
>>>
>>> What needs to be done about this, if anything?
>>
>> Good question. ASF (unlike lets say LF) relies on PMCs to keep this
>> up-to-date (and frankly add new entries to it). I guess we can start with
>> a friendly reminder to committer@ ? board@ ? suggesting that Chairs
>> go and review it.
>>
>> Outside of that -- I don't think we can do much.
>>
>>> Maybe the table needs a 'last-checked' date for each project.
>>
>> I think we should simplify, not complicate. The golden standard so far
>> seems to be how LF does it:
>> https://www.linuxfoundation.org/en/export/
>>
>> As you can see they are very opaque as to where the source is actually
>> located, but they do list other things like Submission Date.
>>
>> Thanks,
>> Roman.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
>> For additional commands, e-mail: legal-discuss-help@apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: Outdated ECCN page
Posted by Matt Sicker <bo...@gmail.com>.
There may also be confusion around what necessitates addition to this
list. It almost seems like every project that depends on an HTTP
server or client library with TLS would need to mention their crypto
dependencies. I originally thought this only applied to projects that
exposed crypto APIs or bundled their own encryption algorithms.
On Wed, 19 May 2021 at 11:35, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>
> On Wed, May 19, 2021 at 4:38 AM sebb <se...@gmail.com> wrote:
> >
> > The ECCN Page at https://www.apache.org/licenses/exports/ is very out of date.
> >
> > There are many references to Incubator projects that have graduated,
> > and a lot of the links are broken.
> >
> > Also a few of the references to dependencies don't use the canonical
> > sources, e.g. some of the references to Bouncy Castle point to copies
> > in ASF SVN
> >
> > What needs to be done about this, if anything?
>
> Good question. ASF (unlike lets say LF) relies on PMCs to keep this
> up-to-date (and frankly add new entries to it). I guess we can start with
> a friendly reminder to committer@ ? board@ ? suggesting that Chairs
> go and review it.
>
> Outside of that -- I don't think we can do much.
>
> > Maybe the table needs a 'last-checked' date for each project.
>
> I think we should simplify, not complicate. The golden standard so far
> seems to be how LF does it:
> https://www.linuxfoundation.org/en/export/
>
> As you can see they are very opaque as to where the source is actually
> located, but they do list other things like Submission Date.
>
> Thanks,
> Roman.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: Outdated ECCN page
Posted by sebb <se...@gmail.com>.
On Wed, 19 May 2021 at 17:35, Roman Shaposhnik <ro...@shaposhnik.org> wrote:
>
> On Wed, May 19, 2021 at 4:38 AM sebb <se...@gmail.com> wrote:
> >
> > The ECCN Page at https://www.apache.org/licenses/exports/ is very out of date.
> >
> > There are many references to Incubator projects that have graduated,
> > and a lot of the links are broken.
> >
> > Also a few of the references to dependencies don't use the canonical
> > sources, e.g. some of the references to Bouncy Castle point to copies
> > in ASF SVN
> >
> > What needs to be done about this, if anything?
>
> Good question. ASF (unlike lets say LF) relies on PMCs to keep this
> up-to-date (and frankly add new entries to it). I guess we can start with
> a friendly reminder to committer@ ? board@ ? suggesting that Chairs
> go and review it.
pmcs@ and ppmcs@ might be better.
> Outside of that -- I don't think we can do much.
>
> > Maybe the table needs a 'last-checked' date for each project.
>
> I think we should simplify, not complicate.
The date would make it simpler to determine if the entry needs checking or not.
> The golden standard so far
> seems to be how LF does it:
> https://www.linuxfoundation.org/en/export/
>
> As you can see they are very opaque as to where the source is actually
> located, but they do list other things like Submission Date.
Having such date would make it easier to determine whether the info is
likely to be out of date or not.
> Thanks,
> Roman.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
> For additional commands, e-mail: legal-discuss-help@apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org
Re: Outdated ECCN page
Posted by Roman Shaposhnik <ro...@shaposhnik.org>.
On Wed, May 19, 2021 at 4:38 AM sebb <se...@gmail.com> wrote:
>
> The ECCN Page at https://www.apache.org/licenses/exports/ is very out of date.
>
> There are many references to Incubator projects that have graduated,
> and a lot of the links are broken.
>
> Also a few of the references to dependencies don't use the canonical
> sources, e.g. some of the references to Bouncy Castle point to copies
> in ASF SVN
>
> What needs to be done about this, if anything?
Good question. ASF (unlike lets say LF) relies on PMCs to keep this
up-to-date (and frankly add new entries to it). I guess we can start with
a friendly reminder to committer@ ? board@ ? suggesting that Chairs
go and review it.
Outside of that -- I don't think we can do much.
> Maybe the table needs a 'last-checked' date for each project.
I think we should simplify, not complicate. The golden standard so far
seems to be how LF does it:
https://www.linuxfoundation.org/en/export/
As you can see they are very opaque as to where the source is actually
located, but they do list other things like Submission Date.
Thanks,
Roman.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org