Posted to dev@hop.apache.org by Matt Casters <ma...@neo4j.com.INVALID> on 2021/01/27 20:27:37 UTC

Password encoders

Dear Hopiverse,

I took the liberty to push out pull request 586
<https://github.com/apache/incubator-hop/pull/586>.  It synchronizes the
password encoding of the metadata with the rest of the Hop platform.
Mistakes of the past are best not repeated...

To test this fairly small change I then wrote an AES two way password
encoder plugin also included in the PR.
I wrote the unit tests I thought were needed and wrote the documentation
<https://github.com/apache/incubator-hop/blob/43a522b8c7a9f7a03d1c941fb99ebd9468f7f89e/plugins/misc/passwords/src/main/doc/aespasswords.adoc>
to go along with it... but I would appreciate an extra couple of eyes to
see if it all works as expected to be on the safe side.

Thanks in advance,

Matt

Re: Password encoders

Posted by Matt Casters <ma...@neo4j.com.INVALID>.
Now that I've seen the list of projects here
<https://www.apache.org/licenses/exports/> I sort of want Hop to be on that
list :-)

In all seriousness I don't think that the AES password encoder is going to
be the issue.  I've set the algorithm to 128 bit since it's a plugin and
people can write their own version with higher encryption.  I knew from my
previous job that lots of bits lead to lots of export restrictions.

That being said, there are other things in the Hop codebase like the PGP
transforms and actions.

I'll go over the possible concerns we have with Hans and put those in
HOP-2469 <https://issues.apache.org/jira/browse/HOP-2469>.

Thanks!
Matt

On Thu, Jan 28, 2021 at 8:02 PM Julian Hyde <jh...@gmail.com> wrote:

> It’s possible that Hop is not using strong encryption and therefore
> doesn’t trigger the policy.
>
> Apologies if this was an unnecessary fire drill. It’s best to be on the
> safe side, given that US federal regulations are involved.
>
> I suggest that some PPMC members (you and Matt?) review the code and the
> policy, and update the JIRA case with what you find. You can use
> legal-discuss@ if you have questions (and we mentors can help too).
>
> Julian


-- 
Neo4j Chief Solutions Architect
*✉   *matt.casters@neo4j.com
☎  +32486972937

Re: Password encoders

Posted by Julian Hyde <jh...@gmail.com>.
It’s possible that Hop is not using strong encryption and therefore doesn’t trigger the policy.

Apologies if this was an unnecessary fire drill. It’s best to be on the safe side, given that US federal regulations are involved. 

I suggest that some PPMC members (you and Matt?) review the code and the policy, and update the JIRA case with what you find. You can use legal-discuss@ if you have questions (and we mentors can help too).

Julian

> On Jan 28, 2021, at 12:55 AM, Hans Van Akelyen <ha...@gmail.com> wrote:
> 
> Hej Julian,
> 
> Thanks for pointing this out, to be on the safe side we will add Hop to the
> list. We have some references to javax.crypto too.
> 
> Cheers,
> Hans

Re: Password encoders

Posted by Hans Van Akelyen <ha...@gmail.com>.
Hej Julian,

Thanks for pointing this out, to be on the safe side we will add Hop to the
list. We have some references to javax.crypto too.

Cheers,
Hans

On Wed, Jan 27, 2021 at 10:13 PM Matt Casters
<ma...@neo4j.com.invalid> wrote:

> Ah I see it refers to the American export restrictions.  Those are indeed
> capped at 512 bits for asymmetric encryption.  The one I've used for the
> plugin is 128 bits.
> I don't think the JVM ships with an algorithm over 512 bits for precisely
> that same reason.

Re: Password encoders

Posted by Matt Casters <ma...@neo4j.com.INVALID>.
Ah I see it refers to the American export restrictions.  Those are indeed
capped at 512 bits for asymmetric encryption.  The one I've used for the
plugin is 128 bits.
I don't think the JVM ships with an algorithm over 512 bits for precisely
that same reason.

On Wed, Jan 27, 2021 at 10:10 PM Matt Casters <ma...@neo4j.com>
wrote:

> Just to clarify: this is not implementing an encryption algorithm.  It's
> merely using one of the standard AES algorithms implemented in the JRE.

Re: Password encoders

Posted by Matt Casters <ma...@neo4j.com.INVALID>.
Just to clarify: this is not implementing an encryption algorithm.  It's
merely using one of the standard AES algorithms implemented in the JRE.

On Wed, Jan 27, 2021 at 9:51 PM Julian Hyde <jh...@gmail.com> wrote:

> I have logged https://issues.apache.org/jira/browse/HOP-2469. Please review. We need
> to know ASAP whether we are out of compliance with ASF encryption policy.
>
> Julian

Re: Password encoders

Posted by Julian Hyde <jh...@gmail.com>.
I have logged https://issues.apache.org/jira/browse/HOP-2469. Please review. We need to know ASAP whether we are out of compliance with ASF encryption policy.

Julian


> On Jan 27, 2021, at 12:38 PM, Julian Hyde <jh...@gmail.com> wrote:
> 
> If an Apache release includes cryptography we need to declare it. See https://infra.apache.org/crypto.html.
> 
> Julian


Re: Password encoders

Posted by Julian Hyde <jh...@gmail.com>.
If an Apache release includes cryptography we need to declare it. See https://infra.apache.org/crypto.html.

Julian




> On Jan 27, 2021, at 12:27 PM, Matt Casters <ma...@neo4j.com.INVALID> wrote:
> 
> Dear Hopiverse,
> 
> I took the liberty to push out pull request 586
> <https://github.com/apache/incubator-hop/pull/586>.  It synchronizes the
> password encoding of the metadata with the rest of the Hop platform.
> Mistakes of the past are best not repeated...
> 
> To test this fairly small change I then wrote an AES two way password
> encoder plugin also included in the PR.
> I wrote the unit tests I thought were needed and wrote the documentation
> <https://github.com/apache/incubator-hop/blob/43a522b8c7a9f7a03d1c941fb99ebd9468f7f89e/plugins/misc/passwords/src/main/doc/aespasswords.adoc>
> to go along with it... but I would appreciate an extra couple of eyes to
> see if it all works as expected to be on the safe side.
> 
> Thanks in advance,
> 
> Matt