Posted to legal-discuss@apache.org by Andreas Neumann <an...@apache.org> on 2014/01/17 02:03:06 UTC

Cryptography audit for Twill

Hi,

I am trying to complete the IP clearance for Twill and I am slightly
confused by the cryptography part of that (
https://issues.apache.org/jira/browse/TWILL-28).

Twill does not explicitly contain cryptographic code, except that:

   - It uses java.util.UUID.randomUUID() to generate random ids. This
   method uses "a cryptographically strong pseudo random number generator."
   Since it is part of Java, I assume that is nothing to worry about.
   - It uses Hadoop, which uses encryption. The only thing Twill does here
   is store delegation tokens on HDFS and read them back.

So is there anything to do for this? Do I need to add Twill to the export
list at http://www.apache.org/licenses/exports/ ? Do we need to include a
crypto notice in our README? It is not clear to me after reading the
document at http://www.apache.org/dev/crypto.html

Thanks for your help
-Andreas.

Re: Cryptography audit for Twill

Posted by Dave Fisher <da...@comcast.net>.
Hi Andreas,
On Jan 20, 2014, at 10:39 AM, Andreas Neumann wrote:

> If anybody reads this, do you have advice for us? 
> Thanks -Andreas. 
> 
> 
> On Thu, Jan 16, 2014 at 5:03 PM, Andreas Neumann <an...@apache.org> wrote:
> Hi, 
> 
> I am trying to complete the IP clearance for Twill and I am slightly confused by the cryptography part of that (https://issues.apache.org/jira/browse/TWILL-28). 
> 
> Twill does not explicitly contain cryptographic code, except that:
> It uses java.util.UUID.randomUUID() to generate random ids. This method uses "a cryptographically strong pseudo random number generator." Since it is part of Java, I assume that is nothing to worry about.
> It uses Hadoop, which uses encryption. The only thing Twill does here is store delegation tokens on HDFS and read them back.
> So is there anything to do for this? Do I need to add Twill to the export list at http://www.apache.org/licenses/exports/ ?

I looked at the page: http://www.apache.org/licenses/exports/ 

It looks like when there is a dependency like this, there is a reference.

E.g. Apache Solr on Apache Tika ...

Apache Solr	development	5D002	ASF
1.4 and later	5D002	ASF, Apache Tika
Apache Tika	development	5D002	ASF
0.2-incubating and later	5D002	ASF, Bouncy Castle, Bouncy Castle

I will note that this file has a number of TLPs listed in the Incubator or as subprojects. There is an update missing.

> Do we need to include a crypto notice in our README? It is not clear to me after reading the document at http://www.apache.org/dev/crypto.html

I looked at Accumulo and they include one in their README.

Regards,
Dave

> 
> Thanks for your help
> -Andreas.

Re: Cryptography audit for Twill

Posted by Andreas Neumann <an...@apache.org>.
If anybody reads this, do you have advice for us?
Thanks -Andreas.


On Thu, Jan 16, 2014 at 5:03 PM, Andreas Neumann <an...@apache.org> wrote:

> Hi,
>
> I am trying to complete the IP clearance for Twill and I am slightly
> confused by the cryptography part of that (
> https://issues.apache.org/jira/browse/TWILL-28).
>
> Twill does not explicitly contain cryptographic code, except that:
>
>    - It uses java.util.UUID.randomUUID() to generate random ids. This
>    method uses "a cryptographically strong pseudo random number generator."
>    Since it is part of Java, I assume that is nothing to worry about.
>    - It uses Hadoop, which uses encryption. The only thing Twill does
>    here is store delegation tokens on HDFS and read them back.
>
> So is there anything to do for this? Do I need to add Twill to the export
> list at http://www.apache.org/licenses/exports/ ? Do we need to include a
> crypto notice in our README? It is not clear to me after reading the
> document at http://www.apache.org/dev/crypto.html
>
> Thanks for your help
> -Andreas.
>
>

Re: Cryptography audit for Twill

Posted by Andrew Purtell <ap...@apache.org>.
When considering adding features based on cryptography for Apache HBase I
posted a query on this mailing list and received an "IANAL" answer, which
was unfortunately unhelpful. We can forgive Twill for taking a maybe overly
conservative position given what we have here is another volunteered
personal opinion. I share that view but my opinion is worthless because I
am neither a lawyer, nor one representing the Foundation. The material on
http://www.apache.org/dev/crypto.html carries this ominous disclaimer:

"Note - the regulations covering US export control laws for encryption were
changed on June 25th 2010. This page describes the previous process. Until
an updated version has been drawn up and approved by the Apache VP Legal
Affairs, projects should check with the legal-discuss list before
proceeding."

It's fair to say at this point the Foundation does not provide effective
guidance for use of cryptographic functions, or even what that means.

On Mon, Jan 20, 2014 at 4:37 PM, Kevan Miller <ke...@gmail.com> wrote:

>
>
> On Thu Jan 16 2014 at 7:59:44 PM, Andreas Neumann <an...@apache.org> wrote:
>
>> Hi,
>>
>> I am trying to complete the IP clearance for Twill and I am slightly
>> confused by the cryptography part of that (
>> https://issues.apache.org/jira/browse/TWILL-28).
>>
>> Twill does not explicitly contain cryptographic code, except that:
>>
>>    - It uses java.util.UUID.randomUUID() to generate random ids. This
>>    method uses "a cryptographically strong pseudo random number generator."
>>    Since it is part of Java, I assume that is nothing to worry about.
>>    - It uses Hadoop, which uses encryption. The only thing Twill does
>>    here is store delegation tokens on HDFS and read them back.
>>
>> So is there anything to do for this? Do I need to add Twill to the export
>> list at http://www.apache.org/licenses/exports/ ? Do we need to include
>> a crypto notice in our README? It is not clear to me after reading the
>> document at http://www.apache.org/dev/crypto.html
>>
>
> How would you evaluate the following statement with regard to TWILL?
>
> PMCs considering including cryptographic functionality within their
> products or specially designing their products to use other software with
> cryptographic functionality should take the following steps *before
> placing such code on any ASF server, including commits to subversion*:
>
> My personal opinion: using java.util.UUID.randomUUID() to generate a
> unique id is not cryptographic functionality. Note: being part of Java or
> not is not necessarily relevant...
>
> I don't have enough context to offer an opinion on 'store delegation
> tokens on HDFS and read them back'. Was TWILL "specially designing their
> products to use other software with cryptographic functionality"? Answer
> that, and I think you have your answer.
>
> --kevan
>
-- 
Best regards,

   - Andy

Problems worthy of attack prove their worth by hitting back. - Piet Hein
(via Tom White)

Cryptography audit for Twill

Posted by Kevan Miller <ke...@gmail.com>.
On Thu Jan 16 2014 at 7:59:44 PM, Andreas Neumann <an...@apache.org> wrote:

> Hi,
>
> I am trying to complete the IP clearance for Twill and I am slightly
> confused by the cryptography part of that (
> https://issues.apache.org/jira/browse/TWILL-28).
>
> Twill does not explicitly contain cryptographic code, except that:
>
>    - It uses java.util.UUID.randomUUID() to generate random ids. This
>    method uses "a cryptographically strong pseudo random number generator."
>    Since it is part of Java, I assume that is nothing to worry about.
>    - It uses Hadoop, which uses encryption. The only thing Twill does
>    here is store delegation tokens on HDFS and read them back.
>
> So is there anything to do for this? Do I need to add Twill to the export
> list at http://www.apache.org/licenses/exports/ ? Do we need to include a
> crypto notice in our README? It is not clear to me after reading the
> document at http://www.apache.org/dev/crypto.html
>

How would you evaluate the following statement with regard to TWILL?

PMCs considering including cryptographic functionality within their
products or specially designing their products to use other software with
cryptographic functionality should take the following steps *before placing
such code on any ASF server, including commits to subversion*:

My personal opinion: using java.util.UUID.randomUUID() to generate a unique
id is not cryptographic functionality. Note: being part of Java or not is
not necessarily relevant...

I don't have enough context to offer an opinion on 'store delegation tokens
on HDFS and read them back'. Was TWILL "specially designing their products to
use other software with cryptographic functionality"? Answer that, and I
think you have your answer.

--kevan