You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@airavata.apache.org by Chathura Herath <ch...@cs.indiana.edu> on 2011/12/30 00:10:32 UTC
layout-1.0.4.jar under LGPL and why is it there
Hi Suresh,
I am vetting all the jar files an i see that layout-1.0.4.jar is under
LGPL which is NOT Apache compatible. I see no reason why that jar
should be there, the source compiled without the layout-1.0.4.jar so i
am guessing it was put there by a mistake.
I ve created a blocker for release and will fix this.
AIRAVATA-256
On Wed, Dec 28, 2011 at 1:49 AM, Suresh Marru <sm...@cs.indiana.edu> wrote:
> Hi Chathura,
>
> I am sorry I am slacking on release more than I expected. I followed the export control procedures, and tracked progress on - https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but my opinion is we are done with required steps for Airavata as per - http://www.apache.org/dev/crypto.html and added the dependencies to - http://www.apache.org/licenses/exports/
>
> Suresh
>
> On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote:
>
>> Hi,
>>
>> I am with the Apache Airavata incubator project and i am going through
>> the release checklist and I want some advice on the export control
>> issues related to some security jars.
>>
>> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution.
>>
>> 1) Will US export control w.r.t. cryptographic algorithms will
>> prevent us from shipping criptix jar. I ve pasted the license
>> agreement in [4].
>> 2) Java jce jar download page explicitly mentions download will be
>> for US and Canada only[4]. Does this mean we will not be able to
>> package it but rather ask the use to manually provide the jar
>> location.
>> 3) If we could simply package them as is, Will there be a special
>> download disclaimer that we need to add. In that case should we avoid
>> mirrors?
>>
>> I researched usage of these jar in the history and i came across
>> (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E);
>> though it was not clear whether the focus on export license was
>> resoled explicitly.
>>
>> Although with some work we may be able to continue the release without
>> these jars in the first release, going forward we will have these jar
>> dependencies to interact with Grid Security Infrastructure. Any
>> insight/advice/suggestion is greatly appreciated.
>>
>> Thanks and Happy holidays.
>>
>> --
>> Chathura Herath Ph.D.
>> https://www.cs.indiana.edu/~cherath/
>> http://chathurah.blogspot.com/
>>
>>
>>
>>
>>
>>
>> [1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
>> [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/
>>
>> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation
>>
>> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
>> the United States or Canada, you will not be able to download this
>> software.
>>
>> [4]Cryptix General License
>>
>> Copyright (c) 1995-2005 The Cryptix Foundation Limited.
>> All rights reserved.
>>
>> Redistribution and use in source and binary forms, with or without
>> modification, are permitted provided that the following conditions are
>> met:
>>
>> 1. Redistributions of source code must retain the copyright notice,
>> this list of conditions and the following disclaimer.
>> 2. Redistributions in binary form must reproduce the above copyright
>> notice, this list of conditions and the following disclaimer in
>> the documentation and/or other materials provided with the
>> distribution.
>>
>> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
>> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
>> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
>> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
>> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
>> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
>> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
>> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
>> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
>> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIcBAEBAgAGBQJO+rvoAAoJEHmz9P1hfdutOBQP/3isr0SvbyX80xWS10zG+RUx
> y8BNMiShGEkJHxdzLNw4ik5QSKshP3symXiPZz1yga1nn428vr+glRsBimd/uXq6
> 3LgcvixlSODFBCc1degB8YqMTKQUCbWkf2mlSfQeC1apWMi/coUljBuYsGR6gOlj
> o1O6aSdGiieVbqxAgYKrPBU2wRZiIkxthABV/gTZENysYrVu62jWnBBsFpWsINh2
> +WaGKc9IofEBucp60ENKrtXtBHzX9akytCC+x8VsyoLXMEILq2EA1jvqf5xEh52m
> /pYM2qXkAJDuvIqYaJ0QNMjlWb5PmI4saWj7dBkqgWgjw18sO0Y8Rbn9YFh+Y9C3
> MNia6cf4q+Xac5DwjorLtjrybOaS8mOAi7+lqAnM5L/kgw0bi+/9Gup8jDe6W78W
> 48FFR6M4d2mRtzhxu+lauuZk50tgDz2nyqkZcTUOpPjzJKK78612MMDXFRW9BKos
> a/eYKVGwfTN1Odq8HV3gQL6tSTNrnVQ40cvumn0iXYJ89evB8KNfGVFSZTxpTa+x
> EMscbrSMvWU7Ai2eyv0fap/bQpUR7uRiwN23+G0HVvSJPaQdsCPNOZ4yxZEAjrkt
> 580dzKvGbsRsqlAX2/bL4OJSdiy/ATBTsWkGGnqGRnzNpW7eHrmMuHAb8O7LXwCI
> 5uM4Ag2ljVxe6NlVXSB+
> =yREp
> -----END PGP SIGNATURE-----
>
--
Chathura Herath
http://people.apache.org/~chathura/
http://chathurah.blogspot.com/
Re: layout-1.0.4.jar under LGPL and why is it there
Posted by Suresh Marru <sm...@cs.indiana.edu>.
Hi Chathura,
Glad you found this. It would have been a real blunder to let this jar in. Since this is a legacy dependency, the removal is the right way, if we really need it, then we should look for compatible license alternatives. I am going through all the threads and march on the release now.
Suresh
On Dec 30, 2011, at 4:40 AM, Chathura Herath wrote:
> Hi Suresh,
>
> I am vetting all the jar files an i see that layout-1.0.4.jar is under
> LGPL which is NOT Apache compatible. I see no reason why that jar
> should be there, the source compiled without the layout-1.0.4.jar so i
> am guessing it was put there by a mistake.
>
> I ve created a blocker for release and will fix this.
>
> AIRAVATA-256
>
> On Wed, Dec 28, 2011 at 1:49 AM, Suresh Marru <sm...@cs.indiana.edu> wrote:
>> Hi Chathura,
>>
>> I am sorry I am slacking on release more than I expected. I followed the export control procedures, and tracked progress on - https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but my opinion is we are done with required steps for Airavata as per - http://www.apache.org/dev/crypto.html and added the dependencies to - http://www.apache.org/licenses/exports/
>>
>> Suresh
>>
>> On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote:
>>
>>> Hi,
>>>
>>> I am with the Apache Airavata incubator project and i am going through
>>> the release checklist and I want some advice on the export control
>>> issues related to some security jars.
>>>
>>> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution.
>>>
>>> 1) Will US export control w.r.t. cryptographic algorithms will
>>> prevent us from shipping criptix jar. I ve pasted the license
>>> agreement in [4].
>>> 2) Java jce jar download page explicitly mentions download will be
>>> for US and Canada only[4]. Does this mean we will not be able to
>>> package it but rather ask the use to manually provide the jar
>>> location.
>>> 3) If we could simply package them as is, Will there be a special
>>> download disclaimer that we need to add. In that case should we avoid
>>> mirrors?
>>>
>>> I researched usage of these jar in the history and i came across
>>> (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E);
>>> though it was not clear whether the focus on export license was
>>> resoled explicitly.
>>>
>>> Although with some work we may be able to continue the release without
>>> these jars in the first release, going forward we will have these jar
>>> dependencies to interact with Grid Security Infrastructure. Any
>>> insight/advice/suggestion is greatly appreciated.
>>>
>>> Thanks and Happy holidays.
>>>
>>> --
>>> Chathura Herath Ph.D.
>>> https://www.cs.indiana.edu/~cherath/
>>> http://chathurah.blogspot.com/
>>>
>>>
>>>
>>>
>>>
>>>
>>> [1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
>>> [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/
>>>
>>> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation
>>>
>>> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
>>> the United States or Canada, you will not be able to download this
>>> software.
>>>
>>> [4]Cryptix General License
>>>
>>> Copyright (c) 1995-2005 The Cryptix Foundation Limited.
>>> All rights reserved.
>>>
>>> Redistribution and use in source and binary forms, with or without
>>> modification, are permitted provided that the following conditions are
>>> met:
>>>
>>> 1. Redistributions of source code must retain the copyright notice,
>>> this list of conditions and the following disclaimer.
>>> 2. Redistributions in binary form must reproduce the above copyright
>>> notice, this list of conditions and the following disclaimer in
>>> the documentation and/or other materials provided with the
>>> distribution.
>>>
>>> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
>>> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
>>> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
>>> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>>> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
>>> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
>>> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
>>> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
>>> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
>>> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
>>> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIcBAEBAgAGBQJO+rvoAAoJEHmz9P1hfdutOBQP/3isr0SvbyX80xWS10zG+RUx
>> y8BNMiShGEkJHxdzLNw4ik5QSKshP3symXiPZz1yga1nn428vr+glRsBimd/uXq6
>> 3LgcvixlSODFBCc1degB8YqMTKQUCbWkf2mlSfQeC1apWMi/coUljBuYsGR6gOlj
>> o1O6aSdGiieVbqxAgYKrPBU2wRZiIkxthABV/gTZENysYrVu62jWnBBsFpWsINh2
>> +WaGKc9IofEBucp60ENKrtXtBHzX9akytCC+x8VsyoLXMEILq2EA1jvqf5xEh52m
>> /pYM2qXkAJDuvIqYaJ0QNMjlWb5PmI4saWj7dBkqgWgjw18sO0Y8Rbn9YFh+Y9C3
>> MNia6cf4q+Xac5DwjorLtjrybOaS8mOAi7+lqAnM5L/kgw0bi+/9Gup8jDe6W78W
>> 48FFR6M4d2mRtzhxu+lauuZk50tgDz2nyqkZcTUOpPjzJKK78612MMDXFRW9BKos
>> a/eYKVGwfTN1Odq8HV3gQL6tSTNrnVQ40cvumn0iXYJ89evB8KNfGVFSZTxpTa+x
>> EMscbrSMvWU7Ai2eyv0fap/bQpUR7uRiwN23+G0HVvSJPaQdsCPNOZ4yxZEAjrkt
>> 580dzKvGbsRsqlAX2/bL4OJSdiy/ATBTsWkGGnqGRnzNpW7eHrmMuHAb8O7LXwCI
>> 5uM4Ag2ljVxe6NlVXSB+
>> =yREp
>> -----END PGP SIGNATURE-----
>>
>
>
>
> --
> Chathura Herath
> http://people.apache.org/~chathura/
> http://chathurah.blogspot.com/
Re: layout-1.0.4.jar under LGPL and why is it there
Posted by Saminda Wijeratne <sa...@gmail.com>.
It seems the layout-1.0.4.jar is no longer required. I removed it as a
dependency from the branch+trunk build.
Saminda
On Thu, Dec 29, 2011 at 3:28 PM, Chathura Herath <ch...@cs.indiana.edu>wrote:
> Suresh,
>
> Another issue to resolve is jsr173 jar which is under BEA liscense
>
> Previous discussions suggest that BEA jsr is NOT Apache compatible [1]
>
> Geronimo uses jst173 api jars from woodsotx which is Apache
> compatible. And i suggest we move to that. IMO this is also a blocker
> and we will fix this.
>
> I ve created AIRAVATA-257 for this.
>
>
>
>
>
> [1]
> http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200604.mbox/%3C9186D1D624F88F469BE0CC4F2DDB970B774C4C@repbex02.amer.bea.com%3E
>
> [2]
> http://mail-archives.apache.org/mod_mbox/poi-dev/200902.mbox/%3C510143ac0902230201t4e6b41b2ufff7971101698ce5@mail.gmail.com%3E
>
>
> On Thu, Dec 29, 2011 at 6:10 PM, Chathura Herath <ch...@cs.indiana.edu>
> wrote:
> > Hi Suresh,
> >
> > I am vetting all the jar files an i see that layout-1.0.4.jar is under
> > LGPL which is NOT Apache compatible. I see no reason why that jar
> > should be there, the source compiled without the layout-1.0.4.jar so i
> > am guessing it was put there by a mistake.
> >
> > I ve created a blocker for release and will fix this.
> >
> > AIRAVATA-256
> >
> > On Wed, Dec 28, 2011 at 1:49 AM, Suresh Marru <sm...@cs.indiana.edu>
> wrote:
> >> Hi Chathura,
> >>
> >> I am sorry I am slacking on release more than I expected. I followed
> the export control procedures, and tracked progress on -
> https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check,
> but my opinion is we are done with required steps for Airavata as per -
> http://www.apache.org/dev/crypto.html and added the dependencies to -
> http://www.apache.org/licenses/exports/
> >>
> >> Suresh
> >>
> >> On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote:
> >>
> >>> Hi,
> >>>
> >>> I am with the Apache Airavata incubator project and i am going through
> >>> the release checklist and I want some advice on the export control
> >>> issues related to some security jars.
> >>>
> >>> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the
> distribution.
> >>>
> >>> 1) Will US export control w.r.t. cryptographic algorithms will
> >>> prevent us from shipping criptix jar. I ve pasted the license
> >>> agreement in [4].
> >>> 2) Java jce jar download page explicitly mentions download will be
> >>> for US and Canada only[4]. Does this mean we will not be able to
> >>> package it but rather ask the use to manually provide the jar
> >>> location.
> >>> 3) If we could simply package them as is, Will there be a special
> >>> download disclaimer that we need to add. In that case should we avoid
> >>> mirrors?
> >>>
> >>> I researched usage of these jar in the history and i came across
> >>> (
> http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E
> );
> >>> though it was not clear whether the focus on export license was
> >>> resoled explicitly.
> >>>
> >>> Although with some work we may be able to continue the release without
> >>> these jars in the first release, going forward we will have these jar
> >>> dependencies to interact with Grid Security Infrastructure. Any
> >>> insight/advice/suggestion is greatly appreciated.
> >>>
> >>> Thanks and Happy holidays.
> >>>
> >>> --
> >>> Chathura Herath Ph.D.
> >>> https://www.cs.indiana.edu/~cherath/
> >>> http://chathurah.blogspot.com/
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> [1]
> http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
> >>> [2]http://sourceforge.net/projects/cryptix-asn1/,
> http://www.cryptix.org/
> >>>
> >>> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation
> >>>
> >>> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
> >>> the United States or Canada, you will not be able to download this
> >>> software.
> >>>
> >>> [4]Cryptix General License
> >>>
> >>> Copyright (c) 1995-2005 The Cryptix Foundation Limited.
> >>> All rights reserved.
> >>>
> >>> Redistribution and use in source and binary forms, with or without
> >>> modification, are permitted provided that the following conditions are
> >>> met:
> >>>
> >>> 1. Redistributions of source code must retain the copyright notice,
> >>> this list of conditions and the following disclaimer.
> >>> 2. Redistributions in binary form must reproduce the above copyright
> >>> notice, this list of conditions and the following disclaimer in
> >>> the documentation and/or other materials provided with the
> >>> distribution.
> >>>
> >>> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
> >>> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
> >>> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
> >>> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> >>> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
> >>> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> >>> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> >>> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
> >>> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
> >>> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
> >>> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
> >>> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> >>
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >>
> >> iQIcBAEBAgAGBQJO+rvoAAoJEHmz9P1hfdutOBQP/3isr0SvbyX80xWS10zG+RUx
> >> y8BNMiShGEkJHxdzLNw4ik5QSKshP3symXiPZz1yga1nn428vr+glRsBimd/uXq6
> >> 3LgcvixlSODFBCc1degB8YqMTKQUCbWkf2mlSfQeC1apWMi/coUljBuYsGR6gOlj
> >> o1O6aSdGiieVbqxAgYKrPBU2wRZiIkxthABV/gTZENysYrVu62jWnBBsFpWsINh2
> >> +WaGKc9IofEBucp60ENKrtXtBHzX9akytCC+x8VsyoLXMEILq2EA1jvqf5xEh52m
> >> /pYM2qXkAJDuvIqYaJ0QNMjlWb5PmI4saWj7dBkqgWgjw18sO0Y8Rbn9YFh+Y9C3
> >> MNia6cf4q+Xac5DwjorLtjrybOaS8mOAi7+lqAnM5L/kgw0bi+/9Gup8jDe6W78W
> >> 48FFR6M4d2mRtzhxu+lauuZk50tgDz2nyqkZcTUOpPjzJKK78612MMDXFRW9BKos
> >> a/eYKVGwfTN1Odq8HV3gQL6tSTNrnVQ40cvumn0iXYJ89evB8KNfGVFSZTxpTa+x
> >> EMscbrSMvWU7Ai2eyv0fap/bQpUR7uRiwN23+G0HVvSJPaQdsCPNOZ4yxZEAjrkt
> >> 580dzKvGbsRsqlAX2/bL4OJSdiy/ATBTsWkGGnqGRnzNpW7eHrmMuHAb8O7LXwCI
> >> 5uM4Ag2ljVxe6NlVXSB+
> >> =yREp
> >> -----END PGP SIGNATURE-----
> >>
> >
> >
> >
> > --
> > Chathura Herath
> > http://people.apache.org/~chathura/
> > http://chathurah.blogspot.com/
>
>
>
> --
> Chathura Herath
> http://people.apache.org/~chathura/
> http://chathurah.blogspot.com/
>
Re: layout-1.0.4.jar under LGPL and why is it there
Posted by Chathura Herath <ch...@cs.indiana.edu>.
Suresh,
Another issue to resolve is jsr173 jar which is under BEA liscense
Previous discussions suggest that BEA jsr is NOT Apache compatible [1]
Geronimo uses jst173 api jars from woodsotx which is Apache
compatible. And i suggest we move to that. IMO this is also a blocker
and we will fix this.
I ve created AIRAVATA-257 for this.
[1]http://mail-archives.apache.org/mod_mbox/www-legal-discuss/200604.mbox/%3C9186D1D624F88F469BE0CC4F2DDB970B774C4C@repbex02.amer.bea.com%3E
[2] http://mail-archives.apache.org/mod_mbox/poi-dev/200902.mbox/%3C510143ac0902230201t4e6b41b2ufff7971101698ce5@mail.gmail.com%3E
On Thu, Dec 29, 2011 at 6:10 PM, Chathura Herath <ch...@cs.indiana.edu> wrote:
> Hi Suresh,
>
> I am vetting all the jar files an i see that layout-1.0.4.jar is under
> LGPL which is NOT Apache compatible. I see no reason why that jar
> should be there, the source compiled without the layout-1.0.4.jar so i
> am guessing it was put there by a mistake.
>
> I ve created a blocker for release and will fix this.
>
> AIRAVATA-256
>
> On Wed, Dec 28, 2011 at 1:49 AM, Suresh Marru <sm...@cs.indiana.edu> wrote:
>> Hi Chathura,
>>
>> I am sorry I am slacking on release more than I expected. I followed the export control procedures, and tracked progress on - https://issues.apache.org/jira/browse/AIRAVATA-7. Good to double check, but my opinion is we are done with required steps for Airavata as per - http://www.apache.org/dev/crypto.html and added the dependencies to - http://www.apache.org/licenses/exports/
>>
>> Suresh
>>
>> On Dec 28, 2011, at 9:24 AM, Chathura Herath wrote:
>>
>>> Hi,
>>>
>>> I am with the Apache Airavata incubator project and i am going through
>>> the release checklist and I want some advice on the export control
>>> issues related to some security jars.
>>>
>>> We have jce-jdk.jar[1] and criptix.jar[2] as dependencies in the distribution.
>>>
>>> 1) Will US export control w.r.t. cryptographic algorithms will
>>> prevent us from shipping criptix jar. I ve pasted the license
>>> agreement in [4].
>>> 2) Java jce jar download page explicitly mentions download will be
>>> for US and Canada only[4]. Does this mean we will not be able to
>>> package it but rather ask the use to manually provide the jar
>>> location.
>>> 3) If we could simply package them as is, Will there be a special
>>> download disclaimer that we need to add. In that case should we avoid
>>> mirrors?
>>>
>>> I researched usage of these jar in the history and i came across
>>> (http://mail-archives.apache.org/mod_mbox/turbine-dev/200201.mbox/%3Ca1bmh5$21t$1@forge.intermeta.de%3E);
>>> though it was not clear whether the focus on export license was
>>> resoled explicitly.
>>>
>>> Although with some work we may be able to continue the release without
>>> these jars in the first release, going forward we will have these jar
>>> dependencies to interact with Grid Security Infrastructure. Any
>>> insight/advice/suggestion is greatly appreciated.
>>>
>>> Thanks and Happy holidays.
>>>
>>> --
>>> Chathura Herath Ph.D.
>>> https://www.cs.indiana.edu/~cherath/
>>> http://chathurah.blogspot.com/
>>>
>>>
>>>
>>>
>>>
>>>
>>> [1] http://docs.oracle.com/javase/1.5.0/docs/guide/security/jce/JCERefGuide.html
>>> [2]http://sourceforge.net/projects/cryptix-asn1/, http://www.cryptix.org/
>>>
>>> [3]JCE 1.2.2 Software, Jurisdiction Policy files, and Documentation
>>>
>>> RESTRICTED TO THE UNITED STATES AND CANADA. If you do not reside in
>>> the United States or Canada, you will not be able to download this
>>> software.
>>>
>>> [4]Cryptix General License
>>>
>>> Copyright (c) 1995-2005 The Cryptix Foundation Limited.
>>> All rights reserved.
>>>
>>> Redistribution and use in source and binary forms, with or without
>>> modification, are permitted provided that the following conditions are
>>> met:
>>>
>>> 1. Redistributions of source code must retain the copyright notice,
>>> this list of conditions and the following disclaimer.
>>> 2. Redistributions in binary form must reproduce the above copyright
>>> notice, this list of conditions and the following disclaimer in
>>> the documentation and/or other materials provided with the
>>> distribution.
>>>
>>> THIS SOFTWARE IS PROVIDED BY THE CRYPTIX FOUNDATION LIMITED AND
>>> CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
>>> INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
>>> MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>>> IN NO EVENT SHALL THE CRYPTIX FOUNDATION LIMITED OR CONTRIBUTORS BE
>>> LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
>>> CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
>>> SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
>>> BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
>>> WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
>>> OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
>>> IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>>
>>
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIcBAEBAgAGBQJO+rvoAAoJEHmz9P1hfdutOBQP/3isr0SvbyX80xWS10zG+RUx
>> y8BNMiShGEkJHxdzLNw4ik5QSKshP3symXiPZz1yga1nn428vr+glRsBimd/uXq6
>> 3LgcvixlSODFBCc1degB8YqMTKQUCbWkf2mlSfQeC1apWMi/coUljBuYsGR6gOlj
>> o1O6aSdGiieVbqxAgYKrPBU2wRZiIkxthABV/gTZENysYrVu62jWnBBsFpWsINh2
>> +WaGKc9IofEBucp60ENKrtXtBHzX9akytCC+x8VsyoLXMEILq2EA1jvqf5xEh52m
>> /pYM2qXkAJDuvIqYaJ0QNMjlWb5PmI4saWj7dBkqgWgjw18sO0Y8Rbn9YFh+Y9C3
>> MNia6cf4q+Xac5DwjorLtjrybOaS8mOAi7+lqAnM5L/kgw0bi+/9Gup8jDe6W78W
>> 48FFR6M4d2mRtzhxu+lauuZk50tgDz2nyqkZcTUOpPjzJKK78612MMDXFRW9BKos
>> a/eYKVGwfTN1Odq8HV3gQL6tSTNrnVQ40cvumn0iXYJ89evB8KNfGVFSZTxpTa+x
>> EMscbrSMvWU7Ai2eyv0fap/bQpUR7uRiwN23+G0HVvSJPaQdsCPNOZ4yxZEAjrkt
>> 580dzKvGbsRsqlAX2/bL4OJSdiy/ATBTsWkGGnqGRnzNpW7eHrmMuHAb8O7LXwCI
>> 5uM4Ag2ljVxe6NlVXSB+
>> =yREp
>> -----END PGP SIGNATURE-----
>>
>
>
>
> --
> Chathura Herath
> http://people.apache.org/~chathura/
> http://chathurah.blogspot.com/
--
Chathura Herath
http://people.apache.org/~chathura/
http://chathurah.blogspot.com/