You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by "Allison, Timothy B." <ta...@mitre.org> on 2015/09/09 21:55:47 UTC
update Apache export control matrix and send updated notification?
All,
I recently noticed that our info here [0] is out of date. I think we should update that page to reflect Tika as a top level project. Also, I suspect that when we initially entered our info on that site and sent notification to BIS/NSA (TIKA-118), we were only handling encryption for PDFs. So, I think we should also update the links to include the source repositories for other dependencies that rely on encryption.
From a quick review, my current understanding of the parsers that use encryption in Tika:
a) PDFParser: has own RC4Cipher (for writing...not used by Tika but probably bundled) and relies on Bouncy Castle otherwise
b) POI: can rely on Bouncy Castle but also uses its own encryption algorithms
c) JackcessParser, relies on jackcess-encrypt package which relies on Bouncy Castle
d) PKCs7Parser: relies on Bouncy Castle directly (CMSSignedDataParser)
e) PkgParser: relies on Apache Commons Compress' SevenZFile which uses javax.crypto package
Is the above info correct? Any others?
Given the changes in our code and our dependencies, I figure that we may as well update/resend our notification to BIS/NSA [1].
Does this sound reasonable? I'll open a ticket if so.
Best,
Tim
[0] http://www.apache.org/licenses/exports/
[1] http://www.apache.org/dev/crypto.html#notify