Posted to legal-discuss@apache.org by Marshall Schor <ms...@schor.com> on 2008/05/30 22:43:18 UTC

Distributing a build that has a 5D002 classified binary - does that make your distribution need a 5D002 classification (Export control)

Hi -

We're planning a release where we plan to include the jar for Apache 
ActiveMQ 4.1.1.  This is listed on the exports page as having ECCN 5D002.

If we include this jar in our release distribution, does this require us 
to classify our "product" under ECCN 5D002?   We do not use any crypto 
APIs ourselves, in our code (but I realize this may not matter).  I 
think the answer is yes, but wanted to be sure... 

If we wanted to avoid tagging our release with ECCN 5D002, is it correct 
that we would need to do 2 things:
a) not distribute anything tagged as ECCN 5D002, and
b) not use interfaces for 5D002 components (that we do not include in 
our distributions) that are specially designed to access crypto 
functionality in these components

Thanks for verifying :-)

-Marshall

---------------------------------------------------------------------
DISCLAIMER: Discussions on this list are informational and educational
only.  Statements made on this list are not privileged, do not
constitute legal advice, and do not necessarily reflect the opinions
and policies of the ASF.  See <http://www.apache.org/licenses/> for
official ASF policies and documents.
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org


Re: Distributing a build that has a 5D002 classified binary - does that make your distribution need a 5D002 classification (Export control)

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Henri Yandell wrote:
> Did this get answered?

I'm not certain, but ...

> On Fri, May 30, 2008 at 1:43 PM, Marshall Schor <ms...@schor.com> wrote:
>> Hi -
>>
>> We're planning a release where we plan to include the jar for Apache
>> ActiveMQ 4.1.1.  This is listed on the exports page as having ECCN 5D002.
>>
>> If we include this jar in our release distribution, does this require us to
>> classify our "product" under ECCN 5D002?   We do not use any crypto APIs
>> ourselves, in our code (but I realize this may not matter).  I think the
>> answer is yes, but wanted to be sure...

The answer is yes; but if I understand you, your source repository makes no
use of crypto whatsoever, no calls out to an interface that is crypted, so
there is no reason to tag your source tree as a crypto source.

You would point to the ActiveMQ source packages you consume, and to the full
distribution your project ships that includes the ActiveMQ jars.

>> If we wanted to avoid tagging our release with ECCN 5D002, is it correct
>> that we would need to do 2 things:
>> a) not distribute anything tagged as ECCN 5D002, and
>> b) not use interfaces for 5D002 components (that we do not include in our
>> distributions) that are specially designed to access crypto functionality in
>> these components

Sounds right.



Re: Distributing a build that has a 5D002 classified binary - does that make your distribution need a 5D002 classification (Export control)

Posted by Henri Yandell <ba...@apache.org>.
Did this get answered?

On Fri, May 30, 2008 at 1:43 PM, Marshall Schor <ms...@schor.com> wrote:
> Hi -
>
> We're planning a release where we plan to include the jar for Apache
> ActiveMQ 4.1.1.  This is listed on the exports page as having ECCN 5D002.
>
> If we include this jar in our release distribution, does this require us to
> classify our "product" under ECCN 5D002?   We do not use any crypto APIs
> ourselves, in our code (but I realize this may not matter).  I think the
> answer is yes, but wanted to be sure...
> If we wanted to avoid tagging our release with ECCN 5D002, is it correct
> that we would need to do 2 things:
> a) not distribute anything tagged as ECCN 5D002, and
> b) not use interfaces for 5D002 components (that we do not include in our
> distributions) that are specially designed to access crypto functionality in
> these components
>
> Thanks for verifying :-)
>
> -Marshall
>
