You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@streampipes.apache.org by Dominik Riemer <ri...@apache.org> on 2021/10/05 15:21:22 UTC
ECCN notice question
Hi all,
this is probably a question to our mentors:
Users in StreamPipes are able to configure data sinks (e.g., a sink that
stores data in a MySQL database). In the configuration, users can (for
example) enter a database password.
I'm currently working on an improved authentication/authorization system for
StreamPipes and as part of this, such passwords should be stored in our
internal database in an encrypted way (and decrypted once a pipeline is
started based on a secret key providing by users as an env variable).
For this, we would import packages from javax.crypto and include a library
called Jasypt [1] for encryption/decryption, which is Apache licensed and
approved for export.
I've read through the ASF regulations on usage of crypto software [2] and
wonder if an ECCN filing for StreamPipes is needed when using this library
or javax.crypto imports?
It would be great to receive some advice on this.
Thanks!
Dominik
[1] https://github.com/jasypt/jasypt
[2] https://infra.apache.org/crypto.html
[3] What is Jasypt's export classification in the United States of America?
Although Jasypt does not implement nor distribute in any of its forms any
cryptographic algorithms, it can use them via the Java Cryptography
Extension API and, as such, it is classified under ECCN code 5D002 and
approved for export under License Exception TSU.
Re: ECCN notice question
Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,
The ASF information we have is a little out of date and I’m not 100% if this process applies anymore. It can be found here.[1]
Kind Regards,
Justin
1. https://apache.org/dev/crypto.html
Re: ECCN notice question
Posted by Dominik Riemer <ri...@apache.org>.
Hi,
does anybody know how to proceed with this?
If not, should I forward this question to the legal list or Infra?
Dominik
On 2021/10/05 15:21:22, "Dominik Riemer" <ri...@apache.org> wrote:
> Hi all,
>
>
>
> this is probably a question to our mentors:
>
> Users in StreamPipes are able to configure data sinks (e.g., a sink that
> stores data in a MySQL database). In the configuration, users can (for
> example) enter a database password.
>
> I'm currently working on an improved authentication/authorization system for
> StreamPipes and as part of this, such passwords should be stored in our
> internal database in an encrypted way (and decrypted once a pipeline is
> started based on a secret key providing by users as an env variable).
>
>
>
> For this, we would import packages from javax.crypto and include a library
> called Jasypt [1] for encryption/decryption, which is Apache licensed and
> approved for export.
>
> I've read through the ASF regulations on usage of crypto software [2] and
> wonder if an ECCN filing for StreamPipes is needed when using this library
> or javax.crypto imports?
>
>
>
> It would be great to receive some advice on this.
>
>
>
> Thanks!
>
> Dominik
>
>
>
>
>
> [1] https://github.com/jasypt/jasypt
>
> [2] https://infra.apache.org/crypto.html
>
> [3] What is Jasypt's export classification in the United States of America?
> Although Jasypt does not implement nor distribute in any of its forms any
> cryptographic algorithms, it can use them via the Java Cryptography
> Extension API and, as such, it is classified under ECCN code 5D002 and
> approved for export under License Exception TSU.
>
>
>
>
>
>
>
>