You are viewing a plain text version of this content. The canonical link for it is here.
Posted to legal-discuss@apache.org by "Roman Shaposhnik (JIRA)" <ji...@apache.org> on 2018/11/30 02:33:00 UTC
[jira] [Commented] (LEGAL-425) Usage of Conscrypt JAR file in Solr
distribution
[ https://issues.apache.org/jira/browse/LEGAL-425?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16704161#comment-16704161 ]
Roman Shaposhnik commented on LEGAL-425:
----------------------------------------
First of all, Apache Software Foundation is ONLY in business of distributing source code to public. From that perspective you're fine.
If you would like to keep distributing convenience binariesĀ I suggest you cut that dependency out. Will that work?
> Usage of Conscrypt JAR file in Solr distribution
> ------------------------------------------------
>
> Key: LEGAL-425
> URL: https://issues.apache.org/jira/browse/LEGAL-425
> Project: Legal Discuss
> Issue Type: Question
> Reporter: Uwe Schindler
> Priority: Major
>
> Apache Solr still has Java 8 as a minimum requirement. To provide HTTP/2 support in the distribution with TLS, the bundled Jetty Server and Jetty Client (for SolrJ) has to be configured to use the Google Conscrypt library (see [https://github.com/google/conscrypt]) and enable it on startup.
> The Conscrypt library itsself is Apache License 2. But its binary JAR file contains native code from BoringSSL, a fork of OpenSSL. As the status of licenses in OpenSSL and especially in BoringSSL, we are not sure how to handle that. Our own code only links against ASF2 licensed code (Conscrypt), so the Source.ZIP files of Lucene/Solr are perfectly fine, but the binary distribution would ship with the JAR file that contains the ASF2 licensed library that ships with some binary .so/.dll blobs inside).
> The Jetty webserver does not bundle Conscrypt and only allows the user to enable HTTP2 if the user manually downloads conscrypt (see [https://www.eclipse.org/jetty/documentation/9.4.x/jetty-ssl-distribution.html#jetty-conscrypt-distribution]).
> How should we handle this: are we safe to provide Conscypt in the binary distribution? Or should we handle it like Jetty with a download script in distribution? Or should we disable HTTP/2 on Java 8 and don't ship or support this library?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: legal-discuss-unsubscribe@apache.org
For additional commands, e-mail: legal-discuss-help@apache.org