  1. Apache Jena
  2. JENA-1169

Is Jena US Export classified due to encryption in dependencies?


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Done
    • None
    • Jena 3.1.1
    • Build
    • None

    Description

      Hi - apologies for finding this..

      I just noticed that
      http://www.apache.org/licenses/exports/

      includes US export classified tools from ASF:

      Apache HttpComponents Core 4.0 and later
      Apache HttpComponents Client 4.0 and later
      Apache Hadoop 17.0 and later

      See also:

      http://www.apache.org/dev/crypto.html#faq-manyproducts

      We redistribute Apache HTTP Components in the Jena and Fuseki binary distributions. We don't distribute Hadoop - we only link to it from Elephas.

      Reading ASF's FAQ it is not clear if we would need to be listed just from having a <dependency> on such a classified item.

      Would we therefore also need to declare Jena as classified? Or is the transitivity broken because Jena only uses the encryption (e.g. to access https:// JSON-LD contexts)?

      (This transitivity thing could mean anyone in the US distributing software using Jena would be US Export regulated. I hope I am wrong.. worth checking with LEGAL I think)

      BTW this was discussed in 2011 - but I believe we have since removed the BouncyCastle dependency:

      http://mail-archives.apache.org/mod_mbox/jena-dev/201108.mbox/%3C4E3FF7E8.1060206@epimorphics.com%3E

      Draft eccnmatrix.xml additions

      To be added to https://svn.apache.org/repos/asf/infrastructure/site/trunk/content/licenses/exports/index.page/eccnmatrix.xml
      and then published to http://www.apache.org/licenses/exports/

      See http://www.apache.org/dev/crypto.html#sources

       <Project id="jena" href="http://jena.apache.org">
        <Name>Apache Jena</Name>
        <Contact><Name>Andy Seaborne</Name></Contact>
        <Product>
          <Name>Apache Jena</Name>
          <Version>
            <Names>development</Names>
            <ECCN>5D002</ECCN>
            <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
              <Manufacturer>ASF</Manufacturer>
              <Why>Use Apache HTTPComponents Client</Why>
            </ControlledSource>
            <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
          </Version>
          <Version>
            <Names>2.7.0-incubating and later</Names>
            <ECCN>5D002</ECCN>
            <ControlledSource href="http://archive.apache.org/dist/jena/source/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Use Apache HTTPComponents Client</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Include Apache HTTPComponents Client</Why>
            </ControlledSource>
          </Version>
        </Product>
        <Product>
          <Name>Apache Jena Fuseki</Name>
          <Version>
            <Names>development</Names>
            <ECCN>5D002</ECCN>
            <ControlledSource href="https://git-wip-us.apache.org/repos/asf/jena.git">
              <Manufacturer>ASF</Manufacturer>
              <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
            </ControlledSource>
            <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/shiro/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
            </ControlledSource>
          </Version>
          <Version>
            <Names>0.2.1-incubating and later</Names>
            <ECCN>5D002</ECCN>
            <ControlledSource href="http://archive.apache.org/dist/jena/source/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Use Apache HTTPComponents Client, Apache Shiro</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/jena/binaries/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Include Apache HTTPComponents, Apache Shiro, Apache Solr, Jetty</Why>
            </ControlledSource>
            <ControlledSource href="http://svn.apache.org/repos/asf/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/httpcomponents/httpcore/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Secure Socket Extension (JSSE)</Why>
            </ControlledSource>
            <ControlledSource href="http://archive.apache.org/dist/shiro/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with Java Cryptography Extensions (JCE)</Why>
            </ControlledSource>
            <ControlledSource href="http://www.apache.org/dist/lucene/solr/">
              <Manufacturer>ASF</Manufacturer>
              <Why>Designed for use with the Apache Tika API in the contrib/extraction libraries</Why>
            </ControlledSource>
            <ControlledSource href="http://eclipse.org/jetty">
              <Manufacturer>The Eclipse Foundation</Manufacturer>
              <Why>SSL library for Jetty</Why>
            </ControlledSource>
          </Version>
        </Product>
      </Project>
      

            People

              andy Andy Seaborne
              stain Stian Soiland-Reyes