incubator-general mailing list archives

From Stian Soiland-Reyes <>
Subject Re: ECCN cryptography reporting?
Date Mon, 02 May 2016 16:45:12 GMT

We did a dependency clean-up (but not upgrade) as part of license
review. We want to delay some of the upgrades (e.g. to OSGI 5) until
after getting the first full command line release out as this is what
pulls together everything in its lib/.

(Thus this is also why we need to do the encryption review now).

I used

mvn dependency:tree -DoutputFile=`pwd`/target/tree.txt -DappendOutput=true

to check what dependencies we are using across modules - obviously all
the Apache ones are easy to check against

but it's harder to check if any of the others are classified or not
beyond heavy googling - e.g.
Jetty is apparently classified according to

I wonder if Apache Whisker folks would have any thoughts on how
generating/checking for encryption export dependencies should be
simplified - you would think something like a
META-INF/EXPORT-RESTRICTED in the dependency JARs would work.
(Although some projects put their encryption classification in NOTICE
- I understand this is discouraged?)

Emma seems a bit abandoned (e.g. no Maven 2 plugin) - I know Commons
now use Cobertura and/or JaCoCo - but perhaps those are better to
check coverage of your own code rather than the dependencies.

On 2 May 2016 at 11:22, Martin Gainty <> wrote:
> with other apache products to reduce code bloat and reduce deprecated packages you might want to run
> maven dependency:tree
> mvn dependency:tree -Dverbose
> compare delta(s) with
> emma code coverage
> as I have some spare cycles let me know if I can be of any assistance
> Thanks Stian
> Martin
>> From:
>> Date: Mon, 2 May 2016 03:23:42 +0100
>> Subject: ECCN cryptography reporting?
>> To:
>> Hi,
>> Taverna is preparing its cryptography registration for US Export purposes:
>> We want to have this sorted before we make the next release candidate
>> - but we're awaiting LEGAL-250 to see if we can reduce the list of
>> transitive dependencies in this list - it feels excessive if "anything
>> that can do https" needs to be listed (that would presumably affect
>> many more projects)
>> See also and already classified
>> ASF products on
>> Formally - would it need to be the Incubator PMC chair sending the
>> ECCN encryption email?
>> I'll let you know when it's ready to send.
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)

Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
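
One way to turn the appended tree.txt produced by the `mvn dependency:tree -DoutputFile=... -DappendOutput=true` command above into a de-duplicated review list, as an added example that is not part of the original message or of Taverna's tooling. The sample tree, the `org.example` modules and the watchlist prefixes are constructed for illustration and say nothing about which artifacts are actually classified; skipping test scope is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: two module trees appended into one file (-DappendOutput=true).
SAMPLE_TREE = r"""
org.example:module-a:jar:1.0.0
+- org.eclipse.jetty:jetty-server:jar:9.2.10:compile
|  \- org.eclipse.jetty:jetty-http:jar:9.2.10:compile
\- junit:junit:jar:4.12:test
org.example:module-b:jar:1.0.0
+- org.bouncycastle:bcprov-jdk15on:jar:1.54:compile
\- org.eclipse.jetty:jetty-server:jar:9.2.10:compile
"""

# Constructed, illustrative groupId prefixes to review by hand (not authoritative).
WATCHLIST = ("org.eclipse.jetty", "org.bouncycastle")

# Tree-drawing prefix, then group:artifact:type[:classifier]:version[:scope].
LINE = re.compile(r"^(?P<indent>[|+\\\- ]*)(?P<coords>[^\s:]+(?::[^\s:]+){3,5})\s*$")

def parse_tree(text):
    """Yield (module, depth, group, artifact, version, scope) per dependency line."""
    module = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines and -Dverbose "(... omitted ...)" notes
        parts = m["coords"].split(":")
        if not m["indent"]:
            module = ":".join(parts[:2])  # unindented line starts a new module tree
            continue
        depth = len(m["indent"]) // 3     # each tree level is three characters wide
        yield module, depth, parts[0], parts[1], parts[-2], parts[-1]

def flag_candidates(text, watchlist=WATCHLIST, skip_scopes=("test",)):
    """Map flagged group:artifact:version -> sorted (module, direct|transitive)."""
    hits = defaultdict(set)
    for module, depth, group, artifact, version, scope in parse_tree(text):
        if scope in skip_scopes:  # assumption: these never end up in lib/
            continue
        if any(group == w or group.startswith(w + ".") for w in watchlist):
            kind = "direct" if depth == 1 else "transitive"
            hits[f"{group}:{artifact}:{version}"].add((module, kind))
    return {coord: sorted(users) for coord, users in hits.items()}

if __name__ == "__main__":
    for coord, users in sorted(flag_candidates(SAMPLE_TREE).items()):
        print(coord, "<-", ", ".join(f"{m} ({k})" for m, k in users))
```

The output lists each flagged artifact once with the modules that pull it in, which separates dependencies a module declares itself from the transitive ones the thread is worried about.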
