incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stian Soiland-Reyes <st...@apache.org>
Subject Re: ECCN cryptography reporting?
Date Mon, 02 May 2016 16:45:12 GMT
Thanks!

We did a dependency clean-up (but not upgrade) as part of license
review. We want to delay some of the upgrades (e.g. to OSGI 5) until
after getting the first full command line release out as this is what
pulls together everything in its lib/.

(Thus this is also why we need to do the encryption review now).


I used

mvn dependency:tree -DoutputFile=`pwd`/target/tree.txt -DappendOutput=true

to check what dependencies we are using across modules - obviously all
the Apache ones are easy to check against
http://www.apache.org/licenses/exports/

but it's harder to check if any of the others are classified or not
beyond heavy googling - e.g.
Jetty is apparantly classified according to
https://dev.eclipse.org/mhonarc/lists/jetty-users/msg05898.html


I wonder if Apache Whisker folks would have any thoughts on how
generating/checking for encryption export dependencies should be
simplified - you would think something like a
META-INF/EXPORT-RESTRICTED in the dependency JARs would work.
(Although some projects put their encryption classification in NOTICE
- I understand this is discouraged?)


Emma seems a bit abandoned (e.g. no Maven 2 plugin) - I know Commons
now use Cobertura and/or JaCoCo - but perhaps those are better to
check coverage of your own code rather than the dependencies.



On 2 May 2016 at 11:22, Martin Gainty <mgainty@hotmail.com> wrote:
> with other apache products to reduce code bloat and reduce deprecated packages you might
want to run
> maven dependency:treemvn dependency:tree -Dverbose https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html
> compare delta(s) with
> emma code coveragehttp://emma.sourceforge.net/
> as I have some spare cycles let me know if I can be of any assistance
> Thanks Stian
> Martin
>
>
>
>> From: stain@apache.org
>> Date: Mon, 2 May 2016 03:23:42 +0100
>> Subject: ECCN cryptography reporting?
>> To: general@incubator.apache.org
>>
>> Hi,
>>
>> Taverna is preparing its cryptography registration for US Export purposes:
>>
>> https://cwiki.apache.org/confluence/display/TAVERNADEV/Taverna+Cryptography+review
>>
>>
>> We want to have this sorted before we make the next release candidate
>> - but we're awaiting LEGAL-250 to see if we can reduce the list of
>> transitive dependencies in this list - it feels excessive if "anything
>> that can do https" needs to be listed (that would presumably affect
>> many more projects)
>>
>>
>> See also http://www.apache.org/dev/crypto.html and already classified
>> ASF products on http://www.apache.org/licenses/exports/
>>
>>
>>
>> Formally - would it need to be the Incubator PMC chair sending the
>> ECCN encryption email?
>>
>> I'll let you know when it's ready to send.
>>
>> --
>> Stian Soiland-Reyes
>> Apache Taverna (incubating), Apache Commons RDF (incubating)
>> http://orcid.org/0000-0001-9842-9718
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
>> For additional commands, e-mail: general-help@incubator.apache.org
>>
>



-- 
Stian Soiland-Reyes
Apache Taverna (incubating), Apache Commons RDF (incubating)
http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Mime
View raw message