incubator-general mailing list archives

From Justin Mclean <jus...@classsoftware.com>
Subject Re: [VOTE]: Release Apache Dubbo (Incubating) 2.6.2 [RC2]
Date Sun, 03 Jun 2018 06:08:09 GMT
Hi,

+1 (binding). There is a security software export issue that needs looking into and probably
acting on.

I checked:
- incubating in name
- signatures and hashes all good
- DISCLAIMER exists
- LICENSE and NOTICE correct
- No unexpected binary files
- Source files have ASF headers (with a couple of exceptions)
- Can compile from source

Re including the full text of the guava license: as it is boilerplate ALv2, there's no need
to duplicate that in LICENSE. You may want to include it as a text file, but there’s no real
need IMO.

One minor issue is that some of the pom files still have "Copyright 1999-2011 Alibaba Group."
in them; this should be updated.

I also just noticed that hessian lite (bundled in the source code) includes some encryption
code. (See files X509Encryption.java and X509Signature.java.) It’s likely that the PPMC
will need to go through this process [1] but I cannot say for sure as I don’t know US regulation
on this well. What’s required is to register the software for export and add a warning that
the code contains encryption software to the README. Note that the instructions on that page may
be out of date. Here’s the ASF export list for comparison. [2]

I’m struck by a sense of irony that software that’s been mostly developed in China may
need a US export license to be used in China when hosted for distribution at the ASF. :-)

Thanks,
Justin

1. http://www.apache.org/dev/crypto.html
2. http://www.apache.org/licenses/exports/