incubator-general mailing list archives

From Huxing Zhang <hux...@apache.org>
Subject Re: [VOTE]: Release Apache Dubbo (Incubating) 2.6.2 [RC2]
Date Mon, 04 Jun 2018 07:09:07 GMT
Hi,

On Sun, Jun 3, 2018 at 2:08 PM, Justin Mclean <justin@classsoftware.com> wrote:
> Hi,
>
> +1 (binding). There is a security software export issue that needs looking into and probably acted on.
>
> I checked:
> - incubating in name
> - signatures and hashes all good
> - DISCLAIMER exists
> - LICENSE and NOTICE correct
> - No unexpected binary files
> - Source files have ASF headers (with a couple of exceptions)
> - Can compile from source
>
> Re including the full text of the guava license as it is boiler plate ALv2 there's no need to duplicate that in LICENSE. You may want to include as a text file but there’s no real need IMO.
>
> One minor issue is that some of the pom files still have "Copyright 1999-2011 Alibaba Group." in them; this should be updated.
>
> I also just noticed that hessian lite (bundled in the source code) includes some encryption code. (See files X509Encryption.java and X509Signature.java.) It’s likely that the PPMC will need to go through this process [1] but I cannot say for sure as I don’t know US regulation on this well. What’s required is to register the software for export and add a warning that the code contains encryption software to the README. Note that the instructions on that page may be out of date. Here’s the ASF export list for comparison. [2]

A preliminary investigation shows these two files are not used
currently (a more careful check will be done later); they can be removed
later. Moreover the overall hessian-lite module is supposed to be
moved out of the core repository as discussed on the mailing list. [1]

>
> I’m struck by a sense of irony that software that’s been mostly developed in China may need a US export license to be used in China when hosted for distribution at the ASF. :-)
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/dev/crypto.html
> 2. http://www.apache.org/licenses/exports/
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>

[1] https://lists.apache.org/thread.html/a5e5e1a09cb15b1d508cf22ce2bd674ddc915ffbfe16dda55dbc90ac@%3Cdev.dubbo.apache.org%3E

-- 
Best Regards!
Huxing
