On 4 May 2016 at 13:35, Stian Soiland-Reyes <st...@apache.org> wrote:
> Hi,
>
> Sorry for spotting this..
>
> Apache Commons Crypto is not listed on
> http://www.apache.org/licenses/exports/ - does it need to be? (One
> would assume so..)
>
> Also it was raised that Commons VFS depends on Bouncy Castle/Apache
> Mina/Jetty/SSHD/Hadoop/jsch and has encryption binding for AES128 -
> perhaps that also needs to be listed and registered?
>
> We only have listed:
>
> Commons Compress
> Commons OpenPGP
>
> See guidance on
> http://www.apache.org/dev/crypto.html
>
> BTW - I've raised https://issues.apache.org/jira/browse/LEGAL-250 to
> see if merely using a listed source as a Maven <dependency> means you
> also are classified - or if you would need to also bundle the
> dependency's binary (which I think we don't do).
It does not matter if the dependency is bundled or not.

The page says:

"ASF product distributions that contain or are "specially designed" to use cryptography."

AFAIK:
Compress contains some decryption
OpenPGP is "specially designed" to use cryptography.

I assume the same is true of Crypto.

But note that the rules changed in 2010; the page has yet to be updated.

> --
> Stian Soiland-Reyes
> Apache Taverna (incubating), Apache Commons RDF (incubating)
> http://orcid.org/0000-0001-9842-9718

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org