On Sep 15, 2007, at 10:03 PM, William A. Rowe, Jr. wrote:
Kevan Miller wrote:
That previous discussion was about including a JXTA dependency, for this one I think we're just following what we've seen other Apache projects that support ws-security are doing, so I guess we were assuming it was ok. Are you saying it's not ok to distribute the BouncyCastle jar (and if so then is the Geronimo jar a drop-in replacement)?
I wasn't aware of other projects using BouncyCastle. I would hope that they've considered the patent issues regarding BouncyCastle's encryption library.
Those would be a problem if there is encumbered code which has not been licensed to the ASF for distribution, and we are aware of those encumbrances.
So are JXTA/Geronimo/others shipping BouncyCastle? Calling it out as an optional dependency? A hard dependency?
Geronimo has no BouncyCastle dependency.
I'm not saying that you cannot ship the BouncyCastle jar.
The board does, if it includes an implementation of IDEA and no patent
grant or license is associated with it.
E.g. those projects which ship openssl binaries must do so by inhibiting the IDEA/MDC2/RC5 algorithms, which is trivial. Do the bouncycastle jar distros have a similar segregation? An unencumbered flavor we can ship?
How exactly are the algorithms inhibited in openssl?
If a project includes the BouncyCastle jar (which contains the IDEA
algorithm), but the project cannot be configured to use the IDEA
algorithm, is that "inhibiting"? I think not, but it looks like
that's what other projects have been assuming... IMO, the encumbered
BouncyCastle jar file is still present and could be used in ways the
project may not have intended...
I don't see an unencumbered BouncyCastle distribution which is not encumbered.
--kevan