Hi,

On Sun, Jun 3, 2018 at 2:08 PM, Justin Mclean <jus...@classsoftware.com> wrote:
> Hi,
>
> +1 (binding). There is a security software export issue that needs looking 
> into and probably acted on.
>
> I checked:
> - incubating in name
> - signatures and hashes all good
> - DISCLAIMER exists
> - LICENSE and NOTICE correct
> - No unexpected binary files
> - Source files have ASF headers (with a couple of exceptions)
> - Can compile from source
>
> Re including the full text of the guava license as it is boilerplate ALv2 
> there's no need to duplicate that in LICENSE. You may want to include as a 
> text file but there’s no real need IMO.
>
> One minor issue is that some of the pom files still have "Copyright 1999-2011 
> Alibaba Group." in them; this should be updated.
>
> I also just noticed that hessian lite (bundled in the source code) includes 
> some encryption code. (See files X509Encryption.java and X509Signature.java.) 
> It’s likely that the PPMC will need to go through this process [1] but I 
> cannot say for sure as I don’t know US regulation on this well. What’s 
> required is to register the software for export and add a warning that the 
> code contains encryption software to the README. Note that instructions on 
> that page may be out of date. Here’s the ASF export list for comparison. [2]

A preliminary investigation shows these two files are not used
currently (a more careful check will be done later), and they can be removed
later. Moreover the overall hessian-lite module is supposed to be
moved out of core repository as discussed on the mailing list. [1]

>
> I’m struck by a sense of irony that software that’s been mostly developed in 
> China may need a US export license to be used in China when hosted for 
> distribution at the ASF. :-)
>
> Thanks,
> Justin
>
> 1. http://www.apache.org/dev/crypto.html
> 2. http://www.apache.org/licenses/exports/
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org
> For additional commands, e-mail: general-h...@incubator.apache.org
>

[1] 
https://lists.apache.org/thread.html/a5e5e1a09cb15b1d508cf22ce2bd674ddc915ffbfe16dda55dbc90ac@%3Cdev.dubbo.apache.org%3E

-- 
Best Regards!
Huxing
