tika-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Allison, Timothy B." <talli...@mitre.org>
Subject update Apache export control matrix and send updated notification?
Date Wed, 09 Sep 2015 19:55:47 GMT
All,

  I recently noticed that our info here [0] is out of date.  I think we should update that
page to reflect Tika as a top level project.  Also, I suspect that when we initially entered
our info on that site and sent notification to BIS/NSA (TIKA-118), we were only handling encryption
for PDFs.  So, I think we should also update the links to include the source repositories
for other dependencies that rely on encryption.

  From a quick review, my current understanding of the parsers that use encryption in Tika:


a) PDFParser: has own RC4Cipher (for writing...not used by Tika but probably bundled) and
relies on Bouncy Castle otherwise

b) POI: can rely on Bouncy Castle but also uses its own encryption algorithms

c) JackcessParser, relies on jackcess-encrypt package which relies on Bouncy Castle

d) PKCs7Parser: relies on Bouncy Castle directly (CMSSignedDataParser)

e) PkgParser: relies on Apache Commons Compress' SevenZFile which uses javax.crypto package


Is the above info correct?  Any others?

  Given the changes in our code and our dependencies, I figure that we may as well update/resend
our notification to BIS/NSA [1].

  Does this sound reasonable?  I'll open a ticket if so.

              Best,

                         Tim

[0] http://www.apache.org/licenses/exports/
[1] http://www.apache.org/dev/crypto.html#notify

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message