Apache Turbine Project Board Report, February 2008


There has been good progress towards resolving the outstanding ECCN issues within the Turbine project. See below for details.

The final tasks relating to Turbine becoming a TLP have finally been completed - the mirrored downloads and archived releases have been moved from jakarta to turbine directories.

Other than this the Turbine project continues on with a fairly low level of activity.

The Turbine project has no board-level issues at this time.

ECCN Status and activity

While this issue has been highlighted by Bill for the current round of reports, it has been on our radar for some time now.

The following areas had the potential to require ECCN registration due to their use of a "symmetric algorithm employing a key length exceeding 56 bits" and/or because they "were designed to work with strong cryptographic libraries":

  1. fulcrum-crypto - used the cryptix library to implement Unix crypt()
  2. The Crypto Service in Turbine Core, from which fulcrum-crypto was extracted - also used the cryptix library
  3. fulcrum-yaafi - supports decryption of strongly encrypted configuration files
  4. fulcrum-pbe - supports strong encryption/decryption of files

In particular, the following actions have taken place:

  • the cryptix dependency has been removed from fulcrum-crypto and Turbine core's Crypto Service (replaced with org.apache.jetspeed.services.security.ldap.UnixCrypt from the JetSpeed Portal project).
  • the exposed interfaces and underlying implementation of fulcrum-yaafi and fulcrum-pbe have been modified to ensure that only DES (56 bit key length) can be used (strong encryption was never used but was available through the exposed interfaces).

It is our understanding that after our next release of the following components, no aspects of the Apache Turbine project will require ECCN registration:

  • fulcrum-crypto-1.0.7 - ETA some time in the next few weeks
  • turbine-2.3.3 - ETA some time in the next month or so
  • fulcrum-yaafi-1.0.6 - ETA some time in the next few weeks
  • fulcrum-pbe-1.0.0 - Not yet a released component so no release required in order to comply.

Community changes

No new committers were voted in since the last board report.

No new PMC members were voted in since the last board report.

Turbine core project

The Turbine Core trunk and turbine-site modules have been updated to ASL 2.0 - this was long overdue and is in preparation for a future release.

The changes to fulcrum-crypto have been backported to the Crypto Service so as to eliminate the ECCN registration requirement for Turbine core.

We are working on releasing Turbine 2.3.3 - this has primarily been waiting on the DB Project's Torque 3.3 release which is likely to appear in the next couple of weeks.

No beta or final releases were made since the last board report.

Fulcrum component project

Mostly ECCN related activity, but progress on migrating from Maven 1.x to Maven 2.x for project builds has commenced.

No beta or final releases were made since the last board report.

META project

No beta or final releases were made since the last board report.