
This report, for March 2008, is the fourth quarterly report for OFBiz (Open For Business) as a top level project.

The Apache Open For Business Project (Apache OFBiz) is an open source enterprise automation software project. By enterprise automation we mean: ERP, CRM, E-Business / E-Commerce, MRP, SCM, CMMS/EAM, and so on.

We have no issues that require Board assistance at this time.

Community:

- one new committer, Vikas Mayur, was voted in before the last report but his CLA and account had not been finalized; that is now complete

- there are various new contributors and there is increasing traffic on the mailing lists and in Jira issues, but no new candidates for committers have stood out yet

- some concerns about a single company with significant community presence have been voiced, as Hotwax Media has 4 people on the PMC (out of 11) and 3 committers that are not PMC members (out of 10); the Hotwax Media leadership (including myself) is aware of this problem and we are making an effort to grow from outside of the community and to help and encourage other service providers and end-user groups to participate more in the community; 4 of the 6 partners at Hotwax are OFBiz PMC members, and one more is a committer (the other 2 committers being employees), and it is understood that it is important for the OFBiz community and therefore for Hotwax as well that there be diversity and a wide base for stability within the community; any recommendations from the board or others experienced with this sort of thing are welcome

Project:

- more effort is going into automated testing to help with stability and to find problems more quickly as the community grows and more people get involved

- contributions continue in many areas including tools for more efficient development and analysis, core application improvements and extensions, and certain special purpose applications such as the existing project management app and the new sales force automation one

- Crypto Export Control: OFBiz does use cryptography libraries for various things so as we understand it we have to follow the guidelines for the export control notifications; as part of this we have done the following:

-- a Project listing has been added to https://svn.apache.org/repos/asf/infrastructure/site/trunk/xdocs/licenses/exports
-- an email has been sent to crypt@bis.doc.gov, enc@nsa.gov, web_site@bis.doc.gov, and relevant ASF email addresses for the TSU notice
-- a BIS/TSU exception notice has been added to the README and NOTICE files in the OFBiz trunk and the release4.0 branch

ALL PMC CHAIRS Export Notification policy


William A. Rowe, Jr. writes:
Each and every PMC chairman;

I've sent notices to private@ ws.apache.org and xml.apache.org with
respect to the Export Control Notifications required for any crypto
components, notably Axis/Rampart and XML/Security, based on their
absence from the grid at;

http://www.apache.org/licenses/exports/

If all VP's would ensure that this documentation is reviewed

http://www.apache.org/dev/crypto.html

to determine if your project also falls under these procedures, and
please bring your project into compliance by the next notice date,
I'd appreciate your adding a note to your next board report that this
was reviewed and any reporting deficiency was corrected. You need to
note this is done, but can certainly delegate this task to your PMCs
subproject chairs, and so forth. I simply need you to personally own
that the review is conducted by your next reporting cycle.

Failing that, I'll be seriously harassing your project individually
about this subject, and failing that, infra will have no choice but to
take your distributions offline (wink) I'd like to do this in a single
pass, just reviewing 1/3 of the foundation each month, and bringing
everyone on to the same page by the April board reports.

If your project is covered on the licenses/exports/ page or you have
documented this review by your next board reporting cycle, you will make
everyone most happy (smile)

Many thanks in advance for reviewing this with an eye to your project.
The legal team is very happy to address all of your questions, you can
either subscribe to legal-discuss@apache.org and raise your questions
there, or you can often ping one of us on irc.freenode.net on the #asf
channel. We are here to help decode any confusion (and improve those
pages if something is ambiguous.) Several projects have successfully
followed the procedure, so it should not be all that difficult now.

Bill


6 Comments

  1. Do we need to review something (regarding William A. Rowe's demand)? I may help if needed.

    1. Moreover I know there are (still?) some more constraints in France (for instance)

    2. Jacques,

      from what I understand, we have to review and provide feedback in our board report about this; however I'm not sure I understand this (the email I've attached should contain all the pointers required) and thus your help would be greatly appreciated.

      Jacopo 

      1. Hi Jacopo,

        OK, I will try to understand, still a little bit obscure for me too (wink)
        I will let you know then...

        1. It seems to me that David (he, as OFBiz PMC chairman, only has the needed rights) should add the following snippet to the https://svn.apache.org/repos/asf/infrastructure/site/trunk/xdocs/licenses/exports/index.xml

          <Project href="http://ofbiz.apache.org/">
            <Name>Apache OFBiz Project</Name>
            <Contact><Name>David E. Jones</Name></Contact>
            <Product>
              <Name>Apache OFBiz</Name>
              <Version>
                <Names>development</Names>
                <ECCN>5D002</ECCN>
                <ControlledSource href="http://svn.apache.org/repos/asf/ofbiz/">
                  <Manufacturer>ASF</Manufacturer>
                  <Why>designed for use with encryption library</Why>
                </ControlledSource>
              </Version>
            </Product>
          </Project>

          To be reviewed since I'm not exactly sure of what to put in the <Why> tag. "designed for use with encryption library" means that the code belongs to the ASF and seems the most relevant to me as we don't use any 3rd-party libraries. We really use in code only the HashCrypt class (SHA-1/MD5 One-Way Hash Encryption) for passwords and the DesCrypt class (DESede (3DES) Two-Way Encryption) in EntityCrypto class. The BlowFishCrypt class ((Two-Way) Byte/String encryption) exists but does not seem to be used. Anyway, all these classes are OFBiz specific code.

          I used Geronimo as an example:

          <Project href="http://geronimo.apache.org/">
            <Name>Apache Geronimo Project</Name>
            <Contact><Name>Matt Hogstrom</Name></Contact>
            <Product>
              <Name>Apache Geronimo</Name>
              <Version>
                <Names>development</Names>
                <ECCN>5D002</ECCN>
                <ControlledSource href="http://svn.apache.org/repos/asf/geronimo/">
                  <Manufacturer>ASF</Manufacturer>
                  <Why>designed for use with encryption library</Why>
                </ControlledSource>
              </Version>
              <Version>
                <Names>1.0 and later</Names>
                <ECCN>5D002</ECCN>
                <ControlledSource href="http://archive.apache.org/dist/geronimo/">
                  <Manufacturer>ASF</Manufacturer>
                  <Why>designed for use with encryption library</Why>
                </ControlledSource>
              </Version>
            </Product>
          </Project>

          Note that we still have no distribution (no http://archive.apache.org/dist/ofbiz/), hence only one product still in development. At least it's how I understood it...

          The following tasks could be done by any PMC member (but of course checked by the PMC)

          1. I would also like to add that we use javax.crypto.Cipher (don't know if we should consider it as a 3rd party library, though it's obviously not our own code)