Forum: JRuby JRuby without encryption

Hi All,

I'm struggling to figure out a way to be able to use JRuby for a project
inside my company, and since this software will ship everywhere, I need 
to
be able to verify that JRuby doesn't violate export restrictions.  I 
found
this post:

http://old.nabble.com/Re:-Moving-jruby-ossl-into-J...

from last year indicating that BouncyCastle libraries are now bundled in
JRuby (and digging through jruby-complete, I can verify that they are
indeed!).  The libraries are classified as 5D002, which is a red flag 
for
anyone who is directly distributing software outside the US or Canada,
because it means they have to get licenses or license exceptions for 
every
other country (I spent a very informative two hours on the phone with 
the
company attorney specializing in export restrictions this morning).  My
company has done that legwork, but there are some place you just can't 
ship
5D002 software to (sorry Russia and China!).  It's kind of a deal 
breaker.

My project doesn't need anything from OpenSSL.  From reading the post, 
it
is clear that someone (hi Charlie!) has given folks in my position due
consideration, so I'm guessing it's not too hard to strip those pieces 
out.
 Of course, it would be awesome if there were already a distribution
without those pieces.  Perchance is there?  If not, I'm going to try it
myself, and if that's the case, is there interest in me contributing 
back
what that looks like to the community (and how would that work?  Is 
there
any information on the build/packaging mechanisms that create
jruby-complete, and would it be terribly difficult to extend them to 
drop
encryption modules from the distribution?)

Thanks!
Mark

You may be interested to know that Ruboto strips a lot of stuff out of 
JRuby to make it fit an Android device. Within the Ruboto gem there is a 
file called update.rb which does this. It may be a useful example.
...R

Hello there!

On Fri, Mar 15, 2013 at 10:33 AM, Mark McCraw <smmccraw@gmail.com> 
wrote:
> JRuby (and digging through jruby-complete, I can verify that they are
> indeed!).  The libraries are classified as 5D002, which is a red flag for
> anyone who is directly distributing software outside the US or Canada,
> because it means they have to get licenses or license exceptions for every
> other country (I spent a very informative two hours on the phone with the
> company attorney specializing in export restrictions this morning).  My
> company has done that legwork, but there are some place you just can't ship
> 5D002 software to (sorry Russia and China!).  It's kind of a deal breaker.

We have not had a lawyer help us with this (expensive, need to find
someone at Red Hat I support) but my understanding was that since
BouncyCastle is 5D002 with license exemption TSU, exporting just
requires notification that it will be shipped. It was *not* clear if
it's enough to say we use BouncyCastle since BouncyCastle themselves
have notices about export rules on their project.

5D002 appears to be incredibly common for export designation. Look at
the list of Apache projects that are 5D002:
http://www.apache.org/licenses/exports/

If it's really a deal breaker to have the libs in there, then there
are options...

> My project doesn't need anything from OpenSSL.  From reading the post, it is
> clear that someone (hi Charlie!) has given folks in my position due
> consideration, so I'm guessing it's not too hard to strip those pieces out.
> Of course, it would be awesome if there were already a distribution without
> those pieces.  Perchance is there?  If not, I'm going to try it myself, and
> if that's the case, is there interest in me contributing back what that
> looks like to the community (and how would that work?  Is there any
> information on the build/packaging mechanisms that create jruby-complete,
> and would it be terribly difficult to extend them to drop encryption modules
> from the distribution?)

There's no trivial way to remove them (no build flag, etc) but
stripping out bouncycastle (and openssl) would simply be a matter of
deleting them. From JRuby 1.7.2 on, we ship both jruby-openssl and BC
as jars, either in lib/ruby/shared for exploded distribution, or in
jruby-complete.jar for packaged distribution. Removing those jar files
plus lib/ruby/shared/*openssl* would do it.

I knew we'd have to cross this bridge at some point. We're hoping to
work closer with Martin Boßlet to get his "krypt" library up to a
level where we could drop BC and just use what comes with JDK. We're
also willing to explore the possibility of a crypto-free build. But
your best bet, if you don't need crypto, is to just remove it yourself
(and perhaps provide a build patch that makes it easier).

- Charlie

Thanks for the replies!  I've added a new target to the build which
produces a jruby-complete without encryption, and created a pull request 
to
drag that into trunk, if it seems reasonable.  I'll also look into 
Ruboto,
because that sounds neat, and the smaller the footprint, the better for 
my
project.

On Sat, Mar 16, 2013 at 2:54 PM, Charles Oliver Nutter