JRuby without encryption

Mark_McCraw · March 15, 2013, 4:35pm

Hi All,

I’m struggling to figure out a way to be able to use JRuby for a project
inside my company, and since this software will ship everywhere, I need
to
be able to verify that JRuby doesn’t violate export restrictions. I
found
this post:

http://old.nabble.com/Re:-Moving-jruby-ossl-into-JRuby-proper-p33764845.html

from last year indicating that BouncyCastle libraries are now bundled in
JRuby (and digging through jruby-complete, I can verify that they are
indeed!). The libraries are classified as 5D002, which is a red flag
for
anyone who is directly distributing software outside the US or Canada,
because it means they have to get licenses or license exceptions for
every
other country (I spent a very informative two hours on the phone with
the
company attorney specializing in export restrictions this morning). My
company has done that legwork, but there are some place you just can’t
ship
5D002 software to (sorry Russia and China!). It’s kind of a deal
breaker.

My project doesn’t need anything from OpenSSL. From reading the post,
it
is clear that someone (hi Charlie!) has given folks in my position due
consideration, so I’m guessing it’s not too hard to strip those pieces
out.
Of course, it would be awesome if there were already a distribution
without those pieces. Perchance is there? If not, I’m going to try it
myself, and if that’s the case, is there interest in me contributing
back
what that looks like to the community (and how would that work? Is
there
any information on the build/packaging mechanisms that create
jruby-complete, and would it be terribly difficult to extend them to
drop
encryption modules from the distribution?)

Thanks!
Mark

Mark_McCraw · March 16, 2013, 8:37am

You may be interested to know that Ruboto strips a lot of stuff out of
JRuby to make it fit an Android device. Within the Ruboto gem there is a
file called update.rb which does this. It may be a useful example.
…R

Mark_McCraw · March 16, 2013, 7:57pm

Hello there!

On Fri, Mar 15, 2013 at 10:33 AM, Mark McCraw [email protected]
wrote:

JRuby (and digging through jruby-complete, I can verify that they are
indeed!). The libraries are classified as 5D002, which is a red flag for
anyone who is directly distributing software outside the US or Canada,
because it means they have to get licenses or license exceptions for every
other country (I spent a very informative two hours on the phone with the
company attorney specializing in export restrictions this morning). My
company has done that legwork, but there are some place you just can’t ship
5D002 software to (sorry Russia and China!). It’s kind of a deal breaker.

We have not had a lawyer help us with this (expensive, need to find
someone at Red Hat I support) but my understanding was that since
BouncyCastle is 5D002 with license exemption TSU, exporting just
requires notification that it will be shipped. It was not clear if
it’s enough to say we use BouncyCastle since BouncyCastle themselves
have notices about export rules on their project.

5D002 appears to be incredibly common for export designation. Look at
the list of Apache projects that are 5D002:

If it’s really a deal breaker to have the libs in there, then there
are options…

My project doesn’t need anything from OpenSSL. From reading the post, it is
clear that someone (hi Charlie!) has given folks in my position due
consideration, so I’m guessing it’s not too hard to strip those pieces out.
Of course, it would be awesome if there were already a distribution without
those pieces. Perchance is there? If not, I’m going to try it myself, and
if that’s the case, is there interest in me contributing back what that
looks like to the community (and how would that work? Is there any
information on the build/packaging mechanisms that create jruby-complete,
and would it be terribly difficult to extend them to drop encryption modules
from the distribution?)

There’s no trivial way to remove them (no build flag, etc) but
stripping out bouncycastle (and openssl) would simply be a matter of
deleting them. From JRuby 1.7.2 on, we ship both jruby-openssl and BC
as jars, either in lib/ruby/shared for exploded distribution, or in
jruby-complete.jar for packaged distribution. Removing those jar files
plus lib/ruby/shared/openssl would do it.

I knew we’d have to cross this bridge at some point. We’re hoping to
work closer with Martin Boßlet to get his “krypt” library up to a
level where we could drop BC and just use what comes with JDK. We’re
also willing to explore the possibility of a crypto-free build. But
your best bet, if you don’t need crypto, is to just remove it yourself
(and perhaps provide a build patch that makes it easier).

Charlie

Mark_McCraw · March 18, 2013, 3:35pm

Thanks for the replies! I’ve added a new target to the build which
produces a jruby-complete without encryption, and created a pull request
to
drag that into trunk, if it seems reasonable. I’ll also look into
Ruboto,
because that sounds neat, and the smaller the footprint, the better for
my
project.

On Sat, Mar 16, 2013 at 2:54 PM, Charles Oliver N.