Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist

From: "Shan Shaji" <s.shaji@proxmox.com>
To: "Thomas Lamprecht" <t.lamprecht@proxmox.com>,
	"Dominik Csapak" <d.csapak@proxmox.com>,
	"Proxmox VE development discussion" <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH pve_flutter_frontend v2] chore: ios: add export compliance key to info.plist
Date: Mon, 29 Sep 2025 10:39:54 +0200	[thread overview]
Message-ID: <DD55DRW05MXW.21QK0X9IUGKGW@proxmox.com> (raw)
In-Reply-To: <57578ffc-d91c-49b9-a2ac-9d53f1b29d93@proxmox.com>

Thanks @Dominik and @Thomas for the review. AFAIU, We are currently using the `cupertino_http` 
package which internaly uses the URL LOADING SYSTEM of iOS. The URL LOADING SYSTEM [0] 
is using the platform APIs for SSL/TLS. Since it's platform APIs, in the
apple documentation they have mentioned "No documentation required in
App Store connect" [1][2]. 

However, I will do a thorough research again and will update it here. 

- [0] https://developer.apple.com/documentation/foundation/url-loading-system
- [1] https://developer.apple.com/help/app-store-connect/reference/export-compliance-documentation-for-encryption
- [2] https://developer.apple.com/documentation/security/complying-with-encryption-export-regulations

On Fri Sep 26, 2025 at 11:51 AM CEST, Thomas Lamprecht wrote:
> Am 26.09.25 um 11:21 schrieb Dominik Csapak:
>> I'm not a lawyer, but are you sure we are compliant with this?
>> 
>> the https client will use encryption, so it's not like we don't use
>> encryption at all.  (Especially with the cupertino_http package)
>
> We use it, but we do not implement it, which is the key point
> here.
>
>> I guess this is exempt, but having some reference for that (aside
>> some medium/reddit post) would be nice.
>> 
>> At least some kind of rationale in the commit would be good.
>> (IMHO 'we don't use proprietary encryption' is not a good reason

Makes sense, Sorry i should have added more details in the commit
message. Will send another patch with more details after doing some more
research on this. 

>> when also 'standard encryption' falls under the export regulation...)
>> @Thomas, what do you think?
>
> We basically only need to check if any of the used dependencies
> implements the (lower level) encryption that HTTPS builds upon
> themselves, compared to using the platform libraries for that.
> And doing so would be good in any case, which would be an actual
> blocker for us anyway, i.e. independent of legal compliance with
> app stores, as that needs to be thoroughly vetted then, and even
> if we could to that (which I don't think we got the capacity to
> thoroughly do for this, especially considering the ROI here),
> would still need other to feel somewhat confident.
>
> I quickly checked cupertino_http [0], and from what I saw it uses
> only iOS platform native interfaces for TLS and the like, if that
> holds true (please check closer), we would be indeed compliant and
> can indeed signal this through setting ITSAppUsesNonExemptEncryption
> flag to false.

Thanks thomas for checking it. I should have mentioned in the commit. We
are also using crypto package as well. So i also need to check how the
hashing algorithms are categorised in BIS. 

> [0]: https://github.com/dart-lang/http/tree/master/pkgs/cupertino_http/lib/src

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel