Hi all,

The LGPL, like the GPL, imposes substantial limitations on those who create 
and distribute derivative works based on works that use these licenses.

However, the LGPL was originally known as the Library General Public 
License, because LGPL-licensed libraries can be linked with non-GPL 
licensed programs, including proprietary software.

This is in contrast to the GPL:  If such linking is done with a library 
under the GPL and the proprietary program and library were distributed 
together under the proprietary license, the GPL would be violated.

You can read the LGPL license here: 
https://www.gnu.org/licenses/lgpl-3.0.en.html.  And a bit more on the 
advantages or disadvantages of LGPL for libraries here: 
https://www.gnu.org/licenses/why-not-lgpl.html

Kind regards,
Kara
On Wednesday, July 21, 2021 at 7:32:18 AM UTC+1 wfoll...@cloudbees.com 
wrote:

> Hello Mark,
>
> I dunno for the license aspect, but just adding a bit of color about the 
> library itself. Their GitHub 
> <https://github.com/sshtools/maverick-synergy> has only 13 Stars / 9 
> Forks, with 1 main contributor and 2 others. 
>
> This means that the library will not necessarily receive the same security 
> attention as a library like BouncyCastle / Apache Commons, etc. If there is 
> a vulnerability in it, perhaps nobody will find it for 3-4 years, and if 
> it is found, to hope that scanners find it, we have to assume they have 
> a security release process including CVE publication and also assume the 
> scanners will take care of their CVEs (normally that part is "easy").
>
> IOW if we want to keep our dependencies safe, using only popular ones is a 
> good practice. 
>
> Not blocking the request, just trying to inform about the potential risk I 
> am seeing there ;-)
>
> Wadeck
> On Wednesday, July 21, 2021 at 4:39:23 AM UTC+2 Mark Waite wrote:
>
>> Harshit Chopra's work creating a private key credential binding for 
>> command line git has encountered difficulties with reading and writing ssh 
>> private keys.
>>
>> The library that seems to best fit his needs for reading and writing ssh 
>> private keys is the maverick-synergy library.  Other libraries 
>> (bouncycastle, sshj) have had various problems in implementation.
>>
>> The maverick-synergy library 
>> <https://www.jadaptive.com/en/products/java-ssh-synergy> is LGPL3 
>> licensed 
>> <https://github.com/sshtools/maverick-synergy/blob/master/LICENSE>.  Is 
>> it allowed to use an LGPL3 licensed library in a Jenkins plugin?
>>
>> Mark Waite
>>
>
