I agree that security-related dependencies should have an upstream security
policy. Not every popular project bothers to file CVEs, either, especially
solo projects that didn’t have any past CVEs. While GitHub’s vulnerability
reporting feature has helped improve this somewhat, it’s still hit or miss.

On Wed, Jul 21, 2021 at 05:15 'Daniel Beck' via Jenkins Developers
<jenkinsci-dev@googlegroups.com> wrote:

>
>
> > On 21. Jul 2021, at 04:39, Mark Waite <mark.earl.wa...@gmail.com> wrote:
> >
> > The maverick-synergy library is LGPL3 licensed. Is it allowed to use an
> > LGPL3 licensed library in a Jenkins plugin?
> >
>
> The governance document explicitly allows LGPL even for use in core.
>
> We don't care about plugins distributed by the project, as long as it's
> OSI approved.
>
> https://www.jenkins.io/project/governance/#license
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-dev+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jenkinsci-dev/FE58146B-EDF8-4A85-888A-F2E5E4ACCD6F%40beckweb.net
> .
>
