Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Mark Waite
Harshit believes he has found a way to make the code work with sshj.  He's
pulled back from maverick-synergy for the moment.

If someone with skills in Java handling of ssh private keys would like to
provide some coaching, I'm sure Harshit would be grateful.  I am not
skilled at API level interactions with ssh private keys.  Next mentoring
session is Friday July 23, 2021 at 2:00 AM UTC.  Other times can be
arranged if needed.

On Wed, Jul 21, 2021 at 4:41 PM Jesse Glick  wrote:

> On Wed, Jul 21, 2021 at 2:32 AM wfoll...@cloudbees.com <
> wfollon...@cloudbees.com> wrote:
>
>> if we want to keep our dependencies safe, using only popular ones is a
>> good practice
>>
>
> Especially if this is going into a popular plugin like `git`.
>
> Whatever the problems with BouncyCastle are, can they be worked around? Or
> a patch offered upstream?
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to jenkinsci-dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/CAO49JtEs2mKWxvrA75kS7PwQ511pJj%2B%3Dij7YRMSZMS3sNi27jw%40mail.gmail.com.


Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Jesse Glick
On Wed, Jul 21, 2021 at 2:32 AM wfoll...@cloudbees.com <
wfollon...@cloudbees.com> wrote:

> if we want to keep our dependencies safe, using only popular ones is a
> good practice
>

Especially if this is going into a popular plugin like `git`.

Whatever the problems with BouncyCastle are, can they be worked around? Or
a patch offered upstream?



Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Matt Sicker
I agree that security related dependencies should have an upstream security
policy. Not every popular project bothers to file CVEs, either, especially
solo projects that didn’t have any past CVEs. While GitHub’s vulnerability
reporting feature has helped improve this somewhat, it’s still hit or miss.

On Wed, Jul 21, 2021 at 05:15 'Daniel Beck' via Jenkins Developers <
jenkinsci-dev@googlegroups.com> wrote:

>
>
> > On 21. Jul 2021, at 04:39, Mark Waite  wrote:
> >
> > The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an
> LGPL3 licensed library in a Jenkins plugin?
> >
>
> The governance document explicitly allows LGPL even for use in core.
>
> We don't care about plugins distributed by the project, as long as it's
> OSI approved.
>
> https://www.jenkins.io/project/governance/#license
>
>



Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread 'Daniel Beck' via Jenkins Developers
> On 21. Jul 2021, at 04:39, Mark Waite  wrote:
> 
> The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an 
> LGPL3 licensed library in a Jenkins plugin?
> 

The governance document explicitly allows LGPL even for use in core.

We don't care about plugins distributed by the project, as long as it's OSI 
approved.

https://www.jenkins.io/project/governance/#license



Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread kdela...@cloudbees.com
Hi all,

The LGPL, like the GPL, imposes substantial limitations on those who create 
and distribute derivative works based on works that use these licenses.

However, the LGPL was originally known as the Library General Public 
License, because LGPL-licensed libraries can be linked with non-GPL 
licensed programs, including proprietary software.

This is in contrast to the GPL:  If such linking is done with a library 
under the GPL and the proprietary program and library were distributed 
together under the proprietary license, the GPL would be violated.

You can read the LGPL license here: 
https://www.gnu.org/licenses/lgpl-3.0.en.html.  And a bit more on the 
advantages or disadvantages of LGPL for libraries here: 
https://www.gnu.org/licenses/why-not-lgpl.html

Kind regards,
Kara

On Wednesday, July 21, 2021 at 7:32:18 AM UTC+1 wfoll...@cloudbees.com 
wrote:

> Hello Mark,
>
> I dunno about the license aspect, but just adding a bit of color about the 
> library itself. Their GitHub 
>  has only 13 Stars / 9 
> Forks, with 1 main contributor and 2 others. 
>
> This means that the library will not necessarily receive the same security 
> attention as a library like BouncyCastle / Apache Commons, etc. If there is 
> a vulnerability in it, perhaps nobody will find it for 3-4 years, and if 
> it is found, to hope to find it via scanners, we have to assume they have 
> a security release process including CVE publication and also assume the 
> scanners will take care of their CVEs (normally that part is "easy").
>
> IOW if we want to keep our dependencies safe, using only popular ones is a 
> good practice. 
>
> Not blocking the request, just trying to inform about the potential risk I 
> am seeing there ;-)
>
> Wadeck
> On Wednesday, July 21, 2021 at 4:39:23 AM UTC+2 Mark Waite wrote:
>
>> Harshit Chopra's work creating a private key credential binding for 
>> command line git has encountered difficulties with reading and writing ssh 
>> private keys.
>>
>> The library that seems to best fit his needs for reading and writing ssh 
>> private keys is the maverick-synergy library.  Other libraries 
>> (bouncycastle, sshj) have had various problems in implementation.
>>
>> The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an 
>> LGPL3 licensed library in a Jenkins plugin?
>>
>> Mark Waite
>>
>



Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread wfoll...@cloudbees.com
Hello Mark,

I dunno about the license aspect, but just adding a bit of color about the 
library itself. Their GitHub  has 
only 13 Stars / 9 Forks, with 1 main contributor and 2 others. 

This means that the library will not necessarily receive the same security 
attention as a library like BouncyCastle / Apache Commons, etc. If there is 
a vulnerability in it, perhaps nobody will find it for 3-4 years, and if 
it is found, to hope to find it via scanners, we have to assume they have 
a security release process including CVE publication and also assume the 
scanners will take care of their CVEs (normally that part is "easy").

IOW if we want to keep our dependencies safe, using only popular ones is a 
good practice. 

Not blocking the request, just trying to inform about the potential risk I 
am seeing there ;-)

Wadeck
On Wednesday, July 21, 2021 at 4:39:23 AM UTC+2 Mark Waite wrote:

> Harshit Chopra's work creating a private key credential binding for 
> command line git has encountered difficulties with reading and writing ssh 
> private keys.
>
> The library that seems to best fit his needs for reading and writing ssh 
> private keys is the maverick-synergy library.  Other libraries 
> (bouncycastle, sshj) have had various problems in implementation.
>
> The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an 
> LGPL3 licensed library in a Jenkins plugin?
>
> Mark Waite
>



Allowed licenses for libraries in Jenkins plugins?

2021-07-20 Thread Mark Waite
Harshit Chopra's work creating a private key credential binding for command 
line git has encountered difficulties with reading and writing ssh private 
keys.

The library that seems to best fit his needs for reading and writing ssh 
private keys is the maverick-synergy library.  Other libraries 
(bouncycastle, sshj) have had various problems in implementation.

The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an 
LGPL3 licensed library in a Jenkins plugin?

Mark Waite
