Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Mark Waite
Harshit believes he has found a way to make the code work with sshj. He's pulled back from maverick-synergy for the moment. If someone with skills in Java handling of ssh private keys would like to provide some coaching, I'm sure Harshit would be grateful. I am not skilled at API level

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Jesse Glick
On Wed, Jul 21, 2021 at 2:32 AM wfoll...@cloudbees.com <wfollon...@cloudbees.com> wrote:
> if we want to keep our dependencies safe, using only popular ones is a
> good practice

Especially if this is going into a popular plugin like `git`. Whatever the problems with BouncyCastle are, can

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread Matt Sicker
I agree that security related dependencies should have an upstream security policy. Not every popular project bothers to file CVEs, either, especially solo projects that didn’t have any past CVEs. While GitHub’s vulnerability reporting feature has helped improve this somewhat, it’s still hit or

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread 'Daniel Beck' via Jenkins Developers
> On 21. Jul 2021, at 04:39, Mark Waite wrote:
>
> The maverick-synergy library is LGPL3 licensed. Is it allowed to use an
> LGPL3 licensed library in a Jenkins plugin?

The governance document explicitly allows LGPL even for use in core. We don't care about plugins distributed by the

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread kdela...@cloudbees.com
Hi all, The LGPL, like the GPL, imposes substantial limitations on those who create and distribute derivative works based on works that use these licenses. However, the LGPL was originally known as the Library General Public License, because LGPL-licensed libraries can be linked with non-GPL

Re: Allowed licenses for libraries in Jenkins plugins?

2021-07-21 Thread wfoll...@cloudbees.com
Hello Mark, I dunno for the license aspect, but just adding a bit of color about the library itself. Their GitHub has only 13 Stars / 9 Forks, with 1 main contributor and 2 others. This means that the library will not necessarily receive the

Allowed licenses for libraries in Jenkins plugins?

2021-07-20 Thread Mark Waite
Harshit Chopra's work creating a private key credential binding for command line git has encountered difficulties with reading and writing ssh private keys. The library that seems to best fit his needs for reading and writing ssh private keys is the maverick-synergy library. Other libraries