Re: [cross-project-issues-dev] Is jsch finally dead?
I agree McQ.

> Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate
> his license violation concerns and propose to consider moving the project to the Eclipse Foundation.

This sounds like a reasonable approach. Matthias, can you follow up on that?

Dani

From: "Mike Wilson" <Mike_Wilson@xxxxxxxxxx>
To: cross-project-issues-dev@xxxxxxxxxxx
Date: 30.11.2018 16:12
Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx

> I think it's not a good situation to depend on a library which is maintained by a single person/company
> but not accepting contributions with sources excluding tests and no public history of the source code.

Agree. For something with obvious security implications, the source code issue is the most important to me. I have no doubts about the integrity of JCraft, but even accidental issues can have major consequences.

McQ.

----- Original message -----
From: Matthias Sohn <matthias.sohn@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Cc:
Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
Date: Thu, Nov 29, 2018 4:32 PM

A new version of jsch 0.1.55 [1] was released on Maven central hence I once more tried to contact Atsuhiko and finally he responded. Find his response below.

This means we have the following situation regarding jsch:
- there are public releases published on Maven central including source archives which do not contain tests
- Jcraft keeps the source code repository private and there is no public source code repository
- Jcraft accepts bug reports on the jsch-users mailing list
- Jcraft does not accept source code contributions due to license violation concerns

Meanwhile Thomas Wolf created an alternative implementation for JGit and EGit based on mina-sshd [3] (kudos to Thomas). With our next release 5.2 which will be shipped with 2018-12 EGit and JGit will come with both a jsch and a mina-sshd based implementation and users can choose the implementation they want to use. For 5.2 jsch will still be the default until the mina-sshd based solution has proven to be stable.

I think it's not a good situation to depend on a library which is maintained by a single person/company but not accepting contributions with sources excluding tests and no public history of the source code. As we experienced in the last 2 years this can mean having no maintenance for an extended period.

Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate his license violation concerns and propose to consider moving the project to the Eclipse Foundation.

[references] are given in forwarded email below.

-Matthias

---------- Forwarded message ---------
From: Atsuhiko Yamanaka <ymnk@xxxxxxxxxx>
Date: Thu, Nov 29, 2018 at 3:13 PM
Subject: Re: jsch maintenance and source code repository
To: <matthias.sohn@xxxxxxxxx>
Cc: <thomas.wolf@xxxxxxxxxx>
Hi,
Sorry for our delay.
On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?
We have been developing it for almost 16 years, and will continue it.
We started that software to add the X forwarding functionality to our
pure Java X server
for our customers, so we have strong motivations to continue it.
> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch
So, yes, we will continue maintaining jsch.
At present time, there is not a public repository,
and we will accept bug reports at jsch-users mailing list.
We hesitate to accept source code due to the license violation concerns.
Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
<-- address data redacted -->

---------- Forwarded message ---------
From: Matthias Sohn <matthias.sohn@xxxxxxxxx>
Date: Thu, Nov 29, 2018 at 1:09 AM
Subject: jsch maintenance and source code repository
To: <atsuhiko.yamanaka@xxxxxxxxx>
Cc: Thomas Wolf <thomas.wolf@xxxxxxxxxx>

Hi Atsuhiko,

I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?

We missed you at Eclipse [2] and came to the impression that jsch is no longer maintained. I tried several times in the last 2 years to reach you or your company to clarify if jsch is still maintained since it's not a good situation to depend on a security relevant library which is no longer maintained.

During the last 2 years we implemented a number of workarounds in JGit to workaround bugs in jsch. Since we didn't get any response for all emails sent to you and your company and there was no activity in the jsch sourceforge project we discussed if we should fork jsch in order to continue maintenance. But then we couldn't find a source code repository for jsch with the jsch source code history and we also couldn't find unit tests. Hence Thomas created an alternative implementation for JGit using Apache mina-sshd [2]. The next version JGit 5.2 to be released before Christmas will come with both the jsch and the new mina-sshd based implementation.

Could you let us know
- if you intend to continue maintaining jsch
- where we can find the source code repository
- if and how you accept contributions for jsch

[1] https://search.maven.org/artifact/com.jcraft/jsch/0.1.55/jar
http://www.jcraft.com/jsch/
http://www.jcraft.com/jsch/ChangeLog
[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg16175.html
[3] https://www.eclipse.org/lists/egit-dev/msg04556.html

-Matthias

On Fri, Nov 2, 2018 at 4:29 PM Mat Booth <mat.booth@xxxxxxxxxx> wrote:

I filed a bug against Equinox too. It could also be updated to consume the latest version of org.apache.sshd: https://bugs.eclipse.org/bugs/show_bug.cgi?id=540728

On Fri, 2 Nov 2018 at 14:47, Greg Watson <g.watson@xxxxxxxxxxxx> wrote:

I've opened a bug against Platform/Team (since this seems to be where jsch resides) [1]. It seems like EGit's Apache Mina work might be a good starting point.

Regards,
Greg

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727

On Nov 2, 2018, at 8:16 AM, Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

Also see this earlier discussion [1] on this list.

The biggest problem with jsch is that there seems to be no known public source code repository containing the project's real source code history including tests.
- There are a couple of public jsch repositories [2] but they all seem to contain just snapshots of source archives downloaded from Maven central. None of these repositories contain any jsch tests.
- There are the source archives available on Maven Central [3]
- and zip archives uploaded on sourceforge [4].

[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg14979.html
[2] https://github.com/is/jsch
https://github.com/vngx/vngx-jsch
https://github.com/rtyley/jsch
https://github.com/ePaul/jsch-documentation
https://github.com/feiqitian/JSch
https://github.com/octo47/jsch
https://gitlab.com/farmboy0/jsch
[3] https://search.maven.org/search?q=g:com.jcraft%20AND%20a:jsch&core=gav
[4] https://sourceforge.net/projects/jsch/files/jsch/

On Fri, Nov 2, 2018 at 12:22 PM Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

I tried several times to reach the jsch maintainer and his company but never got a response. We implemented a couple of workarounds around jsch bugs in JGit and are tired to do so. Hence Thomas Wolf started an alternative implementation for JGit and EGit based on Apache Mina sshd. See https://bugs.eclipse.org/bugs/show_bug.cgi?id=520927

-Matthias

On Fri, Nov 2, 2018 at 12:05 PM Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:

It looks like. We use it in the IDE and in EGit. See here: https://bugs.eclipse.org/bugs/show_bug.cgi?id=540652

-Gunnar
--
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx,
http://guw.io/

On Nov 2, 2018, at 02:19, Greg Watson <g.watson@xxxxxxxxxxxx> wrote:

This question has been asked before, but I think it's time to ask it again. The last version of jsch was 0.1.54 in Sep 2016 and there doesn't seem to have been any development since then. Given the number of projects that depend on a decent ssh implementation, and the numerous bugs that still exist in jsch, what are the plans for maintaining and/or replacing it?

Thanks,
Greg
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev