From: orbit-dev-bounces@xxxxxxxxxxx
[mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of DJ Houghton
Sent: Thursday, May 29, 2008 10:09 AM
To: Orbit Developer discussion
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning
I
checked my old emails and the about.html is the one that was given to me by our
legal team. It contains the following lines and I believe this should suffice:
<p>NOTE:
Although the SSH2 protocol depends on cryptographic algorithms, JSch relies on
a Java™ Cryptography Extension (JCE)
to provide this
functionality and does not in itself contain any cryptographic code.</p>
"Jeff
McAffer" <jeff@xxxxxxxxx>
|
"Jeff
McAffer" <jeff@xxxxxxxxx>
Sent by: orbit-dev-bounces@xxxxxxxxxxx
05/29/2008 09:08
AM
|
Please respond to
Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>
|
|
|
To
|
"'Orbit Developer discussion'"
<orbit-dev@xxxxxxxxxxx>
|
|
cc
|
|
|
Subject
|
RE: [orbit-dev] JSch 0.1.28 Cryptography
warning
|
|
This is a topic for the legal team (legal@xxxxxxxxxxx).
The relevant points are
a) 0.1.28 is not current and is not used in current
releases
b) we generally cannot remove old libs as David
points out
The conclusion to this will be met by measuring the
real/perceived risk against the drawbacks of removing the content.
Jeff
From: orbit-dev-bounces@xxxxxxxxxxx [mailto:orbit-dev-bounces@xxxxxxxxxxx]
On Behalf Of David M Williams
Sent: Thursday, May 29, 2008 8:59 AM
To: Orbit Developer discussion
Subject: Re: [orbit-dev] JSch 0.1.28 Cryptography warning
I don't know the answers to the main questions you are asking, but will point
out that we need to keep 'old' content for quite a while, if not forever,
since even Callisto is still still considered "in maintenance mode"
by some adopters. In other words, they might want/need to re-build it at some
point.
That said, we can certainly "deprecate" bundles, and recommend more
recent ones be used. I've done that for javax.wsdl15, and have documented that
in the "notes" section of our build page table. (which comes from the
individual IP logs).
And, naturally, if there really is something "wrong" with the
license, and we've discovered in hindsight we should not be re-distributing it,
then yes, that can and should still be removed for legal reasons (and those old
Callisto folks doing maintenance would have to figure out their own solutions
:)
|
From:
|
"Oberhuber,
Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
|
|
To:
|
"Atsuhiko
Yamanaka" <ymnk@xxxxxxxxxx>, <jeff@xxxxxxxxx>,
<legal@xxxxxxxxxxx>, "Orbit Developer discussion"
<orbit-dev@xxxxxxxxxxx>
|
|
Date:
|
05/29/2008
08:46 AM
|
|
Subject:
|
[orbit-dev]
JSch 0.1.28 Cryptography warning
|
Hi all,
A kind reviewer noticed while reviewing Orbit:
5. Jcraft.jsch
0.1.28 does not
contain the same Cryptography warning as the other versions. Is that because it
does not contain the same encryption methods?
I have some questions about this:
- Version 0.1.28 is really legacy (from the 3.2 / Callisto
Stream!), 0.1.31 was used in Europa and 0.1.37 is now current in
Ganymede) .
That being said, do we even bother about his observation? Would we want
to remove JSch 0.1.28 from the Orbit ZIP just to be on the safe side? How
would we do that? I'd think that if we do not release 0.1.28 any more
we'd not need to bother any more... have we ever "obsoleted" a
bundle from Orbit before? Is this something we want to do?
- Atsuhiko, what do you think about this observation?
Cheers,
--
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orbit-dev
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orbit-dev_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orbit-dev
