A new version of jsch 0.1.55 [1] was released on Maven central, hence I once more
tried to contact Atsuhiko and finally he responded. Find his response below.
This means we have the following situation regarding jsch:
- there are public releases published on Maven central including source archives which do not contain tests
- Jcraft keeps the source code repository private and there is no public source code repository
- Jcraft accepts bug reports on the jsch-users mailing list
- Jcraft does not accept source code contributions due to license violation concerns
Meanwhile, Thomas Wolf created an alternative implementation for JGit and EGit based on
mina-sshd [3] (kudos to Thomas). With our next release 5.2, which will be shipped with 2018-12,
EGit and JGit will come with both a jsch and a mina-sshd based implementation and users can choose
the implementation they want to use. For 5.2 jsch will still be the default until the mina-sshd based solution
has proven to be stable.
I think it's not a good situation to depend on a library which is maintained by a single person/company
that does not accept contributions, with sources excluding tests and no public history of the source code.
As we experienced in the last 2 years, this can mean having no maintenance for an extended period.
Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate
his license violation concerns and propose to consider moving the project to the Eclipse Foundation.
[references] are given in the forwarded email below.
-Matthias
Hi,
Sorry for our delay.
On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back?
We have been developing it for almost 16 years, and will continue it.
We started that software to add the X forwarding functionality to our pure Java X server
for our customers, so we have strong motivations to continue it.
> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch
So, yes, we will continue maintaining jsch.
At the present time, there is not a public repository,
and we will accept bug reports at jsch-users mailing list.
We hesitate to accept source code due to the license violation concerns.
Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
<-- address data redacted -->
Hi Atsuhiko,
I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back?
We missed you at Eclipse [2] and came to the impression that jsch is no longer maintained.
I tried several times in the last 2 years to reach you or your company to clarify if jsch is still
maintained since it's not a good situation to depend on a security-relevant library which is
no longer maintained.
During the last 2 years we implemented a number of workarounds in JGit to work around
bugs in jsch.
Since we didn't get any response for all emails sent to you and your company
and there was no activity in the jsch sourceforge project we discussed if we should fork jsch
in order to continue maintenance. But then we couldn't find a source code repository for jsch
with the jsch source code history and we also couldn't find unit tests. Hence Thomas created
an alternative implementation for JGit using Apache mina-sshd [2]. The next version JGit 5.2
to be released before Christmas will come with both the jsch and the new mina-sshd based
implementation.
Could you let us know
- if you intend to continue maintaining jsch
- where we can find the source code repository
- if and how you accept contributions for jsch
-Matthias