Re: [cross-project-issues-dev] Is jsch finally dead?

["Mike Wilson" <Mike_Wilson@xxxxxxxxxx>]

> I think it's not a good situation to depend on a library which is maintained by a single person/company

> but not accepting contributions with sources excluding tests and no public history of the source code.

>

Agree. For something with obvious security implications, the source code issue is the most important to me. I have no doubts about the integrity of JCraft, but even accidental issues can have major consequences. 

 

McQ.

 

----- Original message -----
From: Matthias Sohn <matthias.sohn@xxxxxxxxx>
Sent by: cross-project-issues-dev-bounces@xxxxxxxxxxx
To: Cross project issues <cross-project-issues-dev@xxxxxxxxxxx>
Cc:
Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
Date: Thu, Nov 29, 2018 4:32 PM
 

A new version of jsch 0.1.55 [1] was released on Maven central hence I once more

tried to contact Atsuhiko and finally he responded. Find his response below.

 

This means we have the following situation regarding jsch:

• there are public releases published on Maven central including source archives which do not contain tests
• Jcraft keeps the source code repository private and there is no public source code repository
• Jcraft accepts bug reports on the jsch-users mailing list
• Jcraft does not accept source code contributions due to license violation concerns

Meanwhile Thomas Wolf created an alternative implementation for JGit and EGit based on

mina-sshd [3] (kudos to Thomas). With our next release 5.2 which will be shipped with 2018-12

EGit and JGit will come with both a jsch and a mina-sshd based implementation and users can choose

the implementation they want to use. For 5.2 jsch will still be the default until the mina-sshd based solution

has proven to be stable.

 

I think it's not a good situation to depend on a library which is maintained by a single person/company

but not accepting contributions with sources excluding tests and no public history of the source code.

As we experienced in the last 2 years this can mean having no maintenance for an extended period.

 

Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate

his license violation concerns and propose to consider moving the project to the Eclipse Foundation.

 

[references] are given in forwarded email below.

 

-Matthias

 

---------- Forwarded message ---------
From: Atsuhiko Yamanaka <ymnk@xxxxxxxxxx>
Date: Thu, Nov 29, 2018 at 3:13 PM
Subject: Re: jsch maintenance and source code repository
To: <matthias.sohn@xxxxxxxxx>
Cc: <thomas.wolf@xxxxxxxxxx>

Hi,

Sorry for our delay.

On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?

We have been developing it for almost 16 years, and will continue it.
We started that software to add the X forwarding functionality to our
pure Java X server
for our customers, so we have strong motivations to continue it.

> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch

So, yes, we will continue maintaining jsch.
At present time, there is not a public repository,
and we will accept bug reports at jsch-users mailing list.
We hesitate to accept source code due to the license violation concerns.


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
<-- address data redacted -->
 

---------- Forwarded message ---------
From: Matthias Sohn <matthias.sohn@xxxxxxxxx>
Date: Thu, Nov 29, 2018 at 1:09 AM
Subject: jsch maintenance and source code repository
To: <atsuhiko.yamanaka@xxxxxxxxx>
Cc: Thomas Wolf <thomas.wolf@xxxxxxxxxx>

 

Hi Atsuhiko,

 

I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?

 

We missed you at Eclipse [2] and came to the impression that jsch is no longer maintained.

I tried several times in the last 2 years to reach you or your company to clarify if jsch is still

maintained since it's not a good situation to depend on a security relevant library which is

no longer maintained. 

 

During the last 2 years we implemented a number of workarounds in JGit to workaround

bugs in jsch.

 

Since we didn't get any response for all emails sent to you and your company

and there was no activity in the jsch sourceforge project we discussed if we should fork jsch

in order to continue maintenance. But then we couldn't find a source code repository for jsch

with the jsch source code history and we also couldn't find unit tests. Hence Thomas created

an alternative implementation for JGit using Apache mina-sshd [2]. The next version JGit 5.2

to be released before Christmas will come with both the jsch and the new mina-sshd based

implementation.

 

Could you let us know

- if you intend to continue maintaining jsch

- where we can find the source code repository

- if and how you accept contributions for jsch

 

[1] https://search.maven.org/artifact/com.jcraft/jsch/0.1.55/jar

http://www.jcraft.com/jsch/

http://www.jcraft.com/jsch/ChangeLog

[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg16175.html

[3] https://www.eclipse.org/lists/egit-dev/msg04556.html

 

-Matthias

 

On Fri, Nov 2, 2018 at 4:29 PM Mat Booth <mat.booth@xxxxxxxxxx> wrote:

I filed a bug against Equinox too. It could also be updated to consume the latest version of org.apache.sshd: https://bugs.eclipse.org/bugs/show_bug.cgi?id=540728

 

On Fri, 2 Nov 2018 at 14:47, Greg Watson <g.watson@xxxxxxxxxxxx> wrote:

I've opened a bug against Platform/Team (since this seems to be where jsch resides) [1]. It seems like EGit's Apache Mina work might be a good starting point.

 

Regards,

Greg

 

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727

 

On Nov 2, 2018, at 8:16 AM, Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

 

Also see this earlier discussion [1] on this list.

 

The biggest problem with jsch is that there seems to be no known public source code repository containing

the project's real source code history including tests.

• There are a couple of public jsch repositories [2] but they all seem to contain just snapshots of
  source archives downloaded from Maven central. None of these repositories contain any jsch tests.
• There are the source archives available on Maven Central [3] 
• and zip archives uploaded on sourceforge [4].

[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg14979.html

[2] https://github.com/is/jsch

https://github.com/vngx/vngx-jsch

https://github.com/rtyley/jsch

https://github.com/ePaul/jsch-documentation

https://github.com/feiqitian/JSch

https://github.com/octo47/jsch

https://gitlab.com/farmboy0/jsch

[3] https://search.maven.org/search?q=g:com.jcraft%20AND%20a:jsch&core=gav

[4] https://sourceforge.net/projects/jsch/files/jsch/

 

On Fri, Nov 2, 2018 at 12:22 PM Matthias Sohn <matthias.sohn@xxxxxxxxx> wrote:

I tried several times to reach the jsch maintainer and his company but never got a response.

We implemented a couple of workarounds around jsch bugs in JGit and are tired to do so.

 

Hence Thomas Wolf started an alternative implementation for JGit and EGit based on Apache Mina sshd.

See https://bugs.eclipse.org/bugs/show_bug.cgi?id=520927

 

-Matthias

 

On Fri, Nov 2, 2018 at 12:05 PM Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:

It looks like. We use it in the IDE and in EGit.

 

See here:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=540652

 

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/

 

 

 

On Nov 2, 2018, at 02:19, Greg Watson <g.watson@xxxxxxxxxxxx> wrote:

 

This question has been asked before, but I think it's time to ask it again. The last version of jsch was 0.1.54 in Sep 2016 and there doesn't seem to have been any development since then. Given the number of projects that depend on a decent ssh implementation, and the numerous bugs that still exist in jsch, what are the plans for maintaining and/or replacing it?

Thanks,
Greg
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev