RE: [orbit-dev] JSch 0.1.28 Cryptography warning

Thanks DJ.  I had understood the problem here to be that some old version of JSCH was incorrect.  Are we going to update the old one?  Seems ok to me…

 

Jeff

 

From: orbit-dev-bounces@xxxxxxxxxxx [mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of DJ Houghton
Sent: Thursday, May 29, 2008 10:09 AM
To: Orbit Developer discussion
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning

 

I checked my old emails and the about.html is the one that was given to me by our legal team. It contains the following lines and I believe this should suffice:

<p>NOTE: Although the SSH2 protocol depends on cryptographic algorithms, JSch relies on a Java&trade; Cryptography Extension (JCE)
to provide this functionality and does not in itself contain any cryptographic code.</p>



From: "Jeff McAffer" <jeff@xxxxxxxxx>
Sent by: orbit-dev-bounces@xxxxxxxxxxx
Date: 05/29/2008 09:08 AM
Please respond to: Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>
To: "'Orbit Developer discussion'" <orbit-dev@xxxxxxxxxxx>
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning

 


This is a topic for the legal team (legal@xxxxxxxxxxx). The relevant points are
a) 0.1.28 is not current and is not used in current releases
b) we generally cannot remove old libs as David points out

The conclusion to this will be met by measuring the real/perceived risk against the drawbacks of removing the content.

Jeff

From: orbit-dev-bounces@xxxxxxxxxxx [mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of David M Williams
Sent: Thursday, May 29, 2008 8:59 AM
To: Orbit Developer discussion
Subject: Re: [orbit-dev] JSch 0.1.28 Cryptography warning



I don't know the answers to the main questions you are asking, but will point out that we need to keep 'old' content for quite a while, if not forever, since even Callisto is still considered "in maintenance mode" by some adopters. In other words, they might want/need to re-build it at some point.


That said, we can certainly "deprecate" bundles, and recommend more recent ones be used. I've done that for javax.wsdl15, and have documented that in the "notes" section of our build page table. (which comes from the individual IP logs).


And, naturally, if there really is something "wrong" with the license, and we've discovered in hindsight we should not be re-distributing it, then yes, that can and should still be removed for legal reasons (and those old Callisto folks doing maintenance would have to figure out their own solutions :)


From: "Oberhuber, Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
To: "Atsuhiko Yamanaka" <ymnk@xxxxxxxxxx>, <jeff@xxxxxxxxx>, <legal@xxxxxxxxxxx>, "Orbit Developer discussion" <orbit-dev@xxxxxxxxxxx>
Date: 05/29/2008 08:46 AM
Subject: [orbit-dev] JSch 0.1.28 Cryptography warning





Hi all,


A kind reviewer noticed while reviewing Orbit:


5. Jcraft.jsch 0.1.28 does not contain the same Cryptography warning as the other versions. Is that because it does not contain the same encryption methods?

I have some questions about this:

    • Version 0.1.28 is really legacy (from the 3.2 / Callisto Stream!), 0.1.31 was used in Europa and 0.1.37 is now current in Ganymede.
      That being said, do we even bother about his observation? Would we want to remove JSch 0.1.28 from the Orbit ZIP just to be on the safe side? How would we do that? I'd think that if we do not release 0.1.28 any more we'd not need to bother any more... have we ever "obsoleted" a bundle from Orbit before? Is this something we want to do?
    • Atsuhiko, what do you think about this observation?

Cheers,
--

Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member

http://www.eclipse.org/dsdp/tm
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx

https://dev.eclipse.org/mailman/listinfo/orbit-dev