RE: [orbit-dev] JSch 0.1.28 Cryptography warning
Probably the encryption in JSch:
com.jcraft.jsch.jcraft.HMAC
was indeed added after 0.1.28 -- let's wait for Atsuhiko to comment, ok?
Cheers,
--
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm
________________________________
From: orbit-dev-bounces@xxxxxxxxxxx
[mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of Jeff McAffer
Sent: Thursday, May 29, 2008 4:23 PM
To: 'Orbit Developer discussion'
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning
Thanks DJ. I had understood the problem here to be that some
old version of JSCH was incorrect. Are we going to update the old one?
Seems ok to me...
Jeff
From: orbit-dev-bounces@xxxxxxxxxxx
[mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of DJ Houghton
Sent: Thursday, May 29, 2008 10:09 AM
To: Orbit Developer discussion
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning
I checked my old emails and the about.html is the one that was
given to me by our legal team. It contains the following lines and I
believe this should suffice:
<p>NOTE: Although the SSH2 protocol depends on cryptographic
algorithms, JSch relies on a Java™ Cryptography Extension (JCE)
to provide this functionality and does not in itself contain any
cryptographic code.</p>
"Jeff McAffer" <jeff@xxxxxxxxx>
Sent by: orbit-dev-bounces@xxxxxxxxxxx
05/29/2008 09:08 AM
Please respond to: Orbit Developer discussion <orbit-dev@xxxxxxxxxxx>
To: "'Orbit Developer discussion'" <orbit-dev@xxxxxxxxxxx>
cc:
Subject: RE: [orbit-dev] JSch 0.1.28 Cryptography warning
This is a topic for the legal team (legal@xxxxxxxxxxx). The
relevant points are
a) 0.1.28 is not current and is not used in current releases
b) we generally cannot remove old libs as David points out
The conclusion to this will be met by measuring the
real/perceived risk against the drawbacks of removing the content.
Jeff
From: orbit-dev-bounces@xxxxxxxxxxx
[mailto:orbit-dev-bounces@xxxxxxxxxxx] On Behalf Of David M Williams
Sent: Thursday, May 29, 2008 8:59 AM
To: Orbit Developer discussion
Subject: Re: [orbit-dev] JSch 0.1.28 Cryptography warning
I don't know the answers to the main questions you are asking,
but will point out that we need to keep 'old' content for quite a while,
if not forever,
since even Callisto is still considered "in maintenance
mode" by some adopters. In other words, they might want/need to re-build
it at some point.
That said, we can certainly "deprecate" bundles, and recommend
more recent ones be used. I've done that for javax.wsdl15, and have
documented that in the "notes" section of our build page table. (which
comes from the individual IP logs).
And, naturally, if there really is something "wrong" with the
license, and we've discovered in hindsight we should not be
re-distributing it, then yes, that can and should still be removed for
legal reasons (and those old Callisto folks doing maintenance would have
to figure out their own solutions :)
From: "Oberhuber, Martin" <Martin.Oberhuber@xxxxxxxxxxxxx>
To: "Atsuhiko Yamanaka" <ymnk@xxxxxxxxxx>, <jeff@xxxxxxxxx>, <legal@xxxxxxxxxxx>, "Orbit Developer discussion" <orbit-dev@xxxxxxxxxxx>
Date: 05/29/2008 08:46 AM
Subject: [orbit-dev] JSch 0.1.28 Cryptography warning
________________________________
Hi all,
A kind reviewer noticed while reviewing Orbit:
5. Jcraft.jsch 0.1.28 does not contain the same Cryptography
warning as the other versions. Is that because it does not contain the
same encryption methods?
I have some questions about this:
* Version 0.1.28 is really legacy (from the 3.2 /
Callisto Stream!), 0.1.31 was used in Europa and 0.1.37 is now current
in Ganymede.
That being said, do we even bother about his
observation? Would we want to remove JSch 0.1.28 from the Orbit ZIP just
to be on the safe side? How would we do that? I'd think that if we do
not release 0.1.28 any more we'd not need to bother any more... have we
ever "obsoleted" a bundle from Orbit before? Is this something we want
to do?
* Atsuhiko, what do you think about this
observation?
Cheers,
--
Martin Oberhuber, Senior Member of Technical Staff, Wind River
Target Management Project Lead, DSDP PMC Member
http://www.eclipse.org/dsdp/tm
_______________________________________________
orbit-dev mailing list
orbit-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/orbit-dev


