Allowed licenses for libraries in Jenkins plugins?


Mark Waite

Jul 20, 2021, 10:39:23 PM
to Jenkins Developers
Harshit Chopra's work creating a private key credential binding for command line git has encountered difficulties with reading and writing ssh private keys.

The library that seems to best fit his needs for reading and writing ssh private keys is the maverick-synergy library.  Other libraries (bouncycastle, sshj) have had various problems in implementation.

The maverick-synergy library is LGPL3 licensed.  Is it allowed to use an LGPL3 licensed library in a Jenkins plugin?

Mark Waite

wfoll...@cloudbees.com

Jul 21, 2021, 2:32:18 AM
to Jenkins Developers
Hello Mark,

I dunno for the license aspect, but just adding a bit of color about the library itself. Their GitHub has only 13 Stars / 9 Forks, with 1 main contributor and 2 others.

This means that the library will not necessarily receive the same security attention as a library like BouncyCastle / Apache Commons, etc. If there is a vulnerability in it, perhaps nobody will find it for 3-4 years, and if it is found, to have any hope of scanners finding it we have to assume they have a security release process including CVE publication, and also assume the scanners will take care of their CVEs (normally that part is "easy").

IOW if we want to keep our dependencies safe, using only popular ones is a good practice.

Not blocking the request, just trying to inform about the potential risk I am seeing there ;-)

Wadeck

kdela...@cloudbees.com

Jul 21, 2021, 5:18:24 AM
to Jenkins Developers
Hi all,

The LGPL, like the GPL, imposes substantial limitations on those who create and distribute derivative works based on works that use these licenses.

However, the LGPL was originally known as the Library General Public License, because LGPL-licensed libraries can be linked with non-GPL licensed programs, including proprietary software.

This is in contrast to the GPL:  If such linking is done with a library under the GPL and the proprietary program and library were distributed together under the proprietary license, the GPL would be violated.

You can read the LGPL license here: https://www.gnu.org/licenses/lgpl-3.0.en.html.  And a bit more on the advantages or disadvantages of LGPL for libraries here: https://www.gnu.org/licenses/why-not-lgpl.html

Kind regards,
Kara

Daniel Beck

Jul 21, 2021, 6:15:18 AM
to Jenkins Developers
> On 21. Jul 2021, at 04:39, Mark Waite <mark.ea...@gmail.com> wrote:
>
> The maverick-synergy library is LGPL3 licensed. Is it allowed to use an LGPL3 licensed library in a Jenkins plugin?
>

The governance document explicitly allows LGPL even for use in core.

We don't care about plugins distributed by the project, as long as it's OSI approved.

https://www.jenkins.io/project/governance/#license

Matt Sicker

Jul 21, 2021, 10:49:41 AM
to jenkin...@googlegroups.com
I agree that security related dependencies should have an upstream security policy. Not every popular project bothers to file CVEs, either, especially solo projects that didn’t have any past CVEs. While GitHub’s vulnerability reporting feature has helped improve this somewhat, it’s still hit or miss.

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/FE58146B-EDF8-4A85-888A-F2E5E4ACCD6F%40beckweb.net.

Jesse Glick

Jul 21, 2021, 6:41:22 PM
to Jenkins Dev
On Wed, Jul 21, 2021 at 2:32 AM wfoll...@cloudbees.com <wfoll...@cloudbees.com> wrote:
> if we want to keep our dependencies safe, using only popular ones is a good practice

Especially if this is going into a popular plugin like `git`.

Whatever the problems with BouncyCastle are, can they be worked around? Or a patch offered upstream?

Mark Waite

Jul 22, 2021, 1:06:11 AM
to jenkinsci-dev
Harshit believes he has found a way to make the code work with sshj.  He's pulled back from maverick-synergy for the moment.

If someone with skills in Java handling of ssh private keys would like to provide some coaching, I'm sure Harshit would be grateful.  I am not skilled at API level interactions with ssh private keys.  Next mentoring session is Friday July 23, 2021 at 2:00 AM UTC.  Other times can be arranged if needed.
