Discussion:
[cross-project-issues-dev] Is jsch finally dead?
Greg Watson
2018-11-02 01:19:17 UTC
Permalink
This question has been asked before, but I think it's time to ask it again. The last version of jsch was 0.1.54 in Sep 2016 and there doesn't seem to have been any development since then. Given the number of projects that depend on a decent ssh implementation, and the numerous bugs that still exist in jsch, what are the plans for maintaining and/or replacing it?

Thanks,
Greg
Gunnar Wagenknecht
2018-11-02 11:04:54 UTC
Permalink
It looks like. We use it in the IDE and in EGit.

See here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=540652

-Gunnar

--
Gunnar Wagenknecht
***@wagenknecht.org, http://guw.io/
Matthias Sohn
2018-11-02 11:22:58 UTC
Permalink
I tried several times to reach the jsch maintainer and his company but
never got a response.
We implemented a couple of workarounds around jsch bugs in JGit and are
tired of doing so.

Hence Thomas Wolf started an alternative implementation for JGit and EGit
based on Apache Mina sshd.
See https://bugs.eclipse.org/bugs/show_bug.cgi?id=520927

-Matthias
Matthias Sohn
2018-11-02 12:16:53 UTC
Permalink
Also see this earlier discussion [1] on this list.

The biggest problem with jsch is that there seems to be no known public source code repository containing the project's real source code history including tests.

- There are a couple of public jsch repositories [2] but they all seem to contain just snapshots of source archives downloaded from Maven central. None of these repositories contain any jsch tests.
- There are the source archives available on Maven Central [3]
- and zip archives uploaded on sourceforge [4].

[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg14979.html
[2] https://github.com/is/jsch
https://github.com/vngx/vngx-jsch
https://github.com/rtyley/jsch
https://github.com/ePaul/jsch-documentation
https://github.com/feiqitian/JSch
https://github.com/octo47/jsch
https://gitlab.com/farmboy0/jsch
[3] https://search.maven.org/search?q=g:com.jcraft%20AND%20a:jsch&core=gav
[4] https://sourceforge.net/projects/jsch/files/jsch/
Greg Watson
2018-11-02 14:46:40 UTC
Permalink
I've opened a bug against Platform/Team (since this seems to be where jsch resides) [1]. It seems like EGit's Apache Mina work might be a good starting point.

Regards,
Greg

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727
Mat Booth
2018-11-02 15:28:05 UTC
Permalink
I filed a bug against Equinox too. It could also be updated to consume the
latest version of org.apache.sshd:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=540728
Matthias Sohn
2018-11-29 21:31:45 UTC
Permalink
A new version of jsch 0.1.55 [1] was released on Maven central hence I once more tried to contact Atsuhiko and finally he responded. Find his response below.

This means we have the following situation regarding jsch:

- there are public releases published on Maven central including source archives which do not contain tests
- Jcraft keeps the source code repository private and there is no public source code repository
- Jcraft accepts bug reports on the jsch-users mailing list
- Jcraft does not accept source code contributions due to license violation concerns

Meanwhile Thomas Wolf created an alternative implementation for JGit and EGit based on mina-sshd [3] (kudos to Thomas). With our next release 5.2 which will be shipped with 2018-12 EGit and JGit will come with both a jsch and a mina-sshd based implementation and users can choose the implementation they want to use. For 5.2 jsch will still be the default until the mina-sshd based solution has proven to be stable.

I think it's not a good situation to depend on a library which is maintained by a single person/company but not accepting contributions with sources excluding tests and no public history of the source code. As we experienced in the last 2 years this can mean having no maintenance for an extended period.

Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate his license violation concerns and propose to consider moving the project to the Eclipse Foundation.

[references] are given in forwarded email below.

-Matthias

---------- Forwarded message ---------
From: Atsuhiko Yamanaka <***@jcraft.com>
Date: Thu, Nov 29, 2018 at 3:13 PM
Subject: Re: jsch maintenance and source code repository
To: <***@gmail.com>
Cc: <***@paranor.ch>


Hi,

Sorry for our delay.

On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <***@gmail.com> wrote:
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?

We have been developing it for almost 16 years, and will continue it.
We started that software to add the X forwarding functionality to our
pure Java X server
for our customers, so we have strong motivations to continue it.

> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch

So, yes, we will continue maintaining jsch.
At present time, there is not a public repository,
and we will accept bug reports at jsch-users mailing list.
We hesitate to accept source code due to the license violation concerns.


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
<-- address data redacted -->

---------- Forwarded message ---------
From: Matthias Sohn <***@gmail.com>
Date: Thu, Nov 29, 2018 at 1:09 AM
Subject: jsch maintenance and source code repository
To: <***@gmail.com>
Cc: Thomas Wolf <***@paranor.ch>


Hi Atsuhiko,

I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back ?

We missed you at Eclipse [2] and came to the impression that jsch is no longer maintained. I tried several times in the last 2 years to reach you or your company to clarify if jsch is still maintained since it's not a good situation to depend on a security relevant library which is no longer maintained.

During the last 2 years we implemented a number of workarounds in JGit to work around bugs in jsch.

Since we didn't get any response for all emails sent to you and your company and there was no activity in the jsch sourceforge project we discussed if we should fork jsch in order to continue maintenance. But then we couldn't find a source code repository for jsch with the jsch source code history and we also couldn't find unit tests. Hence Thomas created an alternative implementation for JGit using Apache mina-sshd [2]. The next version JGit 5.2 to be released before Christmas will come with both the jsch and the new mina-sshd based implementation.

Could you let us know
- if you intend to continue maintaining jsch
- where we can find the source code repository
- if and how you accept contributions for jsch

[1] https://search.maven.org/artifact/com.jcraft/jsch/0.1.55/jar
http://www.jcraft.com/jsch/
http://www.jcraft.com/jsch/ChangeLog
[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg16175.html
[3] https://www.eclipse.org/lists/egit-dev/msg04556.html

-Matthias
Mike Wilson
2018-11-30 15:10:31 UTC
Permalink
Daniel Megert
2018-11-30 15:17:42 UTC
Permalink
I agree McQ.

> Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate
> his license violation concerns and propose to consider moving the project to the Eclipse Foundation.

This sounds like a reasonable approach. Matthias, can you follow up on that?

Dani



From: "Mike Wilson" <***@ca.ibm.com>
To: cross-project-issues-***@eclipse.org
Date: 30.11.2018 16:12
Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
Sent by: cross-project-issues-dev-***@eclipse.org



> I think it's not a good situation to depend on a library which is maintained by a single person/company
> but not accepting contributions with sources excluding tests and no public history of the source code.

Agree. For something with obvious security implications, the source code
issue is the most important to me. I have no doubts about the integrity of
JCraft, but even accidental issues can have major consequences.

McQ.

----- Original message -----
From: Matthias Sohn <***@gmail.com>
Sent by: cross-project-issues-dev-***@eclipse.org
To: Cross project issues <cross-project-issues-***@eclipse.org>
Cc:
Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
Date: Thu, Nov 29, 2018 4:32 PM

A new version of jsch 0.1.55 [1] was released on Maven central hence I
once more
tried to contact Atsuhiko and finally he responded. Find his response
below.

This means we have the following situation regarding jsch:
there are public releases published on Maven central including source
archives which do not contain tests
Jcraft keeps the source code repository private and there is no public
source code repository
Jcraft accepts bug reports on the jsch-users mailing list
Jcraft does not accept source code contributions due to license violation
concerns
Meanwhile Thomas Wolf created an alternative implementation for JGit and
EGit based on
mina-sshd [3] (kudos to Thomas). With our next release 5.2 which will be
shipped with 2018-12
EGit and JGit will come with both a jsch and a mina-sshd based
implementation and users can choose
the implementation they want to use. For 5.2 jsch will still be the
default until the mina-sshd based solution
has proven to be stable.

I think it's not a good situation to depend on a library which is
maintained by a single person/company
but not accepting contributions with sources excluding tests and no public
history of the source code.
As we experienced in the last 2 years this can mean having no maintenance
for an extended period.

Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP
gatekeeper which can mitigate
his license violation concerns and propose to consider moving the project
to the Eclipse Foundation.

[references] are given in forwarded email below.

-Matthias

---------- Forwarded message ---------
From: Atsuhiko Yamanaka <***@jcraft.com>
Date: Thu, Nov 29, 2018 at 3:13 PM
Subject: Re: jsch maintenance and source code repository
To: <***@gmail.com>
Cc: <***@paranor.ch>


Hi,

Sorry for our delay.

On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <***@gmail.com>
wrote:
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven
central, looks like you are back ?

We have been developing it for almost 16 years, and will continue it.
We started that software to add the X forwarding functionality to our
pure Java X server
for our customers, so we have strong motivations to continue it.

> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch

So, yes, we will continue maintaining jsch.
At present time, there is not a public repository,
and we will accept bug reports at jsch-users mailing list.
We hesitate to accept source code due to the license violation concerns.


Sincerely,
--
Atsuhiko Yamanaka
JCraft,Inc.
<-- address data redacted -->

---------- Forwarded message ---------
From: Matthias Sohn <***@gmail.com>
Date: Thu, Nov 29, 2018 at 1:09 AM
Subject: jsch maintenance and source code repository
To: <***@gmail.com>
Cc: Thomas Wolf <***@paranor.ch>

Hi Atsuhiko,

I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven
central, looks like you are back ?

We missed you at Eclipse [2] and came to the impression that jsch is no
longer maintained.
I tried several times in the last 2 years to reach you or your company to
clarify if jsch is still
maintained since it's not a good situation to depend on a security
relevant library which is
no longer maintained.

During the last 2 years we implemented a number of workarounds in JGit to
workaround
bugs in jsch.

Since we didn't get any response for all emails sent to you and your
company
and there was no activity in the jsch sourceforge project we discussed if
we should fork jsch
in order to continue maintenance. But then we couldn't find a source code
repository for jsch
with the jsch source code history and we also couldn't find unit tests.
Hence Thomas created
an alternative implementation for JGit using Apache mina-sshd [2]. The
next version JGit 5.2
to be released before Christmas will come with both the jsch and the new
mina-sshd based
implementation.

Could you let us know
- if you intend to continue maintaining jsch
- where we can find the source code repository
- if and how you accept contributions for jsch

[1] https://search.maven.org/artifact/com.jcraft/jsch/0.1.55/jar
http://www.jcraft.com/jsch/
http://www.jcraft.com/jsch/ChangeLog
[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg16175.html
[3] https://www.eclipse.org/lists/egit-dev/msg04556.html

-Matthias

On Fri, Nov 2, 2018 at 4:29 PM Mat Booth <***@redhat.com> wrote:
I filed a bug against Equinox too. It could also be updated to consume the
latest version of org.apache.sshd:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=540728

On Fri, 2 Nov 2018 at 14:47, Greg Watson <***@computer.org> wrote:
I've opened a bug against Platform/Team (since this seems to be where jsch
resides) [1]. It seems like EGit's Apache Mina work might be a good
starting point.

Regards,
Greg

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727

On Nov 2, 2018, at 8:16 AM, Matthias Sohn <***@gmail.com> wrote:

Also see this earlier discussion [1] on this list.

The biggest problem with jsch is that there seems to be no known public
source code repository containing
the project's real source code history including tests.
There are a couple of public jsch repositories [2] but they all seem to
contain just snapshots of
source archives downloaded from Maven central. None of these repositories
contain any jsch tests.
There are the source archives available on Maven Central [3]
and zip archives uploaded on sourceforge [4].
[1] https://www.eclipse.org/lists/cross-project-issues-dev/msg14979.html
[2] https://github.com/is/jsch
https://github.com/vngx/vngx-jsch
https://github.com/rtyley/jsch
https://github.com/ePaul/jsch-documentation
https://github.com/feiqitian/JSch
https://github.com/octo47/jsch
https://gitlab.com/farmboy0/jsch
[3] https://search.maven.org/search?q=g:com.jcraft%20AND%20a:jsch&core=gav
[4] https://sourceforge.net/projects/jsch/files/jsch/

On Fri, Nov 2, 2018 at 12:22 PM Matthias Sohn <***@gmail.com>
wrote:
I tried several times to reach the jsch maintainer and his company but
never got a response.
We implemented a couple of workarounds around jsch bugs in JGit and are
tired to do so.

Hence Thomas Wolf started an alternative implementation for JGit and EGit
based on Apache Mina sshd.
See https://bugs.eclipse.org/bugs/show_bug.cgi?id=520927

-Matthias

On Fri, Nov 2, 2018 at 12:05 PM Gunnar Wagenknecht <***@wagenknecht.org
> wrote:
It looks like. We use it in the IDE and in EGit.

See here:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=540652

-Gunnar

--
Gunnar Wagenknecht
***@wagenknecht.org, http://guw.io/






On Nov 2, 2018, at 02:19, Greg Watson <***@computer.org> wrote:

This question has been asked before, but I think it's time to ask it
again. The last version of jsch was 0.1.54 in Sep 2016 and there doesn't
seem to have been any development since then. Given the number of projects
that depend on a decent ssh implementation, and the numerous bugs that
still exist in jsch, what are the plans for maintaining and/or replacing
it?

Thanks,
Greg
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-***@eclipse.org
To change your delivery options, retrieve your password, or unsubscribe
from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
Greg Watson
2018-11-30 16:36:46 UTC
Permalink
That doesn't really address the issue of only having a single person maintaining the code though. Unless there are others who would be interested in supporting it, I would think going with an active project would be a much better long-term strategy. Otherwise it seems to be just papering over the problems. For example, who would be willing to add support for EDDSA (which is already supported by Mina)? Also, there are many long-standing bugs with JSch (e.g. many threading issues) that would need significant work to address. Would anyone be likely to volunteer for that?

Regards,
Greg

> On Nov 30, 2018, at 10:17 AM, Daniel Megert <***@ch.ibm.com> wrote:
>
> I agree McQ.
>
> > Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate
> > his license violation concerns and propose to consider moving the project to the Eclipse Foundation.
>
> This sounds like a reasonable approach. Matthias, can you follow up on that?
>
> Dani
>
>
>
> From: "Mike Wilson" <***@ca.ibm.com>
> To: cross-project-issues-***@eclipse.org
> Date: 30.11.2018 16:12
> Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
> Sent by: cross-project-issues-dev-***@eclipse.org
>
>
>
> > I think it's not a good situation to depend on a library which is maintained by a single person/company
> > but not accepting contributions with sources excluding tests and no public history of the source code.
> >
> Agree. For something with obvious security implications, the source code issue is the most important to me. I have no doubts about the integrity of JCraft, but even accidental issues can have major consequences.
>
> McQ.
>
> ----- Original message -----
> From: Matthias Sohn <***@gmail.com>
> Sent by: cross-project-issues-dev-***@eclipse.org
> To: Cross project issues <cross-project-issues-***@eclipse.org>
> Cc:
> Subject: Re: [cross-project-issues-dev] Is jsch finally dead?
> Date: Thu, Nov 29, 2018 4:32 PM
>
> A new version of jsch 0.1.55 [1] was released on Maven central hence I once more
> tried to contact Atsuhiko and finally he responded. Find his response below.
>
> This means we have the following situation regarding jsch:
> - there are public releases published on Maven central including source archives which do not contain tests
> - Jcraft keeps the source code repository private and there is no public source code repository
> - Jcraft accepts bug reports on the jsch-users mailing list
> - Jcraft does not accept source code contributions due to license violation concerns
> Meanwhile Thomas Wolf created an alternative implementation for JGit and EGit based on
> mina-sshd [3] (kudos to Thomas). With our next release 5.2 which will be shipped with 2018-12
> EGit and JGit will come with both a jsch and a mina-sshd based implementation and users can choose
> the implementation they want to use. For 5.2 jsch will still be the default until the mina-sshd based solution
> has proven to be stable.
>
> I think it's not a good situation to depend on a library which is maintained by a single person/company
> but not accepting contributions with sources excluding tests and no public history of the source code.
> As we experienced in the last 2 years this can mean having no maintenance for an extended period.
>
> Maybe we could convince Atsuhiko that Eclipse Foundation is a good IP gatekeeper which can mitigate
> his license violation concerns and propose to consider moving the project to the Eclipse Foundation.
>
> [references] are given in forwarded email below.
>
> -Matthias
>
> ---------- Forwarded message ---------
> From: Atsuhiko Yamanaka <***@jcraft.com>
> Date: Thu, Nov 29, 2018 at 3:13 PM
> Subject: Re: jsch maintenance and source code repository
> To: <***@gmail.com>
> Cc: <***@paranor.ch>
>
>
> Hi,
>
> Sorry for our delay.
>
> On Thu, Nov 29, 2018 at 9:09 AM Matthias Sohn <***@gmail.com> wrote:
> > I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back?
>
> We have been developing it for almost 16 years, and will continue it.
> We started that software to add the X forwarding functionality to our
> pure Java X server
> for our customers, so we have strong motivations to continue it.
>
> > Could you let us know
> > - if you intend to continue maintaining jsch
> > - where we can find the source code repository
> > - if and how you accept contributions for jsch
>
> So, yes, we will continue maintaining jsch.
> At present time, there is not a public repository,
> and we will accept bug reports at jsch-users mailing list.
> We hesitate to accept source code due to the license violation concerns.
>
>
> Sincerely,
> --
> Atsuhiko Yamanaka
> JCraft,Inc.
> <-- address data redacted -->
>
> ---------- Forwarded message ---------
> From: Matthias Sohn <***@gmail.com>
> Date: Thu, Nov 29, 2018 at 1:09 AM
> Subject: jsch maintenance and source code repository
> To: <***@gmail.com>
> Cc: Thomas Wolf <***@paranor.ch>
>
> Hi Atsuhiko,
>
> I noticed that a new version of jsch 0.1.55 [1] was deployed on Maven central, looks like you are back?
>
> We missed you at Eclipse [2] and came to the impression that jsch is no longer maintained.
> I tried several times in the last 2 years to reach you or your company to clarify if jsch is still
> maintained since it's not a good situation to depend on a security relevant library which is
> no longer maintained.
>
> During the last 2 years we implemented a number of workarounds in JGit to work around
> bugs in jsch.
>
> Since we didn't get any response for all emails sent to you and your company
> and there was no activity in the jsch sourceforge project we discussed if we should fork jsch
> in order to continue maintenance. But then we couldn't find a source code repository for jsch
> with the jsch source code history and we also couldn't find unit tests. Hence Thomas created
> an alternative implementation for JGit using Apache mina-sshd [2]. The next version JGit 5.2
> to be released before Christmas will come with both the jsch and the new mina-sshd based
> implementation.
>
> Could you let us know
> - if you intend to continue maintaining jsch
> - where we can find the source code repository
> - if and how you accept contributions for jsch
>
> [1] https://search.maven.org/artifact/com.jcraft/jsch/0.1.55/jar
> http://www.jcraft.com/jsch/
> http://www.jcraft.com/jsch/ChangeLog
> [2] https://www.eclipse.org/lists/cross-project-issues-dev/msg16175.html
> [3] https://www.eclipse.org/lists/egit-dev/msg04556.html
>
> -Matthias
>
> On Fri, Nov 2, 2018 at 4:29 PM Mat Booth <***@redhat.com> wrote:
> I filed a bug against Equinox too. It could also be updated to consume the latest version of org.apache.sshd: https://bugs.eclipse.org/bugs/show_bug.cgi?id=540728
>
> On Fri, 2 Nov 2018 at 14:47, Greg Watson <***@computer.org> wrote:
> I've opened a bug against Platform/Team (since this seems to be where jsch resides) [1]. It seems like EGit's Apache Mina work might be a good starting point.
>
> Regards,
> Greg
>
> [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=540727
>
> On Nov 2, 2018, at 8:16 AM, Matthias Sohn <***@gmail.com> wrote:
>
> Also see this earlier discussion [1] on this list.
>
> The biggest problem with jsch is that there seems to be no known public source code repository containing
> the project's real source code history including tests.
> There are a couple of public jsch repositories [2] but they all seem to contain just snapshots of
> source archives downloaded from Maven central. None of these repositories contain any jsch tests.
> There are the source archives available on Maven Central [3]
> and zip archives uploaded on sourceforge [4].
> [1] https://www.eclipse.org/lists/cross-project-issues-dev/msg14979.html
> [2] https://github.com/is/jsch
> https://github.com/vngx/vngx-jsch
> https://github.com/rtyley/jsch
> https://github.com/ePaul/jsch-documentation
> https://github.com/feiqitian/JSch
> https://github.com/octo47/jsch
> https://gitlab.com/farmboy0/jsch
> [3] https://search.maven.org/search?q=g:com.jcraft%20AND%20a:jsch&core=gav
> [4] https://sourceforge.net/projects/jsch/files/jsch/
>
> On Fri, Nov 2, 2018 at 12:22 PM Matthias Sohn <***@gmail.com> wrote:
> I tried several times to reach the jsch maintainer and his company but never got a response.
> We implemented a couple of workarounds around jsch bugs in JGit and are tired of doing so.
>
> Hence Thomas Wolf started an alternative implementation for JGit and EGit based on Apache Mina sshd.
> See https://bugs.eclipse.org/bugs/show_bug.cgi?id=520927
>
> -Matthias
>
> On Fri, Nov 2, 2018 at 12:05 PM Gunnar Wagenknecht <***@wagenknecht.org> wrote:
> It looks like. We use it in the IDE and in EGit.
>
> See here:
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=540652
>
> -Gunnar
>
> --
> Gunnar Wagenknecht
> ***@wagenknecht.org, http://guw.io/
>
> On Nov 2, 2018, at 02:19, Greg Watson <***@computer.org> wrote:
>
> This question has been asked before, but I think it's time to ask it again. The last version of jsch was 0.1.54 in Sep 2016 and there doesn't seem to have been any development since then. Given the number of projects that depend on a decent ssh implementation, and the numerous bugs that still exist in jsch, what are the plans for maintaining and/or replacing it?
>
> Thanks,
> Greg