michaeljmarshall commented on pull request #12119: URL: https://github.com/apache/pulsar/pull/12119#issuecomment-924330167
Looks like bouncy castle dependencies/licenses are making the "misc" tests fail. I think part of it is that the discovery module was the only module that required `org.apache.pulsar:bouncy-castle-bc:jar:pkg:2.9.0-SNAPSHOT:compile`, when running `mvn dependency:tree` on both `master` and on my branch. The error message for the test is:

```
$ src/check-binary-license ./distribution/server/target/apache-pulsar-*-bin.tar.gz
org.bouncycastle-bcpkix-jdk15on-1.61.jar unaccounted for in LICENSE
org.bouncycastle-bcprov-jdk15on-1.61.jar unaccounted for in LICENSE
org.bouncycastle-bcpkix-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
org.bouncycastle-bcprov-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
org.bouncycastle-bcutil-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
```

When I inspect the server distribution after building from this branch, I see the following:

```
$ tar -tf apache-pulsar-2.9.0-SNAPSHOT-bin.tar.gz | grep -i bounc
apache-pulsar-2.9.0-SNAPSHOT/licenses/LICENSE-bouncycastle.txt
apache-pulsar-2.9.0-SNAPSHOT/lib/presto/plugin/pulsar-presto-connector/bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
apache-pulsar-2.9.0-SNAPSHOT/lib/org.apache.pulsar-bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-ext-jdk15on-1.69.jar
apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcpkix-jdk15on-1.61.jar
apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-jdk15on-1.61.jar
```

It looks like the 1.61 jars are coming from a grpc dependency.

After running `mvn dependency:tree`, I can see the following several times throughout our dependency tree:

```
[INFO] |  |  |  \- io.grpc:grpc-xds:jar:1.33.0:test
[INFO] |  |  |     +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:test
[INFO] |  |  |     |  \- org.bouncycastle:bcprov-jdk15on:jar:1.61:test
[INFO] |  |  |     \- io.grpc:grpc-netty-shaded:jar:1.33.0:test (version selected from constraint [1.33.0,1.33.0])
```

I'm not familiar enough with Maven or with our build to know the right way to solve this. On one hand, `grpc-xds` is bringing in an older version of bouncy castle, which is known to have security issues (https://github.com/apache/pulsar/pull/10867), so I think we'll want to force the version to 1.69. Note that the latest version of grpc-xds is 1.40.1 and is only using bouncy castle jars [1.67](https://github.com/grpc/grpc-java/blob/v1.40.1/build.gradle#L184). On the other hand, is it a good idea to be using a later version of bouncy castle than the `grpc-xds` jar requires?

@lhotari - can you help me figure out the right next step here?
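As an added example (not part of the PR or of the Pulsar build), a small script that scans `mvn dependency:tree` output for a groupId that resolves to more than one version and reports the scope each version arrives under; the tree fragment it runs on is constructed to mirror the one quoted in the comment above.

```python
"""Find artifacts under a groupId that `mvn dependency:tree` resolves at more
than one version (e.g. org.bouncycastle 1.61 via a test-scoped grpc-xds next
to the 1.69 the project declares). Added example, not Pulsar project code."""
import re
from collections import defaultdict

# A tree line looks like "[INFO] |  +- group:artifact:jar[:classifier]:version:scope",
# optionally followed by a "(version selected from ...)" annotation.
LINE_RE = re.compile(
    r"^\[INFO\]\s+[|\s+\\-]*\s*"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[a-z]+)"
)

def parse_tree(text):
    """Yield (group, artifact, version, scope) for every dependency line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["group"], m["artifact"], m["version"], m["scope"]

def conflicting_versions(text, group_prefix):
    """Return {"group:artifact": {version: [scopes]}} for artifacts whose
    groupId starts with group_prefix and that appear at 2+ versions."""
    seen = defaultdict(lambda: defaultdict(set))
    for group, artifact, version, scope in parse_tree(text):
        if group.startswith(group_prefix):
            seen[f"{group}:{artifact}"][version].add(scope)
    return {coord: {v: sorted(s) for v, s in versions.items()}
            for coord, versions in seen.items() if len(versions) > 1}

# Constructed sample modelled on the dependency:tree fragment in the comment.
SAMPLE_TREE = """\
[INFO] +- org.apache.pulsar:bouncy-castle-bc:jar:pkg:2.9.0-SNAPSHOT:compile
[INFO] |  +- org.bouncycastle:bcpkix-jdk15on:jar:1.69:compile
[INFO] |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.69:compile
[INFO] |  |  |  \\- io.grpc:grpc-xds:jar:1.33.0:test
[INFO] |  |  |     +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:test
[INFO] |  |  |     |  \\- org.bouncycastle:bcprov-jdk15on:jar:1.61:test
[INFO] |  |  |     \\- io.grpc:grpc-netty-shaded:jar:1.33.0:test (version selected from constraint [1.33.0,1.33.0])
"""

if __name__ == "__main__":
    # Pipe real output in with: mvn dependency:tree | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for coord, versions in conflicting_versions(text, "org.bouncycastle").items():
        print(f"{coord}: {versions}")
```

A version that only shows up under `test` scope should not end up in the binary distribution, so a mismatch between this report and the `tar -tf` listing points at the module whose packaging pulls it in.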
