michaeljmarshall commented on pull request #12119:
URL: https://github.com/apache/pulsar/pull/12119#issuecomment-924330167


   Looks like bouncy castle dependencies/licenses are making the "misc" tests 
fail. I think part of it is that the discovery module was the only module that 
required `org.apache.pulsar:bouncy-castle-bc:jar:pkg:2.9.0-SNAPSHOT:compile` 
when running `mvn dependency:tree` on both `master` and on my branch.
   
   The error message for the test is:
   
   ```
   $ src/check-binary-license ./distribution/server/target/apache-pulsar-*-bin.tar.gz
   org.bouncycastle-bcpkix-jdk15on-1.61.jar unaccounted for in LICENSE
   org.bouncycastle-bcprov-jdk15on-1.61.jar unaccounted for in LICENSE
   org.bouncycastle-bcpkix-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   org.bouncycastle-bcprov-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   org.bouncycastle-bcutil-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   ```
   
   When I inspect the server distribution after building from this branch, I 
see the following:
   
   ```
   $ tar -tf apache-pulsar-2.9.0-SNAPSHOT-bin.tar.gz  | grep -i bounc
   apache-pulsar-2.9.0-SNAPSHOT/licenses/LICENSE-bouncycastle.txt
   apache-pulsar-2.9.0-SNAPSHOT/lib/presto/plugin/pulsar-presto-connector/bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.apache.pulsar-bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-ext-jdk15on-1.69.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcpkix-jdk15on-1.61.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-jdk15on-1.61.jar
   ```
   
   It looks like the 1.61 jars are coming from a grpc dependency. After running 
`mvn dependency:tree`, I can see the following several times throughout our 
dependency tree: 
   
   ```
   [INFO] |  |  |  \- io.grpc:grpc-xds:jar:1.33.0:test
   [INFO] |  |  |     +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:test
   [INFO] |  |  |     |  \- org.bouncycastle:bcprov-jdk15on:jar:1.61:test
   [INFO] |  |  |     \- io.grpc:grpc-netty-shaded:jar:1.33.0:test (version selected from constraint [1.33.0,1.33.0])
   ```
   
   I'm not familiar enough with Maven or with our build to know the right way 
to solve this. On one hand, `grpc-xds` is bringing in an older version of 
bouncy castle, which is known to have security issues 
(https://github.com/apache/pulsar/pull/10867), so I think we'll want to force 
the version to 1.69. Note that the latest version of grpc-xds is 1.40.1 and is 
only using bouncy castle jars 
[1.67](https://github.com/grpc/grpc-java/blob/v1.40.1/build.gradle#L184). On 
the other hand, is it a good idea to be using a later version of bouncy castle 
than the `grpc-xds` jar requires?
   
   @lhotari - can you help me figure out the right next step here?
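
Added example, not part of the PR comment above and not code from the Pulsar project: a small parser for `mvn dependency:tree` output that reports every artifact from a group (here `org.bouncycastle`) below a chosen minimum version, together with the direct dependency that drags it in and the scope it lands in. That is the information you need before deciding whether to pin the version in `dependencyManagement` or exclude it from the offending dependency. The sample tree is constructed to reproduce the `grpc-xds` chain quoted in the comment; the root coordinate, the other branches and the helper names are assumptions.

```python
"""Flag transitive artifacts below a minimum version in `mvn dependency:tree` output.

Added example; constructed sample input, not a real Pulsar build log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `mvn dependency:tree` output (assumed root coordinate).
SAMPLE_TREE = r"""
[INFO] org.apache.pulsar:pulsar-broker:jar:2.9.0-SNAPSHOT
[INFO] +- org.apache.pulsar:bouncy-castle-bc:jar:pkg:2.9.0-SNAPSHOT:compile
[INFO] |  +- org.bouncycastle:bcpkix-jdk15on:jar:1.69:compile
[INFO] |  \- org.bouncycastle:bcprov-ext-jdk15on:jar:1.69:compile
[INFO] \- io.grpc:grpc-xds:jar:1.33.0:test
[INFO]    +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:test
[INFO]    |  \- org.bouncycastle:bcprov-jdk15on:jar:1.61:test
[INFO]    \- io.grpc:grpc-netty-shaded:jar:1.33.0:test (version selected from constraint [1.33.0,1.33.0])
"""

# Tree-drawing prefix (spaces, '|', '+-', '\-'), then the coordinate, then any trailing note.
TREE_LINE = re.compile(r"^([ |+\\-]*)(\S+)(.*)$")


@dataclass(frozen=True)
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]          # None for the root project
    path: Tuple[str, ...]         # coordinates from the root down to this node


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Order Maven versions numerically; a qualifier (e.g. -SNAPSHOT) sorts before the plain release."""
    main, _, qualifier = version.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return nums, (0 if qualifier else 1)


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree lines into nodes with their ancestor chain (each indent level is 3 chars)."""
    nodes: List[Node] = []
    stack: List[str] = []         # ancestor coordinates, indexed by depth
    for raw in text.splitlines():
        if not raw.startswith("[INFO] "):
            continue
        match = TREE_LINE.match(raw[len("[INFO] "):])
        if not match:
            continue
        prefix, coord = match.group(1), match.group(2)
        parts = coord.split(":")
        if len(parts) < 4:        # plugin banner lines etc. are not g:a:type:version[:scope]
            continue
        depth = len(prefix) // 3
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:       # root: g:a:type:version
            version, scope = parts[3], None
        elif len(parts) == 5:     # g:a:type:version:scope
            version, scope = parts[3], parts[4]
        else:                     # g:a:type:classifier:version:scope
            version, scope = parts[4], parts[5]
        del stack[depth:]         # pop siblings/cousins left over from the previous branch
        stack.append(coord)
        nodes.append(Node(group, artifact, version, scope, tuple(stack)))
    return nodes


def find_outdated(text: str, group_prefix: str = "org.bouncycastle", minimum: str = "1.69") -> List[Node]:
    """All artifacts of the group whose version is below `minimum`, in tree order."""
    floor = version_key(minimum)
    return [n for n in parse_tree(text)
            if n.group.startswith(group_prefix) and version_key(n.version) < floor]


def introducers(findings: List[Node]) -> List[str]:
    """The direct (depth-1) dependencies that pull the outdated artifacts in: what to pin or exclude."""
    return sorted({n.path[1] if len(n.path) > 1 else n.path[0] for n in findings})


if __name__ == "__main__":
    hits = find_outdated(SAMPLE_TREE)
    for n in hits:
        print(f"{n.group}:{n.artifact}:{n.version} ({n.scope}) via " + " -> ".join(n.path[1:-1]))
    print("introduced by:", ", ".join(introducers(hits)))
```

Run it against the real output of `mvn dependency:tree -Dincludes=org.bouncycastle` to get the full list of paths in one pass; the scope column matters because a `test`-scoped path does not explain a jar showing up in the server distribution, so a jar in `lib/` with no `compile`/`runtime` path in the tree points at a packaging step (such as a bundled plugin) rather than at the module's own POM.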


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.