pjfanning commented on pull request #3980: URL: https://github.com/apache/hadoop/pull/3980#issuecomment-1055250279
@mukund-thakur thanks for looking at this. I'm afraid I'm not an expert in the hadoop build. I'm just a random ASF member who has found lots of ASF projects that use insecure dependencies, and a lot of them are holding back from upgrading because they support hadoop and it is built with the out-of-date insecure dependencies. I tried to build with bouncycastle 1.67 but got similar failures.

* The test failures are timeout exceptions, so it is hard to work out why they fail.
* bouncycastle is used for security purposes, so it seems even more important to use a version of this jar that has no published security vulnerabilities.
* Even if other projects will also be forced to upgrade bouncycastle if hadoop does, shouldn't this be regarded as a good thing?
* What if bouncycastle 1.60 is discovered to have a new major flaw? That would likely only be fixed in a bouncycastle 1.7x release.
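The point raised above is that a build can silently carry an old bouncycastle artifact on several classpaths. As an added example (not code from this pull request or from the hadoop project), the script below scans the output of `mvn dependency:list` and flags every artifact from a chosen group whose version is below a minimum you set. The sample output is constructed for the example, and the `[INFO]    group:artifact:type:version:scope` line layout and the `1.67` floor are assumptions; adjust the floor to whatever version your own review settles on.

```python
import re
import sys
from typing import Iterator, List, Tuple

# Constructed sample of `mvn dependency:list` output (not real hadoop output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.60:compile
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.60:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.67:test
"""

# Assumed line layout: "[INFO]    groupId:artifactId:type:version:scope"
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?P<version>[^:\s]+):(?P<scope>[a-z]+)"
)


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Turn '1.60' / '3.12.0' into a tuple that compares numerically.

    Numeric segments compare as integers; anything else (e.g. a qualifier
    such as 'SNAPSHOT') compares as text after all numeric segments.
    """
    parts = []
    for segment in version.split("."):
        parts.append((0, int(segment)) if segment.isdigit() else (1, segment))
    return tuple(parts)


def parse_dependencies(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (group, artifact, version, scope) for each resolved dependency line."""
    for line in text.splitlines():
        match = DEP_LINE.match(line)
        if match:
            yield (match["group"], match["artifact"], match["version"], match["scope"])


def find_below_floor(text: str, group: str, floor: str) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, scope) for every artifact in `group`
    whose version is older than `floor`, in the order they appear."""
    floor_key = parse_version(floor)
    flagged = []
    for dep_group, artifact, version, scope in parse_dependencies(text):
        if dep_group == group and parse_version(version) < floor_key:
            flagged.append((artifact, version, scope))
    return flagged


def report(text: str, group: str, floor: str) -> int:
    """Print each flagged artifact; return 1 if any were found, else 0."""
    flagged = find_below_floor(text, group, floor)
    for artifact, version, scope in flagged:
        print(f"{group}:{artifact} {version} ({scope}) is below {floor}")
    return 1 if flagged else 0


if __name__ == "__main__":
    # Pipe real output in (`mvn dependency:list | python check_bc.py`),
    # or run with no input to see the constructed sample being checked.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEPENDENCY_LIST
    sys.exit(report(source, "org.bouncycastle", "1.67"))
```

Because the exit status is non-zero whenever an old artifact is found, the script can sit in a CI step and fail the build until every scope pulls the newer jar; the `test`-scoped 1.67 entry in the sample passes while the two 1.60 entries do not.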
