Hello Bouncy Castle,

I am a QA Engineer at iText Software. We create a Java and .NET library to create and manipulate PDF files, called (drumroll...) iText. Our software can be downloaded from our website and on GitHub, and we also offer it on Maven Central (Java) and NuGet.org (.NET).

We use Bouncy Castle as a dependency in iText.

Today we got a message via NuGet:

> Hi,
>
> I was wondering if you have a supported distribution that does not
> embed the Bouncy Castle source in your package? Or if you intend to
> create a release with the package referenced as a separate NuGet
> package? The issue I have is the DotNetUtilities.ToRSA method does
> not work in your distribution on .NET 4 and above. This issue has
> been fixed in the Bouncy Castle distribution.

Indeed, for iText 5.x.x we use an older version of Bouncy Castle. In the Java version we reference it in our POM file, but in the .NET version it's directly included. Copyright notices are of course preserved, see also http://itextpdf.com/copyright-ip and http://itextpdf.com/copyright-ip/bouncy-castle

There appears to be a NuGet package of Bouncy Castle: https://www.nuget.org/packages/BouncyCastle/ However, I found no mention of NuGet on the BC website or in the archives of this mailing list. So my question is: what is the status of that NuGet package? Is it "official"?

We prefer to err on the side of caution and we're not going to use anything unofficial unless we see it explicitly endorsed on the bouncycastle.org website.


To give you some background information: iText for .NET was published on NuGet (as iTextSharp) by volunteers outside of iText Software, and without our knowledge.

About a year ago, we found out that there were a couple of different NuGet packages of our product. We examined them all, and chose one package where we decided that the volunteers had done an excellent job. So we decided to contact them and endorse that particular distribution: https://www.nuget.org/packages/iTextSharp/ and we also mention it on our website: http://developers.itextpdf.com/itextsharp-net

It's very well possible that the same thing has happened for Bouncy Castle: that external volunteers packaged it for NuGet. But I can't be sure. I don't see the 3 owners (teoman soygul, peter dettman, bogatykh) mentioned on http://www.bouncycastle.org/csharp/contributors.html

I think there lies a task for the Bouncy Castle project:
1. Verify the quality of the NuGet package
2. Contact the current owners, and request to add a Bouncy Castle organization profile to the package owners
3. Mention the NuGet distribution of Bouncy Castle on http://www.bouncycastle.org/csharp/

Kind regards,

--
Amedee Van Gasse
QA Engineer | iText Software BVBA
amedee.vanga...@itextpdf.com
http://itextpdf.com
