aledsage commented on issue #1039: [Security] Bump bouncycastle.version from 1.51 to 1.61
URL: https://github.com/apache/brooklyn-server/pull/1039#issuecomment-562166214
 
 
I think we should err on the side of caution (for compatibility reasons) and not upgrade.

We could ask jclouds if they plan to upgrade bouncycastle, and we could then upgrade after that.

Our dependencies, `sshj` and `jclouds-bouncycastle`, depend on bouncycastle version 1.51. We can't assume semantic versioning (e.g. method signatures etc. can change, meaning bouncycastle versions are not binary compatible).

If we get this wrong, then our dependencies can fail with `NoSuchMethodError` etc. - i.e. causing the dependency to fail big-time. It is very hard to guarantee that won't happen - how confident are you that QA have covered all code paths (especially if Karaf vs non-Karaf might be different!)?

---
Options (not mutually exclusive) include:
1. Don't upgrade (user/customer security scans have not complained, so maybe they view that as not an issue?! We know for sure that some big companies have done security scans.)
2. Run with two versions of Bouncycastle in Karaf (both 1.51 and the newer one).
3. Upgrade `sshj` to a newer version (e.g. sshj 0.27 depends on bouncycastle 1.60).
4. Convince ourselves that `jclouds-bouncycastle` is not important - that it is not on the production code path for any uses of Brooklyn?!
5. Convince ourselves that there are no binary incompatibilities between the versions of Bouncycastle that we are talking about here.
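The risk described in the comment above (a bumped bouncycastle while `sshj` and `jclouds-bouncycastle` still request 1.51, with Maven silently picking one version and the losers surfacing later as `NoSuchMethodError`) is visible in `mvn dependency:tree -Dverbose` output, where Maven prints each mediated-away dependency as "(… - omitted for conflict with X)". The following script is an added example, not code from brooklyn-server or from the commenter: it parses that output and reports every artifact seen at more than one version together with the direct dependency that drags each version in. The sample tree is constructed; the groupIds for `sshj` and `jclouds-bouncycastle` are assumed, and the `sshj`, `jclouds-bouncycastle` and root versions are invented, while the bouncycastle versions 1.51 and 1.61 are the ones under discussion.

```python
"""Spot artifacts that appear at more than one version in `mvn dependency:tree` output.

Added example for this discussion; not part of brooklyn-server.  It reads the
verbose tree format, in which Maven prints the losers of version mediation as
"(... - omitted for conflict with X)", and reports, per artifact, every version
seen and the direct dependency that requests it.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `mvn dependency:tree -Dverbose`.  The
# bouncycastle versions (1.51 vs 1.61) are the ones discussed; the groupIds of
# sshj and jclouds-bouncycastle are assumed, and the root, sshj and jclouds
# version numbers are made up.
SAMPLE_TREE = """\
[INFO] org.example:app:jar:1.0.0-SNAPSHOT
[INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.61:compile
[INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:compile
[INFO] +- com.hierynomus:sshj:jar:0.12.0:compile
[INFO] |  \\- (org.bouncycastle:bcprov-jdk15on:jar:1.51:compile - omitted for conflict with 1.61)
[INFO] \\- org.apache.jclouds.driver:jclouds-bouncycastle:jar:2.1.2:compile
[INFO]    \\- (org.bouncycastle:bcpkix-jdk15on:jar:1.51:compile - omitted for conflict with 1.61)
"""

# A Maven coordinate has 4 to 6 colon-separated fields:
# groupId:artifactId:type[:classifier]:version[:scope]
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5}")
INDENT_PREFIX = len("[INFO] ")   # columns before the tree drawing starts
INDENT_STEP = 3                  # each nesting level indents by "+- " / "|  "


def parse_coordinate(token):
    """Return (groupId, artifactId, version) from a Maven coordinate, or None."""
    parts = token.split(":")
    if len(parts) in (4, 5):      # root without scope, or g:a:type:version:scope
        return parts[0], parts[1], parts[3]
    if len(parts) == 6:           # g:a:type:classifier:version:scope
        return parts[0], parts[1], parts[4]
    return None


def walk_tree(tree_text):
    """Yield (groupId, artifactId, version, direct_dependency) for every node.

    direct_dependency is the "groupId:artifactId" of the depth-1 ancestor, i.e.
    the declared dependency that (transitively) requests this node; it is the
    node itself for direct dependencies and None for the root.
    """
    ancestors = []  # stack of (depth, "groupId:artifactId")
    for line in tree_text.splitlines():
        match = COORD_RE.search(line)
        if not match:
            continue
        parsed = parse_coordinate(match.group(0))
        if parsed is None:
            continue
        group, artifact, version = parsed
        # Indentation encodes depth; the "(" of an omitted entry shifts the
        # start by one column, which integer division absorbs.
        depth = (match.start() - INDENT_PREFIX) // INDENT_STEP
        while ancestors and ancestors[-1][0] >= depth:
            ancestors.pop()
        this_ga = f"{group}:{artifact}"
        direct = next((ga for d, ga in ancestors if d == 1),
                      this_ga if depth == 1 else None)
        ancestors.append((depth, this_ga))
        yield group, artifact, version, direct


def version_conflicts(tree_text, group_prefix=""):
    """Map (groupId, artifactId) -> {version: sorted direct dependencies requesting it}
    for every artifact that appears at more than one version.  group_prefix
    restricts the report to one groupId family, e.g. "org.bouncycastle".
    """
    seen = defaultdict(lambda: defaultdict(set))
    for group, artifact, version, direct in walk_tree(tree_text):
        if not group.startswith(group_prefix):
            continue
        seen[(group, artifact)][version].add(direct or "<root>")
    return {
        ga: {v: sorted(requesters) for v, requesters in versions.items()}
        for ga, versions in seen.items()
        if len(versions) > 1
    }


def main():
    for (group, artifact), versions in sorted(version_conflicts(SAMPLE_TREE, "org.bouncycastle").items()):
        print(f"{group}:{artifact}")
        for version, requesters in sorted(versions.items()):
            print(f"  {version:<8} requested by {', '.join(requesters)}")


if __name__ == "__main__":
    main()
```

Run against real output by replacing `SAMPLE_TREE` with the captured text of `mvn dependency:tree -Dverbose`; an empty result for the `org.bouncycastle` prefix means every path agrees on one version, while any entry names the dependency whose requested version was mediated away and therefore needs a compatibility check (option 5 in the list) before the bump ships.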

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services