aledsage commented on issue #1039: [Security] Bump bouncycastle.version from 1.51 to 1.61
URL: https://github.com/apache/brooklyn-server/pull/1039#issuecomment-614915614

Looking at this again, rebased against master...

The brooklyn dist karaf systems folder contains the following new duplicates (i.e. both versions of those jars are being shipped in brooklyn):

```
system//net/i2p/crypto/eddsa: [0.2.0, 0.1.0]
system//org/bouncycastle/bcprov-ext-jdk15on: [1.61, 1.51]
system//org/bouncycastle/bcpkix-jdk15on: [1.61, 1.51]
system//com/hierynomus/sshj: [0.22.0, 0.20.0]
```

This comes from the jclouds features, such as `jclouds-services`:

```
Running feature:info jclouds-services
Feature jclouds-services 2.1.2
Description:
  OSGi Service Factories for jclouds
Feature has no configuration
Feature configuration files:
  ${karaf.etc}/org.apache.jclouds.credentials.cfg
Feature depends on:
  aries-blueprint 0.0.0
  jclouds-compute 2.1.2
  jclouds-blobstore 2.1.2
Feature contains followed bundles:
  ...
  mvn:org.bouncycastle/bcprov-ext-jdk15on/1.51
  mvn:org.apache.jclouds.driver/jclouds-bouncycastle/2.1.2
  ...
```

However, at runtime it's happy to use BouncyCastle 1.61, e.g. for `jclouds-bouncycastle` bundle:

```
Import-Package =
  ....
  org.bouncycastle.jce.provider;version="[1.51,2)",
  ...
```

---

Alex said about blacklisting bundles, which led me to the following useful links:

* https://issues.apache.org/jira/browse/KARAF-5376?focusedCommentId=16431939&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16431939
* https://stackoverflow.com/a/53589206
* https://github.com/apache/karaf/blob/master/features/core/src/test/resources/org/apache/karaf/features/internal/service/org.apache.karaf.features.xml

I tried adding `featureReplacements` to `etc/org.apache.karaf.features.xml` and confirmed that did modify the feature (but I didn't quite get the right syntax - it ended up with no bundles in it!)

I think that's worth exploring more, possibly instead using `bundleReplacements`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
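
Added example, not part of the original comment or of the Brooklyn code base: one way to produce a duplicate-version listing like the one in the comment for any Maven-layout directory such as Karaf's `system/` folder, so that an old jar still shipped beside its upgraded version is caught after a dependency bump. The function names and the sample tree are constructed for illustration, and the version sort is a simplification, not Maven's full comparison rules.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path


def version_key(version):
    """Simplified sort key: numeric parts compare as ints, qualifiers as text."""
    return [(0, int(p)) if p.isdigit() else (1, p)
            for p in re.split(r"[.\-_]", version) if p]


def find_duplicate_versions(system_dir):
    """Map 'group/path/artifact' -> versions (newest first) for every
    artifact present in more than one version under a Maven-layout dir."""
    root = Path(system_dir)
    versions = defaultdict(set)
    for jar in root.rglob("*.jar"):
        version_dir, artifact_dir = jar.parent, jar.parent.parent
        # Layout: <group path>/<artifact>/<version>/<artifact>-<version>[-classifier].jar
        if not jar.name.startswith(f"{artifact_dir.name}-{version_dir.name}"):
            continue  # not a repository-layout jar; ignore it
        coord = artifact_dir.relative_to(root).as_posix()
        versions[coord].add(version_dir.name)
    return {coord: sorted(found, key=version_key, reverse=True)
            for coord, found in sorted(versions.items()) if len(found) > 1}


def build_sample_tree(root):
    """Constructed sample mirroring the listing in the comment, plus one
    hypothetical artifact that is shipped in a single version only."""
    sample = {
        "net/i2p/crypto/eddsa": ["0.2.0", "0.1.0"],
        "org/bouncycastle/bcprov-ext-jdk15on": ["1.61", "1.51"],
        "org/bouncycastle/bcpkix-jdk15on": ["1.61", "1.51"],
        "com/hierynomus/sshj": ["0.22.0", "0.20.0"],
        "org/example/only-one": ["1.0"],
    }
    for coord, vers in sample.items():
        artifact = coord.rsplit("/", 1)[1]
        for v in vers:
            target = Path(root, coord, v)
            target.mkdir(parents=True)
            (target / f"{artifact}-{v}.jar").touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for coord, vers in find_duplicate_versions(tmp).items():
            print(f"{coord}: [{', '.join(vers)}]")
```

Run against a real distribution by passing its `system` directory to `find_duplicate_versions`; a non-empty result after a version bump means the older jar is still being packaged.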
