2 thoughts:

1) I know this is partially git’s fault on the diff, and I know this is a 
standard gripe from me, but for reviewers things are much easier if 
syntax/whitespace changes are separated out into a separate patch from 
2) One thing that caught my eye was the SHA-1 use on the fingerprint. That got 
me looking around the codebase, and I see SHA-1/SHA1 sprinkled around. It’s not 
considered secure anymore [1]. Some of the uses are just for naming, that’s 
fine. I don’t think any of the use I saw was OMGFIXNOW. But at some point might 
be nice to replace all that with SHA-256. Would require a data migration, 
3) Awesome, run with it. :)

1: https://en.wikipedia.org/wiki/SHA-1#Cryptanalysis_and_validation

> On Dec 1, 2016, at 10:17 PM, Rohit Yadav <rohit.ya...@shapeblue.com> wrote:
> All,
> I've sent a PR that will upgrade the bouncycastle dependency to the latest 
> version [1]. In terms of security, an upgrade is necessary though it would 
> also require for users (who are upgrading to, or later) to 
> destroy old systemvms such as CPVM and SSVM so the agents that will be 
> started in new system vms will use the same dependency jar (version/release) 
> and use the same cipher suites as the mgmt server (i.e. there will be no 
> SSL-based communication issue afterwards) as provided by bouncycastle v1.55.
> Thoughts, feedback?
> [1] https://github.com/apache/cloudstack/pull/1799
> Regards.
> rohit.ya...@shapeblue.com 
> www.shapeblue.com
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK
> @shapeblue
