Team, In the 1.x line bcprov made its way into the root of the classpath/lib folder to support the encrypted sensitive properties features. This can be reworked to isolate it a bit more if we need to.
However, in [1] it has been observed that we have bcprov dependencies in about 53 places with each instance taking about 4MB of space for a total hit of about 200MB of bcprov. [1] proposes to make bcprov-jdk15on and bcpkix-jdk15on part of the core provided list of things right along side the logback/slf4j/logging interfaces. This means all things will have access to these going forward and it means it impacts our version compatibility. Given that it would be a standard/provided thing if we want to upgrade versions or swap it out with something else we could break extensions that then chose to depend on it. We are not in control of the bcprov api just like we're not in control of the logging APIs. If there was some important security related fix we needed from bcprov but changing also pulled in api changes for them it could break our extensions. Even with all this said, given the nature, importance, and size benefit, I am in favor of NIFI-2954. But, would like to highlight this in case others have perspective they'd like to share. [1] https://issues.apache.org/jira/browse/NIFI-2954 Thanks Joe
