+1 as well. On Tue, Nov 1, 2016 at 2:41 AM, Joe Witt <[email protected]> wrote:
> Team, > > In the 1.x line bcprov made its way into the root of the classpath/lib > folder to support the encrypted sensitive properties features. This > can be reworked to isolate it a bit more if we need to. > > However, in [1] it has been observed that we have bcprov dependencies > in about 53 places with each instance taking about 4MB of space for a > total hit of about 200MB of bcprov. > > [1] proposes to make bcprov-jdk15on and bcpkix-jdk15on part of the > core provided list of things right along side the > logback/slf4j/logging interfaces. This means all things will have > access to these going forward and it means it impacts our version > compatibility. Given that it would be a standard/provided thing if we > want to upgrade versions or swap it out with something else we could > break extensions that then chose to depend on it. We are not in > control of the bcprov api just like we're not in control of the > logging APIs. If there was some important security related fix we > needed from bcprov but changing also pulled in api changes for them it > could break our extensions. > > Even with all this said, given the nature, importance, and size > benefit, I am in favor of NIFI-2954. But, would like to highlight > this in case others have perspective they'd like to share. > > [1] https://issues.apache.org/jira/browse/NIFI-2954 > > Thanks > Joe >
