Posted to dev@brooklyn.apache.org by GitBox <gi...@apache.org> on 2020/04/16 21:51:37 UTC

[GitHub] [brooklyn-server] aledsage commented on issue #1039: [Security] Bump bouncycastle.version from 1.51 to 1.61

aledsage commented on issue #1039: [Security] Bump bouncycastle.version from 1.51 to 1.61
URL: https://github.com/apache/brooklyn-server/pull/1039#issuecomment-614915614
 
 
   Looking at this again, rebased against master...
   
   The brooklyn dist karaf systems folder contains the following new duplicates (i.e. both versions of those jars are being shipped in brooklyn):
   ```
   system//net/i2p/crypto/eddsa: [0.2.0, 0.1.0]
   system//org/bouncycastle/bcprov-ext-jdk15on: [1.61, 1.51]
   system//org/bouncycastle/bcpkix-jdk15on: [1.61, 1.51]
   system//com/hierynomus/sshj: [0.22.0, 0.20.0]
   ```
   
   This comes from the jclouds features, such as `jclouds-services`:
   ```
   Running feature:info jclouds-services
   Feature jclouds-services 2.1.2
   Description:
     OSGi Service Factories for jclouds
   Feature has no configuration
   Feature configuration files: 
     ${karaf.etc}/org.apache.jclouds.credentials.cfg
   Feature depends on:
     aries-blueprint 0.0.0
     jclouds-compute 2.1.2
     jclouds-blobstore 2.1.2
   Feature contains followed bundles:
     ...
     mvn:org.bouncycastle/bcprov-ext-jdk15on/1.51
     mvn:org.apache.jclouds.driver/jclouds-bouncycastle/2.1.2
     ...
   ```
   
   However, at runtime it's happy to use BouncyCastle 1.61, e.g. for `jclouds-bouncycastle` bundle:
   ```
   Import-Package =
       ....
       org.bouncycastle.jce.provider;version="[1.51,2)",
       ...
   ```
   
   ---
   Alex said about blacklisting bundles, which led me to the following useful links:
   * https://issues.apache.org/jira/browse/KARAF-5376?focusedCommentId=16431939&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-16431939
   * https://stackoverflow.com/a/53589206
   * https://github.com/apache/karaf/blob/master/features/core/src/test/resources/org/apache/karaf/features/internal/service/org.apache.karaf.features.xml
   
   I tried adding `featureReplacements` to `etc/org.apache.karaf.features.xml` and confirmed that did modify the feature (but I didn't quite get the right syntax - it ended up with no bundles in it!)
   
   I think that's worth exploring more, possibly instead using `bundleReplacements`.
   
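An added example (not part of the comment above or of the Brooklyn project) of the duplicate-version check described there: it parses Maven-repository jar paths such as those under the Karaf `system/` folder and reports every artifact shipped in more than one version, newest first. The sample path list is constructed to mirror the jars listed in the comment.

```python
"""Find Maven artifacts present in more than one version under a Karaf
system/ repository. Added example; not Brooklyn or Karaf tooling."""
import os
import re
from collections import defaultdict

# Maven repository layout: <group/path>/<artifactId>/<version>/<artifactId>-<version>.jar
_JAR_RE = re.compile(
    r"^(?P<coord>.+)/(?P<version>[^/]+)/(?P<artifact>[^/]+)-(?P=version)\.jar$")


def version_key(version):
    """Sort key so 1.61 > 1.51 and 0.22.0 > 0.20.0 numerically, not lexically."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.-]", version))


def find_duplicate_versions(jar_paths):
    """Map artifact directory (relative to the repo root) -> versions found,
    newest first, keeping only artifacts that occur in more than one version."""
    versions = defaultdict(set)
    for path in jar_paths:
        m = _JAR_RE.match(path.replace(os.sep, "/"))
        if m:  # classifier jars (e.g. -sources.jar) do not match and are skipped
            versions[m.group("coord")].add(m.group("version"))
    return {coord: sorted(vs, key=version_key, reverse=True)
            for coord, vs in versions.items() if len(vs) > 1}


def scan_system_dir(root):
    """Walk a real Karaf system/ directory and report its duplicates."""
    jars = []
    for dirpath, _, files in os.walk(root):
        jars.extend(os.path.relpath(os.path.join(dirpath, f), root)
                    for f in files if f.endswith(".jar"))
    return find_duplicate_versions(jars)


# Constructed sample mirroring the jars listed in the comment.
SAMPLE_JARS = [
    "org/bouncycastle/bcprov-ext-jdk15on/1.51/bcprov-ext-jdk15on-1.51.jar",
    "org/bouncycastle/bcprov-ext-jdk15on/1.61/bcprov-ext-jdk15on-1.61.jar",
    "org/bouncycastle/bcpkix-jdk15on/1.51/bcpkix-jdk15on-1.51.jar",
    "org/bouncycastle/bcpkix-jdk15on/1.61/bcpkix-jdk15on-1.61.jar",
    "com/hierynomus/sshj/0.22.0/sshj-0.22.0.jar",
    "com/hierynomus/sshj/0.20.0/sshj-0.20.0.jar",
    "net/i2p/crypto/eddsa/0.2.0/eddsa-0.2.0.jar",
    "net/i2p/crypto/eddsa/0.1.0/eddsa-0.1.0.jar",
    "org/apache/jclouds/driver/jclouds-bouncycastle/2.1.2/jclouds-bouncycastle-2.1.2.jar",
]

if __name__ == "__main__":
    for coord, vs in sorted(find_duplicate_versions(SAMPLE_JARS).items()):
        print(f"system/{coord}: [{', '.join(vs)}]")
```

Run `scan_system_dir("apache-brooklyn-*/system")` against an unpacked dist to get the same report for real jars.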