Posted to dev@pdfbox.apache.org by "Emmanuel Bourg (JIRA)" <ji...@apache.org> on 2013/04/30 19:44:16 UTC

[jira] [Comment Edited] (PDFBOX-1587) Update the dependency on Bouncy Castle to 1.48

    [ https://issues.apache.org/jira/browse/PDFBOX-1587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13645762#comment-13645762 ] 

Emmanuel Bourg edited comment on PDFBOX-1587 at 4/30/13 5:42 PM:
-----------------------------------------------------------------

I'm not sure this will break applications using encrypted documents with PDFBox. As I understand the PDFBox code, Bouncy Castle is a purely internal dependency; no class from Bouncy Castle leaks in the public API of PDFBox. The user only interacts with standard X509Certificates from java.security.cert. So it should be safe to upgrade the dependency even for the 1.8.x line.
                
      was (Author: ebourg):
    I'm not sure this will break applications using encrypted documents with PDFBox. As I understand the PDFBox code, Bouncy Castle is a purely internal dependency, no class from Bouncy Class leaks in the public API of PDFBox. The user only interacts with standard X50Certificates from java.security.cert. So it should be safe to upgrade the dependency even for the 1.8.x line.
                  
>  Update the dependency on Bouncy Castle to 1.48
> -----------------------------------------------
>
>                 Key: PDFBOX-1587
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-1587
>             Project: PDFBox
>          Issue Type: Improvement
>    Affects Versions: 1.8.1
>            Reporter: Emmanuel Bourg
>            Assignee: Thomas Chojecki
>             Fix For: 2.0.0
>
>         Attachments: pdfbox-bouncycastle-update.patch
>
>
> The recent versions of Bouncy Castle didn't preserve the binary compatibility and PDFBox doesn't compile against them.
> This is an issue for the Debian project because the Bouncy Castle package has to be updated to 1.48 in order to fix a security issue. This update is going to break the PDFBox package.
> Could you please update the dependency on Bouncy Castle? I'll attach the patch with the necessary changes.
