Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/09/21 19:46:48 UTC

[GitHub] [pulsar] michaeljmarshall commented on pull request #12119: [Discovery Service] Remove module and all its references

michaeljmarshall commented on pull request #12119:
URL: https://github.com/apache/pulsar/pull/12119#issuecomment-924330167


   Looks like bouncy castle dependencies/licenses are making the "misc" tests fail. I think part of it is that the discovery module was the only module that required `org.apache.pulsar:bouncy-castle-bc:jar:pkg:2.9.0-SNAPSHOT:compile` when running `mvn dependency:tree` on both `master` and on my branch.
   
   The error message for the test is:
   
   ```
   $ src/check-binary-license ./distribution/server/target/apache-pulsar-*-bin.tar.gz
   org.bouncycastle-bcpkix-jdk15on-1.61.jar unaccounted for in LICENSE
   org.bouncycastle-bcprov-jdk15on-1.61.jar unaccounted for in LICENSE
   org.bouncycastle-bcpkix-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   org.bouncycastle-bcprov-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   org.bouncycastle-bcutil-jdk15on-1.69.jar mentioned in LICENSE, but not bundled
   ```
   
   When I inspect the server distribution after building from this branch, I see the following:
   
   ```
   $ tar -tf apache-pulsar-2.9.0-SNAPSHOT-bin.tar.gz  | grep -i bounc
   apache-pulsar-2.9.0-SNAPSHOT/licenses/LICENSE-bouncycastle.txt
   apache-pulsar-2.9.0-SNAPSHOT/lib/presto/plugin/pulsar-presto-connector/bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.apache.pulsar-bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-ext-jdk15on-1.69.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcpkix-jdk15on-1.61.jar
   apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-jdk15on-1.61.jar
   ```
   
   It looks like the 1.61 jars are coming from a grpc dependency. After running `mvn dependency:tree`, I can see the following several times throughout our dependency tree: 
   
   ```
   [INFO] |  |  |  \- io.grpc:grpc-xds:jar:1.33.0:test
   [INFO] |  |  |     +- org.bouncycastle:bcpkix-jdk15on:jar:1.61:test
   [INFO] |  |  |     |  \- org.bouncycastle:bcprov-jdk15on:jar:1.61:test
   [INFO] |  |  |     \- io.grpc:grpc-netty-shaded:jar:1.33.0:test (version selected from constraint [1.33.0,1.33.0])
   ```
   
   I'm not familiar enough with Maven or with our build to know the right way to solve this. On one hand, `grpc-xds` is bringing in an older version of bouncy castle, which is known to have security issues (https://github.com/apache/pulsar/pull/10867), so I think we'll want to force the version to 1.69. Note that the latest version of grpc-xds is 1.40.1 and is only using bouncy castle jars [1.67](https://github.com/grpc/grpc-java/blob/v1.40.1/build.gradle#L184). On the other hand, is it a good idea to be using a later version of bouncy castle than the `grpc-xds` jar requires?
   
   @lhotari - can you help me figure out the right next step here?
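The failing check above reconciles two lists: the jars actually bundled under `lib/` in the tarball and the jar names the LICENSE file claims to cover. The following is an added example (not part of this comment and not Pulsar's own `src/check-binary-license` script) that reproduces that reconciliation on a constructed `tar -tf` listing and a constructed LICENSE excerpt, and additionally pairs up mismatches that differ only in version, which is exactly the 1.61 vs 1.69 drift seen here. The LICENSE line format and the sample data are assumptions.

```python
"""Reconcile jars bundled in a distribution tarball against the jar names
listed in its LICENSE file, then flag same-artifact version drift.

Added example with constructed data; not the Pulsar check-binary-license script.
"""
import re

# A top-level "lib/<name>.jar" entry in a `tar -tf` listing (one directory prefix).
LIB_JAR_RE = re.compile(r"^[^/]+/lib/([^/]+\.jar)$")
# Any line in LICENSE that ends with a jar file name (assumed format: " - <jar>").
LICENSE_JAR_RE = re.compile(r"([A-Za-z0-9_.\-]+\.jar)\s*$")
# Split "<artifact>-<version>.jar" at the first "-<digit>" boundary.
JAR_VERSION_RE = re.compile(r"^(.*?)-(\d.*)\.jar$")

# Constructed sample listing, modelled on the `tar -tf ... | grep -i bounc` output above.
TAR_MEMBERS = [
    "apache-pulsar-2.9.0-SNAPSHOT/licenses/LICENSE-bouncycastle.txt",
    "apache-pulsar-2.9.0-SNAPSHOT/lib/presto/plugin/pulsar-presto-connector/bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar",
    "apache-pulsar-2.9.0-SNAPSHOT/lib/org.apache.pulsar-bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar",
    "apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-ext-jdk15on-1.69.jar",
    "apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcpkix-jdk15on-1.61.jar",
    "apache-pulsar-2.9.0-SNAPSHOT/lib/org.bouncycastle-bcprov-jdk15on-1.61.jar",
]

# Constructed LICENSE excerpt; the "- <jar>" line shape is an assumption.
LICENSE_TEXT = """\
 * Bouncy Castle -- licenses/LICENSE-bouncycastle.txt
    - org.bouncycastle-bcpkix-jdk15on-1.69.jar
    - org.bouncycastle-bcprov-jdk15on-1.69.jar
    - org.bouncycastle-bcprov-ext-jdk15on-1.69.jar
    - org.bouncycastle-bcutil-jdk15on-1.69.jar
 * Apache Pulsar bouncy castle wrapper
    - org.apache.pulsar-bouncy-castle-bc-2.9.0-SNAPSHOT-pkg.jar
"""


def bundled_jars(tar_members):
    """Jar file names directly under lib/ (plugin subdirectories are ignored)."""
    jars = set()
    for member in tar_members:
        m = LIB_JAR_RE.match(member)
        if m:
            jars.add(m.group(1))
    return jars


def licensed_jars(license_text):
    """Jar file names the LICENSE text claims to account for."""
    jars = set()
    for line in license_text.splitlines():
        m = LICENSE_JAR_RE.search(line)
        if m:
            jars.add(m.group(1))
    return jars


def reconcile(tar_members, license_text):
    """Return the two mismatch classes the license check reports."""
    bundled = bundled_jars(tar_members)
    licensed = licensed_jars(license_text)
    return {
        "unaccounted": sorted(bundled - licensed),   # bundled, missing from LICENSE
        "not_bundled": sorted(licensed - bundled),   # in LICENSE, not in the tarball
    }


def split_version(jar):
    """('org.bouncycastle-bcpkix-jdk15on', '1.61') for the 1.61 bcpkix jar."""
    m = JAR_VERSION_RE.match(jar)
    return (m.group(1), m.group(2)) if m else (jar, "")


def version_drift(report):
    """Pair an unaccounted jar with a not-bundled jar of the same artifact.

    Each tuple is (artifact, bundled_version, licensed_version); this is the
    signal that a transitive dependency pulled in a different version than the
    one LICENSE was written for.
    """
    licensed_by_artifact = dict(split_version(j) for j in report["not_bundled"])
    drift = []
    for jar in report["unaccounted"]:
        artifact, bundled_version = split_version(jar)
        if artifact in licensed_by_artifact:
            drift.append((artifact, bundled_version, licensed_by_artifact[artifact]))
    return drift


if __name__ == "__main__":
    result = reconcile(TAR_MEMBERS, LICENSE_TEXT)
    for jar in result["unaccounted"]:
        print(f"{jar} unaccounted for in LICENSE")
    for jar in result["not_bundled"]:
        print(f"{jar} mentioned in LICENSE, but not bundled")
    for artifact, have, want in version_drift(result):
        print(f"version drift: {artifact} bundled {have}, LICENSE lists {want}")
```

Run against the constructed data it reports the same five mismatch lines as the failing test, and the drift pass reduces them to two actionable findings (bcpkix and bcprov at 1.61 instead of 1.69) plus one LICENSE entry (bcutil) with no bundled counterpart at all.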

