You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@pdfbox.apache.org by Miao Fan <mi...@gmail.com> on 2011/06/23 14:15:01 UTC
Why org.bouncycastle.* packages were specified as mandatory in the
manifest in the pdfbox-1.5.0.jar
Hello,
I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
downloaded jars contains mandatory dependencies of org.bouncycastle.*
plugins which should not. I have to modify wrapper it by removing them from
manifest to use. I want to confirm if that's a bug and if yes, how to submit
a bug against it?
B.T.W, adding org.bouncycastle.* plugins is not option for us now since it
needs to get legal approval etc to get them in.
Thanks,
Miao
Re: Why org.bouncycastle.* packages were specified as mandatory in
the manifest in the pdfbox-1.5.0.jar
Posted by Thomas Chojecki <in...@rayman2200.de>.
Zitat von Miao Fan <mi...@gmail.com>:
> Hi Thomas,
Hi Miao,
> Anyway, just curious how I could submit a bug?
You can find the issue tracker under the link [1] and need to register
a user account. But it's not a bug, more an improvement or wish. To
decrypt or encrypt documents the pdfbox need this library otherwise it
crash and encrypted documents aren't so rare (all protected documents
are encrypted).
I need also a bc free version. So thumbs up for that improvement.
> Thanks,
> Miao
Best regards
Thomas
[1] https://issues.apache.org/jira/browse/PDFBOX/
> On Thu, Jun 23, 2011 at 8:52 AM, Thomas Chojecki <in...@rayman2200.de> wrote:
>
>> Zitat von Miao Fan <mi...@gmail.com>:
>>
>> Hello,
>>>
>> Hi Miao,
>>
>>
>> I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
>>> downloaded jars contains mandatory dependencies of org.bouncycastle.*
>>> plugins which should not. I have to modify wrapper it by removing them
>>> from
>>> manifest to use. I want to confirm if that's a bug and if yes, how to
>>> submit
>>> a bug against it?
>>>
>> Some functionality of the pdfbox need the BC. I would also prefer to remove
>> this dependancy because BC is a heavy weight library and do not harmony with
>> a small pdf library.
>>
>>
>> B.T.W, adding org.bouncycastle.* plugins is not option for us now since it
>>> needs to get legal approval etc to get them in.
>>>
>> I found out that the PDF Encryption need the library. So only for encrypted
>> pdf documents.
>>
>> Maybe someone can rewrite the code of the *.pdmodel.encryption.* and use
>> only the java cryptography extension (JCE)
>>
>> Thanks,
>>>
>>> Miao
>>>
>>
>> Best regards
>> Thomas
>>
>>
>>
>
Re: Why org.bouncycastle.* packages were specified as mandatory in
the manifest in the pdfbox-1.5.0.jar
Posted by Miao Fan <mi...@gmail.com>.
Hi Thomas,
I totally agree with you. We have a small project and won't need any
encryption. The simple solution would be mark them as optional in the
manifest file. Also the version of 'export' plugins are not versioned which
make us can't import these plugins based on version.
Anyway, just curious how I could submit a bug?
Thanks,
Miao
On Thu, Jun 23, 2011 at 8:52 AM, Thomas Chojecki <in...@rayman2200.de> wrote:
> Zitat von Miao Fan <mi...@gmail.com>:
>
> Hello,
>>
> Hi Miao,
>
>
> I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
>> downloaded jars contains mandatory dependencies of org.bouncycastle.*
>> plugins which should not. I have to modify wrapper it by removing them
>> from
>> manifest to use. I want to confirm if that's a bug and if yes, how to
>> submit
>> a bug against it?
>>
> Some functionality of the pdfbox need the BC. I would also prefer to remove
> this dependancy because BC is a heavy weight library and do not harmony with
> a small pdf library.
>
>
> B.T.W, adding org.bouncycastle.* plugins is not option for us now since it
>> needs to get legal approval etc to get them in.
>>
> I found out that the PDF Encryption need the library. So only for encrypted
> pdf documents.
>
> Maybe someone can rewrite the code of the *.pdmodel.encryption.* and use
> only the java cryptography extension (JCE)
>
> Thanks,
>>
>> Miao
>>
>
> Best regards
> Thomas
>
>
>
Re: Why org.bouncycastle.* packages were specified as mandatory in
the manifest in the pdfbox-1.5.0.jar
Posted by Miao Fan <mi...@gmail.com>.
Hi Tomas,
Thanks for the info.
Adam,
I agree the majority may be more interested in using the bc. But make it
optional in "manifest" still server your interest. You can still use it
without any issue. :) But for those such as us do not want it, it works for
us too.
In addition, if bc to be considered as a mandatory plugs-ins, that's fine
too. But please modify http://pdfbox.apache.org/dependencies.html. On that
page, it says "Optional dependencies".
Thanks,
Miao
On Thu, Jun 23, 2011 at 12:07 PM, <Ad...@swmc.com> wrote:
> What would be the correct action if a user tries to decrypt a PDF without
> the decryption libraries (bc)? Currently, it throws an exception, which
> seems like the most reasonable thing to do.
>
> Marking bc as optional and not including it by default seems like it would
> not be in the best interest to the majority of users. As Thomas
> mentioned, encrypted PDFs are not rare, so not having the ability to
> decrypt them out of the box would be a major drawback. As a side note,
> many documents with no password and no apparent restrictions are still
> encrypted, just with a blank password. You'll still need the decryption
> libraries to deal with these documents.
>
> For those who are unwilling or unable to use bc, you can remove the
> library manually as long as you do not need to ever deal with any
> encrypted documents. On the other hand, if you need to deal with
> encryption and can't use bc, we would be happy to accept a patch which
> decrypts them without the library. Then if the bc libs aren't present, it
> can fall back to your new implementation. This would make sure existing
> users don't have any regression bugs (as they'll still use bc), and you'd
> be able to remove bc and still have working crypto capabilities. Once the
> non-bc version is stable and can handle all RC4, and AES cases that bc can
> handle, we can mark the bc libs as optional.
>
> ----
> Thanks,
> Adam
>
>
>
>
>
> From:
> Thomas Chojecki <in...@rayman2200.de>
> To:
> users@pdfbox.apache.org
> Date:
> 06/23/2011 05:53
> Subject:
> Re: Why org.bouncycastle.* packages were specified as mandatory in the
> manifest in the pdfbox-1.5.0.jar
>
>
>
> Zitat von Miao Fan <mi...@gmail.com>:
>
> > Hello,
> Hi Miao,
>
> > I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
> > downloaded jars contains mandatory dependencies of org.bouncycastle.*
> > plugins which should not. I have to modify wrapper it by removing them
> from
> > manifest to use. I want to confirm if that's a bug and if yes, how to
> submit
> > a bug against it?
> Some functionality of the pdfbox need the BC. I would also prefer to
> remove this dependancy because BC is a heavy weight library and do not
> harmony with a small pdf library.
>
> > B.T.W, adding org.bouncycastle.* plugins is not option for us now since
> it
> > needs to get legal approval etc to get them in.
> I found out that the PDF Encryption need the library. So only for
> encrypted pdf documents.
>
> Maybe someone can rewrite the code of the *.pdmodel.encryption.* and
> use only the java cryptography extension (JCE)
>
> > Thanks,
> >
> > Miao
>
> Best regards
> Thomas
>
>
>
>
>
>
>
> - FHA 203b; 203k; HECM; VA; USDA; Conventional
> - Warehouse Lines; FHA-Authorized Originators
> - Lending and Servicing in over 45 States
> www.swmc.com - www.simplehecmcalculator.com
> Visit www.swmc.com/resources for helpful links on Training, Webinars,
> Lender Alerts and Submitting Conditions
>
> This email and any content within or attached hereto from Sun West Mortgage
> Company, Inc. is confidential and/or legally privileged. The information is
> intended only for the use of the individual or entity named on this email.
> If you are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution or taking any action in reliance on the
> contents of this email information is strictly prohibited, and that the
> documents should be returned to this office immediately by email. Receipt by
> anyone other than the intended recipient is not a waiver of any privilege.
> Please do not include your social security number, account number, or any
> other personal or financial information in the content of the email. Should
> you have any questions, please call (800) 453 7884.
Re: Why org.bouncycastle.* packages were specified as mandatory in the
manifest in the pdfbox-1.5.0.jar
Posted by Ad...@swmc.com.
What would be the correct action if a user tries to decrypt a PDF without
the decryption libraries (bc)? Currently, it throws an exception, which
seems like the most reasonable thing to do.
Marking bc as optional and not including it by default seems like it would
not be in the best interest to the majority of users. As Thomas
mentioned, encrypted PDFs are not rare, so not having the ability to
decrypt them out of the box would be a major drawback. As a side note,
many documents with no password and no apparent restrictions are still
encrypted, just with a blank password. You'll still need the decryption
libraries to deal with these documents.
For those who are unwilling or unable to use bc, you can remove the
library manually as long as you do not need to ever deal with any
encrypted documents. On the other hand, if you need to deal with
encryption and can't use bc, we would be happy to accept a patch which
decrypts them without the library. Then if the bc libs aren't present, it
can fall back to your new implementation. This would make sure existing
users don't have any regression bugs (as they'll still use bc), and you'd
be able to remove bc and still have working crypto capabilities. Once the
non-bc version is stable and can handle all RC4, and AES cases that bc can
handle, we can mark the bc libs as optional.
----
Thanks,
Adam
From:
Thomas Chojecki <in...@rayman2200.de>
To:
users@pdfbox.apache.org
Date:
06/23/2011 05:53
Subject:
Re: Why org.bouncycastle.* packages were specified as mandatory in the
manifest in the pdfbox-1.5.0.jar
Zitat von Miao Fan <mi...@gmail.com>:
> Hello,
Hi Miao,
> I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
> downloaded jars contains mandatory dependencies of org.bouncycastle.*
> plugins which should not. I have to modify wrapper it by removing them
from
> manifest to use. I want to confirm if that's a bug and if yes, how to
submit
> a bug against it?
Some functionality of the pdfbox need the BC. I would also prefer to
remove this dependancy because BC is a heavy weight library and do not
harmony with a small pdf library.
> B.T.W, adding org.bouncycastle.* plugins is not option for us now since
it
> needs to get legal approval etc to get them in.
I found out that the PDF Encryption need the library. So only for
encrypted pdf documents.
Maybe someone can rewrite the code of the *.pdmodel.encryption.* and
use only the java cryptography extension (JCE)
> Thanks,
>
> Miao
Best regards
Thomas
- FHA 203b; 203k; HECM; VA; USDA; Conventional
- Warehouse Lines; FHA-Authorized Originators
- Lending and Servicing in over 45 States
www.swmc.com - www.simplehecmcalculator.com
Visit www.swmc.com/resources for helpful links on Training, Webinars, Lender Alerts and Submitting Conditions
This email and any content within or attached hereto from Sun West Mortgage Company, Inc. is confidential and/or legally privileged. The information is intended only for the use of the individual or entity named on this email. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution or taking any action in reliance on the contents of this email information is strictly prohibited, and that the documents should be returned to this office immediately by email. Receipt by anyone other than the intended recipient is not a waiver of any privilege. Please do not include your social security number, account number, or any other personal or financial information in the content of the email. Should you have any questions, please call (800) 453 7884.
Re: Why org.bouncycastle.* packages were specified as mandatory in
the manifest in the pdfbox-1.5.0.jar
Posted by Thomas Chojecki <in...@rayman2200.de>.
Zitat von Miao Fan <mi...@gmail.com>:
> Hello,
Hi Miao,
> I downloaded pdfbox 1.4 and 1.5 recently, and found the manifest in the
> downloaded jars contains mandatory dependencies of org.bouncycastle.*
> plugins which should not. I have to modify wrapper it by removing them from
> manifest to use. I want to confirm if that's a bug and if yes, how to submit
> a bug against it?
Some functionality of the pdfbox need the BC. I would also prefer to
remove this dependancy because BC is a heavy weight library and do not
harmony with a small pdf library.
> B.T.W, adding org.bouncycastle.* plugins is not option for us now since it
> needs to get legal approval etc to get them in.
I found out that the PDF Encryption need the library. So only for
encrypted pdf documents.
Maybe someone can rewrite the code of the *.pdmodel.encryption.* and
use only the java cryptography extension (JCE)
> Thanks,
>
> Miao
Best regards
Thomas