[jdk17u-dev] RFR: 8305972: Update XML Security for Java to 3.0.2 [v5]
Goetz Lindenmaier
goetz at openjdk.org
Wed Jan 10 11:55:30 UTC 2024
On Mon, 8 Jan 2024 16:49:38 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Hi @martinuy,
>> do you think it would be better to keep all the code and only remove the two String and the change to the comment of DigestMethod?
>> In the 21u change for the update to [3.0.3](https://github.com/openjdk/jdk21u-dev/pull/94) I have done it that way. Probably that's also the better solution here.
>
> Hi @GoeLin ,
>
> I assume that in 21u you kept all the (implementation) code except for the public members. If so, I understand the motivations but personally prefer what you proposed for 17u in this PR. It makes the code more clear in terms of what is supported. For example, it would be misleading for someone who looks for "EdDSA" references in the code, finds many —even beyond defines— and assumes that it is supported. This is, of course, at the expense of higher chances of non-clean updates. We have taken this approach in other libraries before such as when we removed the implementation of DTLS in the 8u backport of the TLS engine.
>
> Martin.-
Hi @martinuy,
looking at the CSR differences: [CSR for head](https://bugs.openjdk.org/browse/JDK-8307507) [CSR for 11 & 17](https://bugs.openjdk.org/browse/JDK-8320594) I still believe it is more correct to keep the coding.
At least for 17, which, as I understand, supports EdDSA in general. It was just not specified for XML Security (i.e. not contained in SignatureMethod.java). Probably changing this would require more than just a CSR so Oracle omitted it.
I prepared a minimal PR: https://github.com/openjdk/jdk17u-dev/pull/2116 that only removes the strings and replace their usage by the plain strings. The tests pass, our nightly testing passed for this PR, too.
-------------
PR Comment: https://git.openjdk.org/jdk17u-dev/pull/2006#issuecomment-1884706983
More information about the jdk-updates-dev
mailing list