An update on ecosystem concerns removing javax.security.cert
Alan Bateman
Alan.Bateman at oracle.com
Sat Apr 15 13:50:44 UTC 2023
On 15/04/2023 10:15, Eirik Bjørsnøs wrote:
> Hi,
>
> JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests
> removing the deprecated classes in javax.security.cert.
>
> The CSR was withdrawn last year following ecosystem compatibility
> concerns:
>
> Given the compatibility risks/impacts with existing providers and
> JSSE implementations, we've decided to withdraw this CSR for the
> time being.
>
>
> I reached out to the BouncyCastle project [3] and they are basically
> OK with the OpenJDK project to go ahead and remove the APIs:
>
> It's a just cause, so go ahead and deal with it, I think all we
> need is
> someone to let us know when it's done and point us at a JVM so we can
> start organising the new jar.
>
>
> I have also contributed the following PRs to make Tomcat, Netty,
> Vert.x and Undertow aware of the plans of removal and also to provide
> the actual code changes:
>
> https://github.com/apache/tomcat/pull/608
> https://github.com/netty/netty/pull/13326
> https://github.com/eclipse-vertx/vert.x/pull/4665
> https://github.com/undertow-io/undertow/pull/1468
>
> Implementing these PRs was mostly straightforward, indicating that the
> impact in these projects would be relatively low if these APIs would
> be removed today.
>
> I think we are in a bit of a knotty situation where the ecosystem is
> now basically just waiting for OpenJDK to actually remove these APIs.
> Based on my recent interaction with these projects I'm hopeful that
> the ecosystem impact is lower than what has been assessed previously.
> I believe we should go ahead with this removal, sooner rather than later.
>
> Any thoughts?
>
Kudos for reaching out the BC and for creating PRs to several projects
to remove their usage, this is a great way to contribute!
Removing anything is hard. The changes in JDK-8241047 were intended to
allow SSLSession implementations drop their dependence on
javax.security.cert.X509Certificate but it may take time if
implementations are still expecting to be able to compile to a wide
range of releases that include JDK 14 or older. I also be concerned that
existing releases of this frameworks/libs with dependences on
javax.security.cert.X509Certificate will be in use for some time. I'll
defer to Sean and Brad but it feels like it might have to stay around
for another few releases at least.
-Alan.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230415/6e0a1b35/attachment.htm>
More information about the security-dev
mailing list