An update on ecosystem concerns removing javax.security.cert
Cástulo Ramírez Londoño
castuloramirez at gmail.com
Mon Apr 17 19:39:34 UTC 2023
On Sat, 15 Apr 2023 at 11:16, Eirik Bjørsnøs <eirbjo at gmail.com> wrote:
> Hi,
>
> JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests removing
> the deprecated classes in javax.security.cert.
>
> The CSR was withdrawn last year following ecosystem compatibility concerns:
>
> Given the compatibility risks/impacts with existing providers and JSSE
>> implementations, we've decided to withdraw this CSR for the time being.
>
>
> I reached out to the BouncyCastle project [3] and they are basically OK
> with the OpenJDK project to go ahead and remove the APIs:
>
> It's a just cause, so go ahead and deal with it, I think all we need is
>> someone to let us know when it's done and point us at a JVM so we can
>> start organising the new jar.
>
>
> I have also contributed the following PRs to make Tomcat, Netty, Vert.x
> and Undertow aware of the plans of removal and also to provide the actual
> code changes:
>
> https://github.com/apache/tomcat/pull/608
> https://github.com/netty/netty/pull/13326
> https://github.com/eclipse-vertx/vert.x/pull/4665
> https://github.com/undertow-io/undertow/pull/1468
>
> Implementing these PRs was mostly straightforward, indicating that the
> impact in these projects would be relatively low if these APIs would be
> removed today.
>
> I think we are in a bit of a knotty situation where the ecosystem is now
> basically just waiting for OpenJDK to actually remove these APIs.
>
> Based on my recent interaction with these projects I'm hopeful that the
> ecosystem impact is lower than what has been assessed previously. I believe
> we should go ahead with this removal, sooner rather than later.
>
> Any thoughts?
>
> Thanks,
> Eirik.
>
> [1] https://bugs.openjdk.org/browse/JDK-8227024
> [2] https://bugs.openjdk.org/browse/JDK-8227395
> [3] https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20230417/ddf076f7/attachment.htm>
More information about the security-dev
mailing list