<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
On 15/04/2023 10:15, Eirik Bjørsnøs wrote:<br>
<blockquote type="cite" cite="mid:CA+pBWhvtcoHF9FE=uUciyFnAU=1V7NQu8cUYUBpo8ODjCinbGw@mail.gmail.com">
<div dir="ltr">Hi,<br>
<div><br>
</div>
<div>JDK-8227024 [1] and the associated CSR JDK-8227395 [2]
suggests removing the deprecated classes
in javax.security.cert.<br>
</div>
<div><br>
</div>
<div>The CSR was withdrawn last year following ecosystem
compatibility concerns:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Given
the compatibility risks/impacts with existing providers and
JSSE implementations, we've decided to withdraw this CSR for
the time being.</blockquote>
<div><br>
</div>
<div>I reached out to the BouncyCastle project [3] and they are
basically OK with the OpenJDK project to go ahead and remove
the APIs:</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">It's
a just cause, so go ahead and deal with it, I think all we
need is<br>
someone to let us know when it's done and point us at a JVM so
we can<br>
start organising the new jar.</blockquote>
<div><br>
</div>
<div>I have also contributed the following PRs to make Tomcat,
Netty, Vert.x and Undertow aware of the plans of removal and
also to provide the actual code changes:</div>
<div><br>
</div>
<div><a href="https://github.com/apache/tomcat/pull/608" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/apache/tomcat/pull/608</a><br>
</div>
<div><a href="https://github.com/netty/netty/pull/13326" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/netty/netty/pull/13326</a><br>
</div>
<div><a href="https://github.com/eclipse-vertx/vert.x/pull/4665" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/eclipse-vertx/vert.x/pull/4665</a><br>
</div>
<div><a href="https://github.com/undertow-io/undertow/pull/1468" moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/undertow-io/undertow/pull/1468</a><br>
</div>
<div><br>
</div>
<div>Implementing these PRs was mostly straightforward,
indicating that the impact in these projects would be
relatively low if these APIs would be removed today.</div>
<div><br>
</div>
<div>I think we are in a bit of a knotty situation where the
ecosystem is now basically just waiting for OpenJDK to
actually remove these APIs.</div>
<div> </div>
<div>Based on my recent interaction with these projects I'm
hopeful that the ecosystem impact is lower than what has been
assessed previously. I believe we should go ahead with this
removal, sooner rather than later.</div>
<div><br>
</div>
<div>Any thoughts?</div>
<br>
</div>
</blockquote>
Kudos for reaching out the BC and for creating PRs to several
projects to remove their usage, this is a great way to contribute!<br>
<br>
Removing anything is hard. The changes in JDK-8241047 were intended
to allow SSLSession implementations drop their dependence on
javax.security.cert.X509Certificate but it may take time if
implementations are still expecting to be able to compile to a wide
range of releases that include JDK 14 or older. I also be concerned
that existing releases of this frameworks/libs with dependences on
javax.security.cert.X509Certificate will be in use for some time.
I'll defer to Sean and Brad but it feels like it might have to stay
around for another few releases at least.<br>
<br>
-Alan.<br>
</body>
</html>