<div><br></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 15 Apr 2023 at 11:16, Eirik Bjørsnøs <<a href="mailto:eirbjo@gmail.com">eirbjo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<br><div><br></div><div>JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests removing the deprecated classes in javax.security.cert.<br></div><div><br></div><div>The CSR was withdrawn last year following ecosystem compatibility concerns:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Given the compatibility risks/impacts with existing providers and JSSE implementations, we've decided to withdraw this CSR for the time being.</blockquote><div><br></div><div>I reached out to the BouncyCastle project [3] and they are basically OK with the OpenJDK project to go ahead and remove the APIs:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">It's a just cause, so go ahead and deal with it, I think all we need is<br> someone to let us know when it's done and point us at a JVM so we can<br> start organising the new jar.</blockquote><div><br></div><div>I have also contributed the following PRs to make Tomcat, Netty, Vert.x and Undertow aware of the plans of removal and also to provide the actual code changes:</div><div><br></div><div><a href="https://github.com/apache/tomcat/pull/608" target="_blank">https://github.com/apache/tomcat/pull/608</a><br></div><div><a href="https://github.com/netty/netty/pull/13326" target="_blank">https://github.com/netty/netty/pull/13326</a><br></div><div><a href="https://github.com/eclipse-vertx/vert.x/pull/4665" target="_blank">https://github.com/eclipse-vertx/vert.x/pull/4665</a><br></div><div><a href="https://github.com/undertow-io/undertow/pull/1468" target="_blank">https://github.com/undertow-io/undertow/pull/1468</a><br></div><div><br></div><div>Implementing these PRs was mostly straightforward, indicating that the impact in these projects would be relatively low if these APIs would be removed today.</div><div><br></div><div>I think we are in a bit of a knotty situation where the ecosystem is now basically just waiting for OpenJDK to actually remove these APIs.</div><div> </div><div>Based on my recent interaction with these projects I'm hopeful that the ecosystem impact is lower than what has been assessed previously. I believe we should go ahead with this removal, sooner rather than later.</div><div><br></div><div>Any thoughts?</div><div><br></div><div>Thanks,</div><div>Eirik.</div><div><br></div><div>[1] <a href="https://bugs.openjdk.org/browse/JDK-8227024" target="_blank">https://bugs.openjdk.org/browse/JDK-8227024</a></div><div>[2] <a href="https://bugs.openjdk.org/browse/JDK-8227395" target="_blank">https://bugs.openjdk.org/browse/JDK-8227395</a></div><div>[3] <a href="https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2" target="_blank">https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2</a></div></div>
</blockquote></div></div>