hadoop-common-issues mailing list archives

From "Robert Kanter (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-15832) Upgrade BouncyCastle to 1.60
Date Thu, 11 Oct 2018 00:41:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15832?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16645768#comment-16645768 ]

Robert Kanter commented on HADOOP-15832:
----------------------------------------

Good point [~stevel@apache.org], I hadn't thought about that.  It looks like we already have
a notification about crypto export stuff in the README.txt ([https://github.com/apache/hadoop/blob/trunk/README.txt])
and we need to simply append some details to the bottom, right?
{noformat}
...
The following provides more details on the included cryptographic
software:
  Hadoop Core uses the SSL libraries from the Jetty project written 
by mortbay.org.
  Hadoop Yarn Server Web Proxy uses the BouncyCastle Java
cryptography APIs written by the Legion of the Bouncy Castle Inc.
{noformat}
[~stevel@apache.org], does that sound good?  Anything else that's needed?  I can make an addendum
patch.
 

> Upgrade BouncyCastle to 1.60
> ----------------------------
>
>                 Key: HADOOP-15832
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15832
>             Project: Hadoop Common
>          Issue Type: Improvement
>    Affects Versions: 3.3.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Major
>             Fix For: 3.3.0
>
>         Attachments: HADOOP-15832.001.patch
>
>
> As part of my work on YARN-6586, I noticed that we're using a very old version of BouncyCastle:
> {code:xml}
> <dependency>
>    <groupId>org.bouncycastle</groupId>
>    <artifactId>bcprov-jdk16</artifactId>
>    <version>1.46</version>
>    <scope>test</scope>
> </dependency>
> {code}
> The *-jdk16 artifacts have been discontinued and are not recommended (see [http://bouncy-castle.1462172.n4.nabble.com/Bouncycaslte-bcprov-jdk15-vs-bcprov-jdk16-td4656252.html]).
>  In particular, the newest release, 1.46, is from {color:#FF0000}2011{color}! 
>  [https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk16]
> The currently maintained and recommended artifacts are *-jdk15on:
>  [https://www.bouncycastle.org/latest_releases.html]
>  They're currently on version 1.60, released only a few months ago.
> We should update BouncyCastle to the *-jdk15on artifacts and the 1.60 release. It's currently
> a test-only artifact, so there should be no backwards-compatibility issues with updating this.
> It's also needed for YARN-6586, where we'll actually be shipping it.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org

