> > Basically, the source of the Bouncy Castle Crypto libraries is
> > freely available, however the library jar file is signed by Bouncy
> > Castle, which is necessary for its use as a Java security provider.
>
> Bad.
>
> > As far as I can tell, in creating a Java library package, I want to
> > include all of the original source, but then distribute the signed jar
> > rather than rebuilding it from the source.
>
> I personally don't like it... but well, let's trust the Legion of the
> Bouncy Castle

The only options I can think of are to make multiple packages, some with
signed jars and some with unsigned jars, or to provide both jars in the
same package. Note that this is not just a matter of being signed by the
Legion of the Bouncy Castle; the certificate they use was obtained from
"the JCE Code Signing Certification Authority" [1]. Being signed allows
Java to trust [2] the jar, in accordance with the privileges associated
with the trusted signer.

1. http://java.sun.com/j2se/1.4.2/docs/guide/security/jce/HowToImplAJCEProvider.html#Step%205
2. http://java.sun.com/j2se/1.4.2/docs/guide/extensions/spec.html#installed

> > I have tried the various options I could think of, but wherever I try to
> > include the signed jar in the package, whether inside or outside of the
> > debian subdirectory, with or without a new jar directory, I get the
> > following error when I run dpkg-buildpackage:
>
> You can follow the advice of doogie, or you can also rebuild a
> semi-original tarball.
>
> Also, looking at #234048, your short description will be rejected by
> ftp-master. You also have to make good descriptions of all the binary
> packages that your source package will produce.

Yeah, I filed the initial bug imagining a single package, and then
realized that there are multiple packages distributed separately by
Bouncy Castle. My first thought was to create a different package for
each signed jar they provide on their download page. Is that the right
thing to do, or should I rather create a single package that provides
all of the jars? Or should I group together the 112, 113, and 114 jars
of the same type?

I've uploaded a first stab at packaging one of the jars to
mentors.debian.net, but it doesn't seem to be there yet. The package
name I uploaded is libbcprov-jdk14-java. I would love to get feedback on
it once it arrives.

> I'm not a guru in cryptography so I'd like to know the differences
> between Bouncy Castle Cryptography and Cryptix?
>
> Bouncy Castle Crypto APIs -- http://www.bouncycastle.org/
> Cryptix -- http://www.ntua.gr/cryptix/

They are very similar in nature. They do, of course, have different
algorithms implemented. I started using Bouncy Castle because of their
Elliptic Curve Cryptography implementation (including ECDSA,
specifically). Also, "Although primarily geared towards providing
alternative encryption algorithms for J2SE, the Legion has adapted some
of its code to work with J2ME. Specifically, parts of the Bouncy Castle
lightweight cryptography API work with both the CLDC and the CDC" [3].

3. http://java.sun.com/developer/J2METechTips/2001/tt1217.html

> Thanks for your time and help in Debian,

Thank you for your feedback. I hope to receive additional help as I iron
out the issues related to packaging Bouncy Castle.

Charles

--
Prize contest details
May be obtained
At football broadcast
Every Saturday
Over WCCO
Burma-Shave
http://frogcircus.org/burmashave/1933/prize_contest_details