On Sat, 15 Apr 2023 at 11:16, Eirik Bjørsnøs <eir...@gmail.com> wrote:
> Hi, > > JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests removing > the deprecated classes in javax.security.cert. > > The CSR was withdrawn last year following ecosystem compatibility concerns: > > Given the compatibility risks/impacts with existing providers and JSSE >> implementations, we've decided to withdraw this CSR for the time being. > > > I reached out to the BouncyCastle project [3] and they are basically OK > with the OpenJDK project to go ahead and remove the APIs: > > It's a just cause, so go ahead and deal with it, I think all we need is >> someone to let us know when it's done and point us at a JVM so we can >> start organising the new jar. > > > I have also contributed the following PRs to make Tomcat, Netty, Vert.x > and Undertow aware of the plans of removal and also to provide the actual > code changes: > > https://github.com/apache/tomcat/pull/608 > https://github.com/netty/netty/pull/13326 > https://github.com/eclipse-vertx/vert.x/pull/4665 > https://github.com/undertow-io/undertow/pull/1468 > > Implementing these PRs was mostly straightforward, indicating that the > impact in these projects would be relatively low if these APIs would be > removed today. > > I think we are in a bit of a knotty situation where the ecosystem is now > basically just waiting for OpenJDK to actually remove these APIs. > > Based on my recent interaction with these projects I'm hopeful that the > ecosystem impact is lower than what has been assessed previously. I believe > we should go ahead with this removal, sooner rather than later. > > Any thoughts? > > Thanks, > Eirik. > > [1] https://bugs.openjdk.org/browse/JDK-8227024 > [2] https://bugs.openjdk.org/browse/JDK-8227395 > [3] https://marc.info/?l=bouncycastle-crypto-dev&m=168154811006840&w=2 >
