For more security spongycastle -> bouncycastle #4163
Comments
Thanks for opening your first issue here!
As far as I remember we did have bouncycastle before, but needed to switch to the default oracle one as external libs support wasn't supported anymore when we upgraded the JDK. Maybe @freimair has more details on this.
@ripcurlx: Thanks for your comment! For several years, a lot of projects have already moved from Spongy Castle to Bouncy Castle because the project is dead. You can see discussion "34" in https://github.com/rtyley/spongycastle/issues.
@ripcurlx: Any news?
@Neustradamus Sorry - completely missed your response. As mentioned above I don't think we are using Spongy Castle at all (we previously did use BouncyCastle). Where did you find this in the codebase? Maybe I missed something.
@ripcurlx: Spongy Castle was a fork of Bouncy Castle and it is obsolete:
Spongy Castle has vulnerabilities from Bouncy Castle. Time to update to Bouncy Castle 1.68.
@ripcurlx: Please look in all repositories:
I see in this project:
Please update, there are CVEs
That is an old formatting instruction. I'll get rid of it. Yes, I did look myself as well and found some bouncycastle libs used. We use version 1.63 right now. I'll forward it to check if we should/can move to 1.68 without any problems.
Those are all deprecated/archived or unused projects. But it was a good reminder to archive two of them as well (bisq-network/incubator-bisq-api and bisq-network/incubator-bisq-xmr-integration).
@stejbac @chimp1984 Do you think it is safe to update to the latest bouncycastle version?
@ripcurlx Are there any important changes? Basically we prefer to not update libs as long as not needed. Risk to get new targeted vulnerabilities is higher IMO than potential security fixes for some exotic edge cases. To do it safely someone would need to review/audit all the changes there which is unfeasible from our dev work force.
For more security, can you change old spongycastle (based on old bouncycastle) to bouncycastle?