Created attachment 144217: patch
The java/bouncycastle port is at version 1.45. It is somewhat ancient; 1.50 has been released for a few months.
Fix: Patch for the makefile to support BouncyCastle 1.50 follows.
The major changes:
1. Reference to MIT-like licence added, see https://www.bouncycastle.org/license.html
2. JAVA_VERSION modified, BC doesn't support JDK 1.8
3. JDKMVERSON/JDKNVERSION logic removed, no longer necessary
4. MAKE_ARGS changed, the jdk15+.xml fits all supported JAVA versions
5. JARS: bctsp no longer exists, new jar bcpkix
6. post-patch, do-install: changes to directory layout and file naming reflected
7. pkg-plist and pkg-descr updated
'make makesum' needs to be run after the update.
Over to maintainer.
We cannot replace the current port. 1.45 is the last version supporting BC API v1, from 1.46 the API/ABI changed and current ports depending on BC expect the old API. Creating a new port is the right thing to do, it's in my plan.
1. No problem with it. I hope the patch I sent will turn it into a rather simple task for you. Please do it.
2. JAVA_VERSION may require correction even for 1.45 - it doesn't support JDK 1.8 either.
3. Just for completeness: there are only two ports directly depending on java/bouncycastle: devel/itext and print/pdfbox. print/pdfbox will move to the new BC API in version 2.0.0 (now trunk). The current upstream version of devel/itext uses the new BC API right now. The itext in the ports tree is ancient. I assume devel/itext will not be updated to the current version because of the unfriendly license change.
Let's close this PR.
1) Yes, it will, thanks.
2) Right, I'll fix it.
3) I'm the maintainer of both ports :-) Yes, itext is not updated because of the license. I'm not against a new itext port, but it should be a separate port.
I'll keep the PR open until I commit the new port.
(In reply to Alex Dupre from comment #2)
I've checked, there are two ports that use bouncycastle: devel/itext and print/pdfbox.
There are much newer versions of itext available: 5.5.7 (we have 4.2.0). pdfbox is still at 1.8.10.
Any progress here? According to http://seclists.org/oss-sec/2015/q4/131, the BouncyCastle version we currently ship seems to be vulnerable to CVE-2015-7940, which was fixed in 1.51.
There is now a new port, java/bouncycastle15, recently committed, that brings the 1.54 version into our ports tree. I successfully use it with iText 5.5.9 (not in the ports tree yet) and my own Java code. I created the new port not knowing about this PR. Please review/comment on the new port. I can also give up maintainership of bouncycastle15 if you prefer to maintain both ports. I created it because I know the old version is API-incompatible and I needed the new version.
OK. It seems the legacy Bouncy Castle is still required. So I propose another solution - let the current java/bouncycastle become java/bouncycastle14 to satisfy legacy users of the legacy version, and the current java/bouncycastle15 become java/bouncycastle to make the current version of Bouncy Castle available.
(In reply to Dan Lukes from comment #8) No objections from my side. However, I cannot rename ports myself as I have no commit bits.
I don't know the proper procedure for doing something like this, as I neither have commit bits nor am I the maintainer of a port. I don't even know where to ask.
I'll have a look.
I would suggest keeping bouncycastle as is and submitting new ports for itext and pdfbox that reference bouncycastle15 and use it. Once the new ports are in the tree, we can remove bouncycastle.
(In reply to Kurt Jaeger from comment #12)
So future major versions of Bouncy Castle will require another new port. It will make further updates difficult (moreover, a major upgrade will not happen automatically). But I'm neither the maintainer nor do I have commit bits, so the final decision is not mine.
java/bouncycastle15 now exists in the tree. It is a new port supporting the newer API.