[bisq-network/bisq] Minimal api (#3001)

[mrosseel]

@blabno you surely put a lot of effort in, it's time to make some decisions

I'm thinking there might be a middle ground between 'no new deps' and 'add all the deps'.
What if the api was optionally enabled in the client or shipped separately? 
Using OSGI (please don't) or the new java module system it should be possible to only add the dependencies to the classpath if the api is enabled.  This will limit the attack surface to maybe 1% of the users.

Rewriting all the things is an option, but very costly and I'm personally not convinced it will be better (security bugs) or more non-hackable (rogue contributor).

So my proposal is that either the deps are loaded as-needed or the api is shipped in a different binary. If others insist on the 'rewrite everything' option, I understand that blabno needs some assurances that this will then be merged.

This is a difficult topic, hopefully the next dev call will shed some light :)

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/3001#issuecomment-525671830
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20190828/8f1a1904/attachment.html>