[bisq-network/bisq] Remove bcprov from direct dependencies - a major step towards eventually removing Bouncy Castle (#3195)

battleofwizards notifications at github.com
Tue Sep 3 13:32:34 UTC 2019


This removes `org.bouncycastle:bcprov` from **direct** dependencies.

We still depend on this jar **indirectly** via `bouncycastle:bcpg`, which is used for PGP signature verification of Bisq Desktop updates.

This gets us closer to the prospect of removing the Bouncy Castle dependency entirely in the future.

Rationale for this direction:

* We are really only using Bouncy Castle for PGP sig verification
* Java's builtin cryptography got vastly better since 2000; no more key length restrictions
* We should prefer boring and proven cryptography anyway
* Australian projects should be considered compromised and Bouncy Castle is managed by an Australian non-profit organization
* Bouncy Castle is a heavy dependency totaling 3.6MB

In the process:

* Ergo coin got removed
* BC Base64 got replaced with Java's builtin version (which is much faster BTW)
* BC Hex got replaced with Guava's version

Note to reviewers: individual commits are easier to review than the full diff. They also provide more details.
You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq/pull/3195

-- Commit Summary --

  * Replace bouncycastle Hex with guava Hex
  * Replace bouncycastle Base64 with java builtin Base64
  * Remove Ergo coin as prep to remove Bouncy Castle
  * Remove bouncycastle:bcprov from *direct* dependencies

-- File Changes --

    D assets/src/main/java/bisq/asset/coins/Ergo.java (66)
    M assets/src/main/resources/META-INF/services/bisq.asset.Asset (1)
    D assets/src/test/java/bisq/asset/coins/ErgoTest.java (48)
    M build.gradle (3)
    M common/src/main/java/bisq/common/crypto/CryptoUtils.java (1)
    M common/src/main/java/bisq/common/crypto/Encryption.java (5)
    M common/src/main/java/bisq/common/crypto/PGP.java (5)
    M common/src/main/java/bisq/common/crypto/Sig.java (6)
    A common/src/main/java/bisq/common/util/Base64.java (33)
    A common/src/main/java/bisq/common/util/Hex.java (31)
    M core/src/test/java/bisq/core/crypto/EncryptionTest.java (5)
    M p2p/src/main/java/bisq/network/p2p/storage/P2PDataStorage.java (5)
    M pricenode/src/main/java/bisq/price/spot/providers/BitcoinAverage.java (5)

-- Patch Links --

https://github.com/bisq-network/bisq/pull/3195.patch
https://github.com/bisq-network/bisq/pull/3195.diff
