Publish a Bill of Materials to Maven #899

Open
OrangeDog opened this issue Mar 5, 2021 · 6 comments · May be fixed by #1915

Comments

@OrangeDog

To aid large projects who have multiple transient dependencies on BC, you could publish a BOM to maven to cover all components at the same version. e.g.:

<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.bouncycastle</groupId>
  <artifactId>bcall</artifactId>
  <version>1.68</version>
  <!-- a BOM is published with pom packaging so consumers can import it -->
  <packaging>pom</packaging>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <!-- etc. -->
    </dependencies>
  </dependencyManagement>
</project>
@bjmi

bjmi commented Jun 8, 2022

Other existing examples:

@OrangeDog
Author

This would also help when some components get patches but others don't.

e.g. version 1.72.2 of the BOM would contain 1.72.2 of bcpg but 1.72 of all the others.

@alshopov

alshopov commented Nov 6, 2023

I am also interested in BOM. Are you interested in patches?

@runeflobakk

This would be very helpful, as it is very easy to run into NoClassDefFoundError and similar as you upgrade the BouncyCastle components which you depend on, and other libraries in your graph depend typically on earlier versions which are not compatible.
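
A check for the version skew described in the comment above, as an added example that is not part of the issue thread or the Bouncy Castle project: it groups `org.bouncycastle` artifacts in `mvn dependency:list` output by resolved version. The sample listing is constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample of `mvn dependency:list` output (not taken from the issue).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.bouncycastle:bcprov-jdk15on:jar:1.68:compile
[INFO]    org.bouncycastle:bcpkix-jdk15on:jar:1.68:compile
[INFO]    org.bouncycastle:bcpg-jdk15on:jar:1.60:runtime
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""


def bc_versions(listing, group="org.bouncycastle"):
    """Map each resolved version to the sorted artifactIds that use it.

    Coordinates are group:artifact:type:version:scope, or
    group:artifact:type:classifier:version:scope when a classifier is set,
    so the version is always the second-to-last field.
    """
    by_version = defaultdict(set)
    for line in listing.splitlines():
        # Drop the log prefix; anything after the coordinates
        # (e.g. a trailing module note) is ignored.
        tokens = line.replace("[INFO]", "", 1).split()
        if not tokens:
            continue
        parts = tokens[0].split(":")
        if len(parts) not in (5, 6) or parts[0] != group:
            continue
        by_version[parts[-2]].add(parts[1])
    return {version: sorted(ids) for version, ids in by_version.items()}


def has_skew(listing, group="org.bouncycastle"):
    """True when the group's artifacts resolve to more than one version."""
    return len(bc_versions(listing, group)) > 1


if __name__ == "__main__":
    for version, artifacts in sorted(bc_versions(SAMPLE).items()):
        print(version, ", ".join(artifacts))
    print("version skew:", has_skew(SAMPLE))
```

Differing versions are not always a fault, since a patch release may cover only some components, so treat a positive result as a prompt to review the dependency graph.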

@OrangeDog
Author

You could use this plugin to generate them automatically:
https://github.com/sundrio/sundrio/tree/main/maven-plugin

runeflobakk added a commit to runeflobakk/bc-java that referenced this issue Nov 17, 2024
@runeflobakk runeflobakk linked a pull request Nov 17, 2024 that will close this issue
@runeflobakk

I have created a suggestion in #1915, and would very much appreciate any feedback as this is more or less my first experience with Gradle 😅
