java-algorand-sdk icon indicating copy to clipboard operation
java-algorand-sdk copied to clipboard

Published 20 hours ago verified publisher icon algorand

Move to Java 8

Open winder opened this issue 4 years ago • 11 comments

We should deprecate support for Java 7 and move to Java 8.

Java 7 has almost no market share these days, especially in the security conscious crypto space.

If that isn't enough, there are a handful of Android security fixes in Java 8, so requiring that version could protect algorand users.

winder avatar Jul 22 '20 16:07 winder

Needed to check if it would break any mobile app. @Priegle Any insight here?

algorotem avatar Oct 05 '20 17:10 algorotem

@winder is anyone working on this item currently?

srayhunter avatar Jun 11 '21 20:06 srayhunter

@srayhunter no. Is there a specific reason you would like to see us remove Java7 support?

winder avatar Jun 14 '21 13:06 winder

Just FYI: I've found an issue when you target minSdkVersion = 24 and run on Android 7.

I'm seeing:

com.fasterxml.jackson.databind.JsonMappingException: No virtual method decode(Ljava/lang/String;)[B in class Lorg/apache/commons/codec/binary/Base64; or its super classes (declaration of 'org.apache.commons.codec.binary.Base64' appears in /system/framework/org.apache.http.legacy.boot.jar)
  at [Source: [B@d361c9b; line: 1, column: 340] (through reference chain: com.algorand.algosdk.v2.client.model.TransactionsResponse["transactions"]->java.util.ArrayList[0]->com.algorand.algosdk.v2.client.model.Transaction["genesis-hash"])

which stems from the org.apache.commons.codec.binary.Base64 picking up a broken BaseNCodec from the bootpath.

Using Java 8 Base64 would fix this.

(I cant find a non hacky way to stop my app loading the broken commons code)

richdrich avatar Aug 27 '21 23:08 richdrich

Please keep it Java 7 compatible. We still need this to run on ancient android 4 runtimes.

timmolter avatar Nov 03 '21 20:11 timmolter

I suggest we update to use the BouncyCastle Base64 class, since it's already on this projects classpath. It will also solve another issue with namespace clashing I'm having on Android 4.

timmolter avatar Nov 03 '21 20:11 timmolter

If this works in the old BouncyCastle that's bundled in old Android? Or, just add a local base64 routine that avoids any library issues - should not be needed I know :-)

richdrich avatar Nov 03 '21 22:11 richdrich

Here's the specific issue I am having: https://github.com/algorand/java-algorand-sdk/issues/271

My option #2 to fix it, is exactly what you suggested.

timmolter avatar Nov 03 '21 23:11 timmolter

For BouncyCastle you can force the usage of the compile dependency using

            Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
            Security.insertProviderAt(new BouncyCastleProvider(), 0);

which guarantees ( I think) it uses the one you want and not the old BouncyCastle that's bundled in old Android. This isn't an issue with Java 8 though because you can force the update during runtime.

However there are OTHER issues that I've run into that updating to Java 8 can cause on Android 4, which there are only painful fixes for:

  • List.sort(Object::compareTo)
  • Long.hashCode(long)
  • org.apache.commons.codec.binary.Base64.decode(Ljava/lang/String;)[B

to name a couple. Once you allow Java8, people start using this stuff and then you get crashes usually in production because of some obscure phone that you don't have in hand to test with.

I'm not trying to start an argument, just providing a counter argument. Too bad we just can't update all the phone out there!

timmolter avatar Nov 03 '21 23:11 timmolter

I think that changing the provider makes it use the correct provider for javax.security (JCE) APIs but not where the bouncycastle dependency is imported directly. But I may be wrong.

richdrich avatar Nov 03 '21 23:11 richdrich

Yeah, maybe you're right about that. I'm still learning about this specific issue.... ;)

timmolter avatar Nov 04 '21 09:11 timmolter