
Publish a Bill of Materials to Maven

Open OrangeDog opened this issue 4 years ago • 7 comments

To aid large projects that have multiple transient dependencies on BC, you could publish a BOM to maven to cover all components at the same version. e.g.:

<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.bouncycastle</groupId>
  <artifactId>bcall</artifactId>
  <version>1.68</version>
  <!-- a BOM carries no code, so it is published with pom packaging -->
  <packaging>pom</packaging>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <!-- etc. -->
    </dependencies>
  </dependencyManagement>
</project>

OrangeDog avatar Mar 05 '21 12:03 OrangeDog

Other existing examples:

bjmi avatar Jun 08 '22 06:06 bjmi

This would also help when some components get patches but others don't.

e.g. version 1.72.2 of the BOM would contain 1.72.2 of bcpg but 1.72 of all the others.

OrangeDog avatar Mar 06 '23 17:03 OrangeDog
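An added sketch (not from this thread or the bc-java project) of how the proposed BOM would look for the mixed-version case just described, 1.72.2 of bcpg alongside 1.72 of the rest, and how a downstream project would import it so that every BC artifact in its graph, including transitive ones, resolves to the BOM's versions. The artifactId `bcall` is the opener's placeholder and the `com.example` consumer coordinates are made up.

```xml
<!-- Sketch 1: the BOM for 1.72.2; only the patched component moves version. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcall</artifactId>      <!-- placeholder name from this issue -->
  <version>1.72.2</version>
  <packaging>pom</packaging>          <!-- a BOM is a pom-only artifact -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpg-jdk15on</artifactId>
        <version>1.72.2</version>     <!-- the patched component -->
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>1.72</version>       <!-- unchanged components stay at 1.72 -->
      </dependency>
      <!-- bcpkix and the remaining components likewise pinned at 1.72 -->
    </dependencies>
  </dependencyManagement>
</project>

<!-- Sketch 2: a consumer imports the BOM once (type pom, scope import); Maven's
     dependencyManagement then overrides the version of every listed BC artifact,
     including those pulled in transitively by other libraries in the graph. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>       <!-- constructed consumer coordinates -->
  <artifactId>consumer</artifactId>
  <version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcall</artifactId>
        <version>1.72.2</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>  <!-- version supplied by the BOM -->
    </dependency>
  </dependencies>
</project>
```

Running `mvn dependency:tree` in the consumer then shows a single set of BC versions, which is the quickest check that no older transitive copy survived.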

I am also interested in BOM. Are you interested in patches?

alshopov avatar Nov 06 '23 13:11 alshopov

This would be very helpful, as it is very easy to run into NoClassDefFoundError and similar as you upgrade the BouncyCastle components which you depend on, while other libraries in your graph typically depend on earlier versions which are not compatible.

runeflobakk avatar Apr 26 '24 10:04 runeflobakk