SSH.NET
SSH.NET copied to clipboard
sshnet
Third party libraries
Does anyone know why SSH.NET uses copies of third-party libraries:
- BouncyCastle: Based on Version 1.8.3 from http://www.bouncycastle.org/csharp/ (currently there is 2.2.1)
- Chaos.NaCl: https://github.com/CodesInChaos/Chaos.NaCl/commit/2c861348dc45369508e718aa08611c53b53553db
source of information: https://github.com/sshnet/SSH.NET/pull/496#issuecomment-573557849
I wonder if it would be better to use Nuget. We would receive security updates, bug fixes, and optimizations.
I looked through the code coverage and for the most part, the copied code is not covered by tests.
@scott-xu @Rob-Hague @drieseng @jacobslusser
I don't know why it was copied, but one possible explanation and downside of using the nuget package: the bouncycastle binary is nearly 7 megabytes.
The size wouldn't be a blocker for me (I would prefer the nuget). I imagine we wouldn't need Chaos.NaCl: I think bouncycastle could be used for Ed25519
I looked through the code coverage and for the most part, the copied code is not covered by tests.
Most of the internal code is unused: #1140
@WojciechNagorski, I think you raise an excellent question. If we are counting votes, I would be in favor of using the third-party nuget packages instead of copying the code.
At that time there were no usable NuGets (Chaos.NaCl still hasnt) and BouncyCastle is a huge bloat we just needed a very small part of. Thats why we went the route to import only needed stuff.
I'm ok with switching to NuGet.
I suppose the reasons for including the source code were:
- Reduce the number of - direct or indirect - dependencies to the absolute minimum hereby avoid dll/assembly hell.
- Reduce the on-disk foodprint of SSH.NET.
- Support for legacy target frameworks.
Perhaps the last one was - at that time - the most important reason.
The BouncyCastle code has been removed. I think we can get rid of Chaos.NaCI now.