bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

Publish a Bill of Materials to Maven #899

Open OrangeDog opened 3 years ago

OrangeDog commented 3 years ago

To aid large projects who have multiple transient dependencies on BC, you could publish a BOM to maven to cover all components at the same version. e.g.:

<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.bouncycastle</groupId>
  <artifactId>bcall</artifactId>
  <version>1.68</version>
  <!-- A BOM is a POM-only artifact: nothing is compiled or packaged. -->
  <packaging>pom</packaging>

  <dependencyManagement>
    <dependencies>
      <!-- Every component pinned to the BOM's own version. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk15on</artifactId>
        <version>${project.version}</version>
      </dependency>
      <!-- etc. -->
    </dependencies>
  </dependencyManagement>
</project>

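
How a downstream project would consume such a BOM, as an added example that is not part of this issue or of bc-java: the `org.bouncycastle:bcall` coordinates are the hypothetical ones from the proposal above (no such artifact is published), and `com.example:some-library` is a constructed stand-in for any dependency that drags in an older `bcprov-jdk15on` transitively. Importing the BOM into `dependencyManagement` makes every Bouncy Castle artifact, direct or transitive, resolve to the same version.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <groupId>com.example</groupId>
  <artifactId>consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Single place to move all Bouncy Castle components together. -->
    <bouncycastle.version>1.68</bouncycastle.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Hypothetical BOM from the proposal; "bcall" is not a published artifact.
           type=pom + scope=import copies its dependencyManagement into this POM. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcall</artifactId>
        <version>${bouncycastle.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No version element: it comes from the imported BOM. -->
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk15on</artifactId>
    </dependency>
    <!-- Constructed library that itself depends on an older bcprov-jdk15on.
         Managed versions take precedence over transitive ones, so the BOM's
         bcprov-jdk15on is the one that reaches the classpath, not the older one. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-library</artifactId>
      <version>2.0.0</version>
    </dependency>
  </dependencies>
</project>
```

After the import, `mvn dependency:tree -Dincludes=org.bouncycastle` should list every Bouncy Castle artifact at the managed version; any entry at a different version means it is reaching the build through a path the BOM does not cover (for example a dependency declared with an explicit version in a plugin or profile).
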
bjmi commented 2 years ago

Other existing examples:

OrangeDog commented 1 year ago

This would also help when some components get patches but others don't.

e.g. version 1.72.2 of the BOM would contain 1.72.2 of bcpg but 1.72 of all the others.

alshopov commented 8 months ago

I am also interested in BOM. Are you interested in patches?

runeflobakk commented 2 months ago

This would be very helpful, as it is very easy to run into NoClassDefFoundError and similar as you upgrade the BouncyCastle components which you depend on, and other libraries in your graph depend typically on earlier versions which are not compatible.
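
The version skew described in this comment (one library requesting an older Bouncy Castle artifact than another, with Maven's nearest-wins resolution deciding which one loads) can be surfaced at build time rather than as a runtime `NoClassDefFoundError`. The following is an added example, not from this issue or from bc-java, using the Maven Enforcer plugin's `dependencyConvergence` rule; the plugin version shown is an assumption and should be replaced with the current release.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- Assumed version; pick the current release. -->
      <version>3.4.1</version>
      <executions>
        <execution>
          <id>fail-on-dependency-version-skew</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <!-- Fails the build when the same artifact is requested at two
                   different versions anywhere in the graph, e.g. bcprov-jdk15on
                   1.70 through one library and 1.72 through another, instead of
                   letting nearest-wins silently choose one of them. -->
              <dependencyConvergence/>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The rule only knows that one artifact was requested at two versions; it cannot tell that `bcpkix-jdk15on` 1.72 paired with `bcprov-jdk15on` 1.70 is a mismatched set, which is exactly the relationship a BOM would express. It is therefore a detector for the symptom, and a BOM imported into `dependencyManagement` is the fix that makes the convergence errors go away.
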

OrangeDog commented 1 month ago

You could use this plugin to generate them automatically: https://github.com/sundrio/sundrio/tree/main/maven-plugin