Third party libraries

[WojciechNagorski]

Does anyone know why SSH.NET uses copies of third-party libraries:

• BouncyCastle: Based on Version 1.8.3 from http://www.bouncycastle.org/csharp/ (currently there is 2.2.1)
• Chaos.NaCl: https://github.com/CodesInChaos/Chaos.NaCl/commit/2c861348dc45369508e718aa08611c53b53553db

source of information: https://github.com/sshnet/SSH.NET/pull/496#issuecomment-573557849

I wonder if it would be better to use Nuget. We would receive security updates, bug fixes, and optimizations.

I looked through the code coverage and for the most part, the copied code is not covered by tests.

@scott-xu @Rob-Hague @drieseng @jacobslusser

[Rob-Hague]

I don't know why it was copied, but one possible explanation and downside of using the nuget package: the bouncycastle binary is nearly 7 megabytes.

The size wouldn't be a blocker for me (I would prefer the nuget). I imagine we wouldn't need Chaos.NaCl: I think bouncycastle could be used for Ed25519

I looked through the code coverage and for the most part, the copied code is not covered by tests.

Most of the internal code is unused: #1140

[Rob-Hague]

cc @darinkes

[jacobslusser]

@WojciechNagorski, I think you raise an excellent question. If we are counting votes, I would be in favor of using the third-party nuget packages instead of copying the code.

[darinkes]

At that time there were no usable NuGets (Chaos.NaCl still hasnt) and BouncyCastle is a huge bloat we just needed a very small part of. Thats why we went the route to import only needed stuff.

[drieseng]

I'm ok with switching to NuGet.

I suppose the reasons for including the source code were:

• Reduce the number of - direct or indirect - dependencies to the absolute minimum hereby avoid dll/assembly hell.
• Reduce the on-disk foodprint of SSH.NET.
• Support for legacy target frameworks.

Perhaps the last one was - at that time - the most important reason.