-
-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tuweni project appears to be unmaintained, switch to other options? #177
Comments
Thanks for submitting your first issue, we will have a look as quickly as possible. |
@ghsa-retrieval correct we need to move away from Tuweni. Do you have interest in picking this up? |
@nbaars I would be interested in this. Replacing the library could be challenging though, as we need to ensure that it remains fully compatible with how libsodium works. |
@robertguetzkow would be great if you can pick this up! let me know if you need any help. |
@nbaars I'll give it a try. What would be your preferred approach, should we use a specific provider (like Bouncy Castle) or just implement generically against JCA? The decision may have impact on the minimum required Java version to support all cryptographic algorithms. |
Using a specific provider is fine. Bouncycastle is already used in the project. |
Will do. Currently quite busy at work though, so it might take a bit until I can implement it. |
I'm starting to map out what changes are needed and in particular how libsodium and Bouncy Castle implement their Ed25519. I need to check whether or not we can ensure that the validation rejects the same inputs, e.g. libsodium performs small-order checks. |
Is your feature request related to a problem? Please describe.
The Tuweni project appears to be abandoned, with the Apache Incubator repository being archived. A fork by the original author exists, but besides one version it has also not seen any updates. Without maintenance of the library this could lead to bugs and vulnerabilities not getting addressed.
Describe the solution you'd like
Perhaps switching to BouncyCastle or other libraries might be an option.
Describe alternatives you've considered
None
Additional context
The text was updated successfully, but these errors were encountered: