Third party libraries

[WojciechNagorski]

Does anyone know why SSH.NET uses copies of third-party libraries:

• BouncyCastle: Based on Version 1.8.3 from http://www.bouncycastle.org/csharp/ (currently there is 2.2.1)
• Chaos.NaCl: CodesInChaos/Chaos.NaCl@2c86134

source of information: #496 (comment)

I wonder if it would be better to use Nuget. We would receive security updates, bug fixes, and optimizations.

I looked through the code coverage and for the most part, the copied code is not covered by tests.

@scott-xu @Rob-Hague @drieseng @jacobslusser

[Rob-Hague]

I don't know why it was copied, but one possible explanation and downside of using the nuget package: the bouncycastle binary is nearly 7 megabytes.

The size wouldn't be a blocker for me (I would prefer the nuget). I imagine we wouldn't need Chaos.NaCl: I think bouncycastle could be used for Ed25519

I looked through the code coverage and for the most part, the copied code is not covered by tests.

Most of the internal code is unused: #1140

[Rob-Hague]

cc @darinkes

[jacobslusser]

@WojciechNagorski, I think you raise an excellent question. If we are counting votes, I would be in favor of using the third-party nuget packages instead of copying the code.

[darinkes]

At that time there were no usable NuGets (Chaos.NaCl still hasnt) and BouncyCastle is a huge bloat we just needed a very small part of. Thats why we went the route to import only needed stuff.

[drieseng]

I'm ok with switching to NuGet.

I suppose the reasons for including the source code were:

• Reduce the number of - direct or indirect - dependencies to the absolute minimum hereby avoid dll/assembly hell.
• Reduce the on-disk foodprint of SSH.NET.
• Support for legacy target frameworks.

Perhaps the last one was - at that time - the most important reason.