[ https://issues.redhat.com/browse/WFLY-14287?page=com.atlassian.jira.plugi... ] Radoslav Ivanov edited comment on WFLY-14287 at 1/20/21 11:20 PM: ------------------------------------------------------------------ [~brian.stansberry], thanks for the reply and detailed explanation. I pretty well understand those about foodprint, independence, compatibility, etc. So I will understand if you reject changes. Anyway, I would like to share some food for thought in a scenario and hopefully we can find a solution for it in the future. Let say we have a critical CVE (CVE-2020-28052 in bouncycastle). It is tricky to update the duplicate module only and not the private one for no newer WildFly (WF) reasons. Sometimes, for security reasons WF users may take the risk to depend on a private module and update it (after some regression testing) instead of running on vulnerable along with another updated version of bouncycastle. was (Author: rady66): [~brian.stansberry], thanks for the reply and detailed explanation. I pretty well understand those about foodprint, independence, compatibility, etc. So I will understand if you reject changes. Anyway, I would like to share some food for thought in a scenario and hopefully we can find a solution for it in the future. Let say we have a critical CVE-2020-28052 in bouncycastle. It is tricky to not update the private (duplicate) older version until you get a newer WildFly (WF). Sometimes, for security reasons WF users may take the risk to depend on a private module and update it (after some regression testing) instead of running on vulnerable along with another updated version of bouncycastle. -- This message was sent by Atlassian Jira (v8.13.1#813001)