A Reflection: Compliance, Security, and the new world of Multi-release Jars with Bouncy Castle (S23a)
As more limits get introduced on the use of reflection in Java, Java 9 saw the introduction of multi-release jar files. These class archive files allow a JVM to dynamically choose the versions of classes that are used when a jar file is loaded. While this means it is easy to incorporate features from new JVMs, for a project that provides multi-JVM FIPS support, like Bouncy Castle, it raises questions about how to manage development and testing, minimize duplication, and ensure that, for the FIPS artifact, all versions are secure and equal.