[ 
https://issues.apache.org/jira/browse/XALANJ-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17831612#comment-17831612
 ] 

Joe Kesselman commented on XALANJ-2436:
---------------------------------------

Uhm. If we rename, that avoids our being vulnerable to getting the wrong 
version but makes deliberately overriding with a newer version harder. (Not 
impossible but it requires mucking with the jarfile.)

If we don't, we block someone else's needing a version we have issues with, 
should that ever arise. And it's possible to create a case where dependencies 
are intertwined such that there is no way for everyone to get exactly what they 
want without separate class loaders.

I agree that the Endorsed case should no longer be an issue -- but that was 
achieved precisely by shading Sun's copy of Xalan and having a runtime 
selection of the proper package via a factory, so we could continue to use the 
"native" org.apache packages.

Basically, if you have runtime linking via the classpaths you are going to have 
exposures and have to decide which is least objectionable. The clean answers 
are either that we don't bundle the dependencies into our jarfile, or that we 
do so but rename as private copies, or we go full private loaders such as OSGi.

I'm not wild about any of them. It's very much a matter of least-worst. I'm 
open to arguments. But we might want to take that debate to the list, shelving 
this work item pending consensus...

> Xalan must not expose bundled classes (bcel, regexp)
> ----------------------------------------------------
>
>                 Key: XALANJ-2436
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2436
>             Project: XalanJ2
>          Issue Type: Bug
>          Components: Xalan
>    Affects Versions: 2.7.1
>         Environment: any
>            Reporter: Holger Hoffstätte
>            Assignee: Joseph Kesselman
>            Priority: Critical
>         Attachments: XALAN-2436.patch, rewrite-packages.rules
>
>
> I just spent the better part of half a day figuring out what caused the 
> problem outlined in 
> https://sourceforge.net/tracker/?func=detail&atid=614693&aid=1902137&group_id=96405.
> Xalan bundles regexp and bcel, however since one of the recommended ways of 
> installing xalan is via the endorsed mechanism this will wreak serious havoc 
> on any other apps that use bcel. That would be less of a problem if xalan's 
> version were up to date, but as of 2.7.1 it still includes a version from the 
> early stone age (see XALANJ-2423). The solution is easy: when building the 
> aggregate jar, add an ant task to rewrite the bundled packages via jarjar 
> (http://code.google.com/p/jarjar/). This can be trivially added to the build 
> and creates a completely self-contained xalan jar that will not blow up the 
> world when endorsed.
> I will attach a trivial rule file for jarjar that rewrites the embedded 
> packages which should immediately fix any collision problems. For more 
> information about how to use jarjar, see 
> http://code.google.com/p/jarjar/wiki/GettingStarted



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
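
The collision discussed in this thread can be checked mechanically. The following is an added example, not part of the thread or of Xalan's build: it lists classes that more than one jar on a flat classpath defines, in classpath order, so the first jar named is the copy that would be loaded. The jar names, the sample class lists and the `org.apache.xalan.shaded.` prefix are constructed assumptions.

```python
import io
import zipfile
from collections import defaultdict


def make_jar(class_names):
    """Build an in-memory jar holding empty .class entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in class_names:
            zf.writestr(name.replace(".", "/") + ".class", b"")
    buf.seek(0)
    return buf


def find_collisions(classpath):
    """classpath: ordered list of (jar_name, path or file-like object).

    Returns {class_name: [jar names in classpath order]} for every class that
    more than one jar defines. With a single flat class loader the first jar
    listed supplies the class and the later copies are silently shadowed.
    """
    owners = defaultdict(list)
    for jar_name, jar in classpath:
        with zipfile.ZipFile(jar) as zf:
            for entry in zf.namelist():
                if entry.endswith(".class"):
                    owners[entry[:-len(".class")].replace("/", ".")].append(jar_name)
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}


def sample_classpath(shaded):
    """Constructed classpath: an aggregate xalan.jar ahead of a standalone BCEL jar."""
    # Hypothetical private prefix standing in for whatever a rename rule would use.
    prefix = "org.apache.xalan.shaded." if shaded else "org.apache."
    xalan = make_jar([
        "org.apache.xalan.Version",
        prefix + "bcel.classfile.JavaClass",
        prefix + "regexp.RE",
    ])
    bcel = make_jar(["org.apache.bcel.classfile.JavaClass", "org.apache.bcel.Repository"])
    return [("xalan.jar", xalan), ("bcel-newer.jar", bcel)]


if __name__ == "__main__":
    for shaded in (False, True):
        label = "renamed" if shaded else "bundled as-is"
        print(label, find_collisions(sample_classpath(shaded)))
```

Passing real jar paths in deployment order gives the same report for an actual classpath or endorsed directory.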
