[
https://issues.apache.org/jira/browse/SOLR-16048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496702#comment-17496702
]
Jan Høydahl commented on SOLR-16048:
------------------------------------
Looks like it was mainly javax.servlet classes and other things that would
conflict with Jetty that was unwanted. Not sure there is a difference whether
solr is loaded as an (unpacked) war or a .war file, I think we still don't want
such jars to sneak into WEB-INF/lib, and probably not into modules either.
I thought it may have a licensing side to it, since JDK classes in javax. would
likely not be OK for us to redistribute. Javax.servlet-api is CDDL and allowed.
It may also be another situation with JDK11 than with JDK8, since JDK8 included
e.g. javax.annotation while JDK9+ does not.
[~uschindler] what is your take on this javax check? Can we get rid of it, or
should we keep it but narrow it in to packages that would clash with JDK11
only? And can we move the check to compile-time instead of smoketester?
> Examine Tika dependencies that brought in javax classes
> -------------------------------------------------------
>
> Key: SOLR-16048
> URL: https://issues.apache.org/jira/browse/SOLR-16048
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: contrib - Solr Cell (Tika extraction)
> Reporter: Kevin Risden
> Priority: Major
>
> SOLR-15989 Tika 1.28.1 upgrade brought in some javax packaged classes which
> [~janhoy] caught with the smoketester. Details from [~janhoy] in SOLR-15989:
> {quote}This upgrade adds many parsers and dependencies. I ran the
> smoketester, which introspects every jar looking for illegal "java.{*}" and
> "javax.{*}" class files. These libararies were flagged by the smoke tester:
> {code:java}
> modules/extraction/lib/unit-api-1.0.jar" contains sheisty class
> "javax/measure/Dimension.class"
> modules/extraction/lib/jakarta.activation-1.2.2.jar" contains sheisty class
> "javax/activation/CommandInfo$Beans$1.class"
> modules/extraction/lib/jakarta.annotation-api-1.3.5.jar" contains sheisty
> class "javax/annotation/security/PermitAll.class"
> jakarta.xml.bind-api:2.3.3 {code}
> I believes all jakarta libs are OK license wise, but strangely they use the
> javax.xxx namespace instead of jakarta.xxx. The Units API (javax.measure.xxx)
> seems to be in the same category, that it is a JSR implemented with an
> allowed license.
> We have excluded several annotation jars elsewhere, that's why I raise this
> here.
> I assume the correct action is to make exceptions for these pacakges in the
> smoke tester. Any other insight?{quote}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
