[ 
https://issues.apache.org/jira/browse/SOLR-16048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496716#comment-17496716
 ] 

Uwe Schindler commented on SOLR-16048:
--------------------------------------

Hi,
The check is still correct. We should not import another servlet-jar file into 
the webapplication or outside. So the javax check is mostly to prevent such 
problems. It is not only because of webapplications. The main reason is also 
that many 3rd party libraries like XALAN, XERCES were written for older JDK 
versions and because of that bundled some javax classes which are shipped with 
JDK as dependency. As we are now on Java 11, we should really really review all 
of those javax packages and figure out if they are already part of JDK and 
remove them as exclusion or mark the dependency as "provided" in "Maven speak".

I think the javax.measure should be put on a whitelist. In short: Keep the 
check, but open issue and investigate each "newcomer" if it warrants a 
whitelisting. But please do not allow: "oh a new dependency... I have no idea, 
let's get this PR in, I put it on whitelist!"

The annotation jars should be checked especially: Mostly those are not needed 
at runtime, unless the annotation is a runtime annotation. So most 
"{{@NonNull}}" libs can safely be excluded. Often those dependencies are a bug 
in the lib (should be changed to compile only, but not runtime).

> Examine Tika dependencies that brought in javax classes
> -------------------------------------------------------
>
>                 Key: SOLR-16048
>                 URL: https://issues.apache.org/jira/browse/SOLR-16048
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: contrib - Solr Cell (Tika extraction)
>            Reporter: Kevin Risden
>            Priority: Major
>
> SOLR-15989 Tika 1.28.1 upgrade brought in some javax packaged classes which 
> [~janhoy] caught with the smoketester. Details from [~janhoy] in SOLR-15989:
> {quote}This upgrade adds many parsers and dependencies. I ran the 
> smoketester, which introspects every jar looking for illegal "java.{*}" and 
> "javax.{*}" class files. These libraries were flagged by the smoke tester:
> {code:java}
> modules/extraction/lib/unit-api-1.0.jar" contains sheisty class "javax/measure/Dimension.class"
> modules/extraction/lib/jakarta.activation-1.2.2.jar" contains sheisty class "javax/activation/CommandInfo$Beans$1.class"
> modules/extraction/lib/jakarta.annotation-api-1.3.5.jar" contains sheisty class "javax/annotation/security/PermitAll.class"
> jakarta.xml.bind-api:2.3.3
> {code}
> I believe all jakarta libs are OK license wise, but strangely they use the 
> javax.xxx namespace instead of jakarta.xxx. The Units API (javax.measure.xxx) 
> seems to be in the same category, that it is a JSR implemented with an 
> allowed license.
> We have excluded several annotation jars elsewhere, that's why I raise this 
> here.
> I assume the correct action is to make exceptions for these packages in the 
> smoke tester. Any other insight?{quote}



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
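The jar check discussed in this thread, as an added example that is not the Solr smoketester's own code: it walks a lib directory, flags every `.class` entry under `java/` or `javax/` in each jar, and skips package prefixes on a reviewed allowlist (the `javax/measure/` entry and its issue reference are assumptions modelled on the discussion above; the sample jars are constructed fixtures).

```python
import tempfile
import zipfile
from pathlib import Path

# Namespaces the JDK itself provides; a third-party jar shipping classes here
# shadows JDK classes, which is what the smoketester calls "sheisty".
FORBIDDEN_PREFIXES = ("java/", "javax/")

# Reviewed exceptions, each tied to the issue that justified it (assumed entry).
DEFAULT_ALLOWLIST = {"javax/measure/": "SOLR-16048"}


def find_sheisty_classes(jar_path, allowlist=DEFAULT_ALLOWLIST):
    """Return .class entries under java/ or javax/ that no allowlisted prefix covers."""
    flagged = []
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue
            if not name.startswith(FORBIDDEN_PREFIXES):
                continue
            if any(name.startswith(ok) for ok in allowlist):
                continue
            flagged.append(name)
    return flagged


def scan_lib_dir(lib_dir, allowlist=DEFAULT_ALLOWLIST):
    """Map each offending jar under lib_dir to its sheisty classes; clean jars are omitted."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        hits = find_sheisty_classes(jar, allowlist)
        if hits:
            report[jar.name] = hits
    return report


def make_sample_jar(path, entries):
    """Constructed fixture: a jar whose entries are empty files with the given names."""
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(Path(tmp) / "unit-api-1.0.jar", ["javax/measure/Dimension.class"])
        make_sample_jar(Path(tmp) / "jakarta.activation-1.2.2.jar",
                        ["javax/activation/CommandInfo$Beans$1.class", "META-INF/MANIFEST.MF"])
        for jar_name, classes in scan_lib_dir(tmp).items():
            for cls in classes:
                print(f'"{jar_name}" contains sheisty class "{cls}"')
```

Run against a real `modules/extraction/lib` directory, the allowlisted jar stays silent while the activation jar is reported, which is the split the comment above argues for: keep the check, and add exceptions only per reviewed package.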