[
https://issues.apache.org/jira/browse/SOLR-16048?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17496774#comment-17496774
]
Jan Høydahl commented on SOLR-16048:
------------------------------------
I suspect that the extraction module does not have sufficient tests to exercise
all the parsers, and their dependencies, thus if we exclude all the jakarta
libs in gradle, we'll never know what breaks during extraction/parsing.
OpenJDK11 does not seem to clash with any of these javax namespaces. I agree
on a whitelist-when-needed approach. But is it safe to exclude the three
jakarta jars, or should we keep JAXB?
Here is the dependency graph of current main:
[https://gist.github.com/janhoy/c322197ae803991626e8be09420ef1a4]
> Examine Tika dependencies that brought in javax classes
> -------------------------------------------------------
>
> Key: SOLR-16048
> URL: https://issues.apache.org/jira/browse/SOLR-16048
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: contrib - Solr Cell (Tika extraction)
> Reporter: Kevin Risden
> Priority: Major
>
> SOLR-15989 Tika 1.28.1 upgrade brought in some javax packaged classes which
> [~janhoy] caught with the smoketester. Details from [~janhoy] in SOLR-15989:
> {quote}This upgrade adds many parsers and dependencies. I ran the
> smoketester, which introspects every jar looking for illegal "java.{*}" and
> "javax.{*}" class files. These libraries were flagged by the smoke tester:
> {code:java}
> modules/extraction/lib/unit-api-1.0.jar" contains sheisty class
> "javax/measure/Dimension.class"
> modules/extraction/lib/jakarta.activation-1.2.2.jar" contains sheisty class
> "javax/activation/CommandInfo$Beans$1.class"
> modules/extraction/lib/jakarta.annotation-api-1.3.5.jar" contains sheisty
> class "javax/annotation/security/PermitAll.class"
> jakarta.xml.bind-api:2.3.3 {code}
> I believe all jakarta libs are OK license-wise, but strangely they use the
> javax.xxx namespace instead of jakarta.xxx. The Units API (javax.measure.xxx)
> seems to be in the same category, that it is a JSR implemented with an
> allowed license.
> We have excluded several annotation jars elsewhere, that's why I raise this
> here.
> I assume the correct action is to make exceptions for these packages in the
> smoke tester. Any other insight?{quote}
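The check described in the quoted issue (introspect every jar for class files under `java/` or `javax/`, with exceptions added only when needed) can be sketched as follows. This is an added example, not Solr's smoke tester code and not from the thread; the `ALLOWLIST` entry, the multi-release handling, and the jar contents are assumptions made for illustration.

```python
import io
import zipfile

RESERVED_ROOTS = ("java/", "javax/")
# Assumption: illustrative exception list keyed by jar-name prefix, so an
# exception for one artifact does not cover the same package in another jar.
ALLOWLIST = {"unit-api-": ("javax/measure/",)}

def logical_path(entry):
    """Strip the multi-release prefix META-INF/versions/<n>/ if present."""
    if entry.startswith("META-INF/versions/"):
        parts = entry.split("/", 3)
        if len(parts) == 4:
            return parts[3]
    return entry

def scan_jar(jar_name, jar_bytes, allowlist=ALLOWLIST):
    """Return (jar, entry) pairs for class files in reserved namespaces."""
    allowed = tuple(p for prefix, pkgs in allowlist.items()
                    if jar_name.startswith(prefix) for p in pkgs)
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            path = logical_path(entry)
            if path.startswith(RESERVED_ROOTS) and not path.startswith(allowed):
                findings.append((jar_name, entry))
    return findings

def make_jar(entries):
    """Build an in-memory jar with empty entries (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")
    return buf.getvalue()

# Jar and class names are those in the smoke tester output quoted above; the
# jar contents and the multi-release jar are constructed for this example.
SAMPLE_JARS = {
    "unit-api-1.0.jar": make_jar(["javax/measure/Dimension.class"]),
    "jakarta.activation-1.2.2.jar": make_jar(
        ["META-INF/MANIFEST.MF", "javax/activation/CommandInfo$Beans$1.class"]),
    "jakarta.annotation-api-1.3.5.jar": make_jar(
        ["javax/annotation/security/PermitAll.class"]),
    "constructed-mr.jar": make_jar(
        ["org/example/A.class", "META-INF/versions/9/javax/example/B.class"]),
}

def scan_all(jars, allowlist=ALLOWLIST):
    return [f for name in sorted(jars) for f in scan_jar(name, jars[name], allowlist)]
```

Scoping each exception to a jar-name prefix keeps an allowlisted package from silently covering the same namespace when it shows up in a different dependency.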