On Fri, Jan 21, 2011 at 10:06:21AM +0100, Thierry Vignaud wrote:
> On 21 January 2011 00:01, nicolas vigier <[email protected]> wrote:
> >> Shipping binary jars given by upstream tarballs causes trouble because you
> >> 1) cannot patch them in case of bug
> >> 2) cannot see how and what was compiled
> >>
> >> That's not very free software friendly, and I think we should refuse
> >> that.
> >
> > I've already seen, while trying to package java apps, a jar being shipped,
> > but sources not available anywhere on the internet, except after
> > searching for a few hours on an old website on archive.org with a broken
> > link to the sources zip, and developers not aware of the issue, because
> > they never tried to find the sources, and always used this binary .jar
> > they found on a random web site.
>
> And they never thought about security...
Security is not a problem, it is java, no null pointer exception /o\. But that's not only security, there are simply bugs that happen, and API problems (that IMHO happen more often than security issues).

-- 
Michael Scherer
