On 13-09-30 5:40 PM, Mike Hommey wrote:
> Hi,
>
> It has just come to my attention that we're using some third party java
> libraries. At the very least, jmdns, commons-net, and robotium. There
> are two things that I'm concerned with.

These three are all things I consider to be "ateam", although that might not actually be correct. I'm not sure if any ateam Android folks watch this list; if you do, please chime in.

> While their license (Apache License 2.0) allows binary redistribution
> without the corresponding source (although there is a source jar for
> commons-net), shouldn't Mozilla redistribute the sources as well?

I know that Android background services (myself and rnewman) have been very careful to OK licenses for anything we want to include in the android-sync github repo and mozilla-central. I'm quite confident we have no Java source with incompatible licenses in either of our repositories.

> Independently of this kind of ethical problem, how do we ensure those
> pre-built java classes actually match the source they're supposed to be
> built from? Shouldn't we actually build them instead?

I would rather a checksum or md5 check against a shipped jar. Java's one of the few environments where it's not hard to ship a binary; why build everything when we don't have to?

I can see an argument that by not building the jars, we lose the ability to rebuild or upgrade the deps; but these deps are not getting updated frequently (!) and at least robotium delivers as a jar.

Nick
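
A checksum gate of the kind proposed above, as an added example that is not part of the original thread or of Mozilla's build system: it pins one SHA-256 digest per shipped jar (SHA-256 rather than MD5, since MD5 collisions are practical) and reports changed, missing and unpinned jars. The jar file names and directory layout are assumptions, and the jar contents are constructed sample bytes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large jars are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_jars(lib_dir: Path, pinned: dict) -> dict:
    """Compare every *.jar in lib_dir with the pinned SHA-256 digests.

    Returns jar names grouped as ok / mismatch / missing / unpinned.
    """
    report = {"ok": [], "mismatch": [], "missing": [], "unpinned": []}
    present = {p.name: p for p in sorted(lib_dir.glob("*.jar"))}
    for name, expected in sorted(pinned.items()):
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(present[name]) == expected.lower():
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    # A jar nobody pinned is as suspicious as one whose digest changed.
    report["unpinned"] = [n for n in present if n not in pinned]
    return report


def demo() -> dict:
    """Constructed sample: fake jar bytes in a temp dir, not real releases."""
    with tempfile.TemporaryDirectory() as tmp:
        libs = Path(tmp)
        # Hypothetical file names for the libraries named in the thread.
        (libs / "jmdns.jar").write_bytes(b"constructed jmdns bytes")
        (libs / "commons-net.jar").write_bytes(b"constructed commons-net bytes")
        pinned = {n: sha256_file(libs / n) for n in ("jmdns.jar", "commons-net.jar")}
        pinned["robotium.jar"] = "0" * 64                     # pinned, not shipped
        (libs / "commons-net.jar").write_bytes(b"tampered")   # changed after pinning
        (libs / "extra.jar").write_bytes(b"never reviewed")   # shipped, never pinned
        return verify_jars(libs, pinned)


if __name__ == "__main__":
    print(demo())
```

A matching digest shows that the shipped jar is the one that was pinned; it does not by itself show that the jar was built from the published source.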

_______________________________________________
mobile-firefox-dev mailing list
https://mail.mozilla.org/listinfo/mobile-firefox-dev
