Le 11/02/2014 21:22, Bastian Blank a écrit :

> Have you talked to the security team about this?  Where does Debian ship
> different versions of asm?

Debian has four versions of asm. Each version is incompatible with the
previous one, and they share the same namespace (org.objectweb.asm.*).
That means two versions can't coexist safely in the same classpath, this
is guaranteed to break at runtime. That's why widely used libraries like
cglib relocate the asm classes under a different namespace to avoid
conflicts (net.sf.cglib.asm.*).

I'm not sure to see why the security team would care about this though.

Emmanuel Bourg

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to