+------------------------------------------------------------------------------
| On Thursday, Jul 20, 2006 at 06:12:54PM +0200, Christian Weisgerber wrote:
| 
| To: [email protected]
| From: Christian Weisgerber <[EMAIL PROTECTED]>
| Date: Thu, 20 Jul 2006 18:12:54 +0200
| Subject: Java ports: source vs. binary?
| 
| We need some sort of policy how to deal with software written in
| Java.  We have a number of ports that are basically just wrappers
| that install pre-compiled Java byte code.  Additional ports in this
| style have been proposed.  Actual Java source may or may not be
| available, but it is certainly not used by the ports in question.
| 
| Some people--Marc Balmer has been very outspoken--dislike this
| approach, because we are just wrapping other people's binaries.
| Instead, ports should fetch the source and newly compile the code.
| The counter argument from the Java people is that Java byte code
| is machine-independent, compiling it afresh will just produce the
| very same binaries, adding build time for no gain.  An additional
| complication is that passing around binary archives seems well-accepted
| in the Java scene, posing problems of obtaining the actual source
| code and exploding dependency requirements.
| 
| How are we going to deal with this?
| 
| Some preliminary discussion at the last hackathon produced the
| opinion that even Java ports should be built from source by all
| means.  However, that discussion didn't include any of our porters
| who are interested in Java...  The source requirement may render
| various ports impossible or impracticably difficult.  We'll need to
| decide whether we put our foot down here.
| 
| -- 
| Christian "naddy" Weisgerber                          [EMAIL PROTECTED]

It would be nice to make people only have ports with source. Seems to go
against the whole "blob" thing to accept bytecode compiled Java. If there
was a policy and I had a vote, I'd say make source only a requirement.

Other than standing on the open source front for an argument, is there a
practical argument that relates to reality? How many people have time to
audit the Java code? Seems it is hard enough to just get a port reviewed and
committed as it is.

Java bytecode is easier to reverse than machine code, yet it is still blobby.
I think the option should be available for source auditing in the interest
of security, should it ever become needed or someone feels like auditing Java
ports for some reason and enforced by policy for ports. Very few Java
ports for things would not get added/submitted if I had to guess.

Java community is different from the UNIX C community, yet it shouldn't matter
in the interest of security, right? You should be able to audit and make changes
to the source if you wanted to, for whatever reason.

People will use whatever Java software they want anyways, just having OpenBSD
package it for them is handy. I personally would like to have the option 
available to me to view the source, should I ever want to some day. Having
OpenBSD package it up for and integrated into the package management system
is just a nice thing to have.

IMO, ports should follow the same goals as OpenBSD listed on goals.html, and
closed source Java bytecode doesn't seem to fit in there, especially with the
latest anti-blob campaign.

-Chris

-- 
a programmer with free time, sometimes.
