Bug#822091: libxmlbeans-java: Embeds classes without source
Control: severity -1 normal Control: tags -1 pending On 23.01.2017 23:11, Emmanuel Bourg wrote: > I got another look at this, and maybe it isn't as bad as we thought. The > piccolo jars in external/lib/ do not contain compiled .class files, but > only .java source files. The xmlbeans build unpacks them to > build/private/piccolo/src, changes the package to > org.apache.xmlbeans.impl.piccolo, and then compiles them. > > There are still a few jar files with compiled classes (junit, saxon, > jsr173, oldxbean) but they aren't used to build the package. So this is > more a matter of cleaning the upstream tarball of unnecessary files than > fixing a severe policy violation. Very well then, I let this one pass for once. ;) signature.asc Description: OpenPGP digital signature
Bug#822091: libxmlbeans-java: Embeds classes without source
I got another look at this, and maybe it isn't as bad as we thought. The piccolo jars in external/lib/ do not contain compiled .class files, but only .java source files. The xmlbeans build unpacks them to build/private/piccolo/src, changes the package to org.apache.xmlbeans.impl.piccolo, and then compiles them. There are still a few jar files with compiled classes (junit, saxon, jsr173, oldxbean) but they aren't used to build the package. So this is more a matter of cleaning the upstream tarball of unnecessary files than fixing a severe policy violation. Emmanuel Bourg
Bug#822091: libxmlbeans-java: Embeds classes without source
Le 21/04/2016 09:29, Markus Koschany a écrit : > While I was working on #820839, I discovered that the source package > ships external jar and zip files in external/. > > I tried to repack the tarball but then the package failed to build > from source. Apparently the build system requires the piccolo classes > and it also embeds them in the resulting xmlbeans.jar. Good catch. It looks like the jar was already embedded in the first upload 6 years ago. XMLBeans has an option to use an alternative XML parser (with XmlOptions.setLoadUseXMLReader()) but it's never used in Debian. So the Piccolo parser is indeed used. Piccolo is a rather old parser, I don't think it's worth packaging it. I suggest patching xmlbeans to use the standard JDK parser instead. Emmanuel Bourg
Bug#822091: libxmlbeans-java: Embeds classes without source
Package: libxmlbeans-java Version: 2.6.0-4 Severity: serious While I was working on #820839, I discovered that the source package ships external jar and zip files in external/. I tried to repack the tarball but then the package failed to build from source. Apparently the build system requires the piccolo classes and it also embeds them in the resulting xmlbeans.jar. This is bad on many levels and needs fixing. Markus -- System Information: Debian Release: stretch/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 4.5.0-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages libxmlbeans-java depends on: ii libxml-commons-resolver1.1-java 1.2-7 libxmlbeans-java recommends no packages. libxmlbeans-java suggests no packages. -- no debconf information
