Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread Emmanuel Bourg
I prepared an update of the cglib package on alioth: - The Built-Using field has been added - debian/copyright now mentions the inclusion of the asm classes - the asm license file is now included in cglib-nodep.jar like the jar distributed by upstream Tony, could you please upload this update if

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread Bastian Blank
On Tue, Feb 11, 2014 at 08:10:28AM +0100, Emmanuel Bourg wrote: On 11/02/2014 05:16, tony mancill wrote: Instead of Built-Using or updating debian/copyright, it seems preferable to refactor the source to use the actual libasm3-java JAR, although I haven't yet looked into how much effort

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread Emmanuel Bourg
On 11/02/2014 21:22, Bastian Blank wrote: Have you talked to the security team about this? Where does Debian ship different versions of asm? Debian has four versions of asm. Each version is incompatible with the previous one, and they share the same namespace (org.objectweb.asm.*). That

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread tony mancill
On 02/11/2014 04:29 AM, Emmanuel Bourg wrote: I prepared an update of the cglib package on alioth: - The Built-Using field has been added - debian/copyright now mentions the inclusion of the asm classes - the asm license file is now included in cglib-nodep.jar like the jar distributed by

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread Emmanuel Bourg
On 12/02/2014 06:31, tony mancill wrote: The attribution looks appropriate to me. I changed the version number to we're not uploading a new upstream source version just to switch to XZ compression. That'll take effect with the next upstream upload (or repack, if that ends up being

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-11 Thread tony mancill
On 02/11/2014 10:58 PM, Emmanuel Bourg wrote: On 12/02/2014 06:31, tony mancill wrote: The attribution looks appropriate to me. I changed the version number to we're not uploading a new upstream source version just to switch to XZ compression. That'll take effect with the next upstream

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-10 Thread Bastian Blank
Package: libcglib-java Version: 2.2.2+dfsg-5 Severity: serious libcglib-java uses jarjar to incorporate libasm3-java. It does this without mentioning the license of the incorporated stuff or even listing it as Built-Using. Bastian -- System Information: Debian Release: jessie/sid APT prefers

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-10 Thread tony mancill
On 02/10/2014 12:54 PM, Bastian Blank wrote: Package: libcglib-java Version: 2.2.2+dfsg-5 Severity: serious libcglib-java uses jarjar to incorporate libasm3-java. It does this without mentioning the license of the incorporated stuff or even listing it as Built-Using. Hi Bastian, Thanks

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-10 Thread Bastian Blank
On Mon, Feb 10, 2014 at 08:16:10PM -0800, tony mancill wrote: Instead of Built-Using or updating debian/copyright, it seems preferable to refactor the source to use the actual libasm3-java JAR, although I haven't yet looked into how much effort that will require. cglib internally builds both

Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using

2014-02-10 Thread Emmanuel Bourg
On 11/02/2014 05:16, tony mancill wrote: Instead of Built-Using or updating debian/copyright, it seems preferable to refactor the source to use the actual libasm3-java JAR, although I haven't yet looked into how much effort that will require. Please don't depend on asm3 at runtime. jarjar