Binary JAR files in release from tools/ and extensions/ folders #268

Open
Lupphes opened this issue Jul 17, 2024 · 4 comments

Lupphes commented Jul 17, 2024

While updating a license for the Fedora package docbook5-style-xsl, the legal team discovered that we were unintentionally packaging multiple JAR binaries from the package's tools/ folder.

The binary files are downloaded from the repository and then packed with RPM, which is shipped.

In the past, this problem was present just for the folder extensions/, which is not packaged into Fedora (if statement in the spec file). However, after closer inspection, we found the tools/ folder and two additional files, which do not present a problem.
All binaries listed:

$ grep -rIL .  | grep -vE '\.png|\.pdf|\.gif|\.tif|\.ico|\.jpg|\.bmp'
extensions/lucene-analyzers-3.0.0.jar
extensions/xalan27.jar
extensions/saxon65.jar
extensions/lucene-core-3.0.0.jar
extensions/tagsoup-1.2.1.jar
extensions/webhelpindexer.jar
tools/lib/calabash.jar
tools/lib/saxon.jar
tools/lib/isorelax.jar
tools/lib/xalan/xsltc.jar
tools/lib/xalan/xalan.jar
tools/lib/xalan/serializer.jar
tools/lib/saxon9he.jar
tools/lib/commons-codec-1.3.jar
tools/lib/jing.jar
tools/lib/ant-contrib-1.0b3.jar
tools/lib/xml-apis.jar
tools/lib/commons-logging-1.1.1.jar
tools/lib/saxon9-ant.jar
tools/lib/jython.jar
tools/lib/xmlresolver.jar
tools/lib/commons-httpclient-3.1.jar
tools/lib/xercesImpl.jar
slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

These files:

slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

can probably be easily removed, as slidy.js.gz is just an accidental archive and template.dot is a text document's preamble. The rest of the files are JAR binary files.

The final JAR files should not be shipped in the release, nor should there be a way to build them if required. Could you please provide some guidance on this?

Related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2260534
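A content-based variant of the `grep -rIL` check above, as an added example that is not part of the original issue or the project's own tooling: it identifies ZIP/JAR and gzip files by their magic bytes, so a renamed archive is still reported and images need no extension filter. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Classify a file by its leading magic bytes, not by its extension.
# Prints "zip" (the container format used by JAR files), "gzip", or nothing.
magic_type() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        504b0304*) echo zip ;;   # "PK\003\004" local file header
        1f8b*)     echo gzip ;;  # gzip member header
    esac
}

# List every prebuilt archive under a source tree as "type<TAB>relative/path",
# in a stable order so the output can be diffed between releases.
scan_prebuilt() {
    root=$1
    find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
        t=$(magic_type "$f")
        if [ -n "$t" ]; then
            printf '%s\t%s\n' "$t" "${f#"$root"/}"
        fi
    done
}

# Gate for a packaging or release job: returns 1 and prints the findings
# on stderr when the tree still contains prebuilt archives.
check_tree() {
    out=$(scan_prebuilt "$1")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out" >&2
    return 1
}

# Constructed sample tree (not the real release): one JAR, one JAR renamed
# to hide its extension, one gzip file and one plain-text stylesheet.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/tools/lib" "$d/slides" "$d/xsl"
    printf 'PK\003\004constructed-body' > "$d/tools/lib/example.jar"
    printf 'PK\003\004constructed-body' > "$d/tools/lib/renamed.dat"
    printf '\037\213\010\010constructed' > "$d/slides/script.js.gz"
    printf '<xsl:stylesheet/>\n' > "$d/xsl/docbook.xsl"
    echo "$d"
}
```

Run `check_tree` on the unpacked source tarball before building the package; a non-zero status means bundled archives still need to be removed or replaced by dependencies.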


ikerexxe commented Aug 5, 2024

If I understand the problem correctly, it is more of a packaging problem than a licensing problem. The jar files stored in the extensions/ and tools/ folders are already provided by other projects (i.e. xalan is provided by ant-apache-xalan2), so there is no need for this project to include them, but you should add them as dependencies to be installed.

@andreboscatto

Looking from a broader perspective, this problem is affecting many distributions, including Fedora, and several core projects, like PAM.

So having it fixed upstream instead of removing those files per distribution will help sanitize the state of the project and will avoid future issues when other distributions start complaining about this problem.


Lupphes commented Aug 6, 2024

I've done a bit of research on the packages.

Not all of the JAR files are from Oasis but from other 3rd-party companies/projects. Some of these packages are not even available in Fedora anymore as they are orphaned.

Files are in Fedora in a different package:

  1. extensions/lucene-analyzers-3.0.0.jar
    • Fedora Package: lucene-analysis-common
    • JAR: /usr/share/java/lucene/lucene-analysis-common.jar
    • Status: Verified
  2. extensions/xalan27.jar
    • Fedora Package: ant-apache-xalan2
    • JAR: /usr/share/java/ant/ant-apache-xalan2.jar
    • Status: Verified
  3. extensions/lucene-core-3.0.0.jar
    • Fedora Package: lucene-core
    • JAR: /usr/share/java/lucene/lucene-core.jar
    • Status: Verified
  4. extensions/tagsoup-1.2.1.jar
    • Fedora Package: tagsoup
    • JAR: /usr/share/java/tagsoup.jar
    • Status: Verified
  5. tools/lib/commons-codec-1.3.jar
    • Fedora Package: apache-commons-codec
    • JAR: /usr/share/java/commons-codec.jar
    • Status: Verified
  6. tools/lib/xml-apis.jar
    • Fedora Package: xml-commons-apis
    • JAR: /usr/share/java/xml-commons-apis.jar
    • Status: Verified
  7. tools/lib/commons-logging-1.1.1.jar
    • Fedora Package: apache-commons-logging
    • JAR: /usr/share/java/commons-logging.jar
    • Status: Verified
  8. tools/lib/xmlresolver.jar
    • Fedora Package: xml-commons-resolver
    • JAR: /usr/share/java/xml-commons-resolver.jar
    • Status: Verified
  9. tools/lib/xercesImpl.jar
    • Fedora Package: xerces-j2
    • JAR: /usr/share/java/xercesImpl.jar
    • Status: Verified
  10. tools/lib/xalan/xsltc.jar, tools/lib/xalan/xalan.jar, tools/lib/xalan/serializer.jar
    • Fedora Package: xalan-j2
    • JARs: /usr/share/java/xalan-j2.jar, /usr/share/java/xalan-j2-serializer.jar, /usr/share/java/jaxp_transform_impl.jar
    • Status: Verified
  11. tools/lib/ant-contrib-1.0b3.jar
    • Fedora Package: ant-contrib
    • JAR: /usr/share/java/ant-contrib.jar
    • Status: Verified

Orphaned Fedora Packages --- File was not in Fedora

  1. tools/lib/isorelax.jar
    • Fedora Package: isorelax
    • JAR: /usr/share/java/isorelax.jar
    • Status: Orphaned
  2. tools/lib/jing.jar
    • Fedora Package: jing
    • JAR: /usr/share/java/jing.jar
    • Status: Orphaned
  3. tools/lib/jython.jar
    • Fedora Package: jython
    • JAR: /usr/share/java/jython.jar
    • Status: Orphaned
  4. tools/lib/commons-httpclient-3.1.jar
    • Fedora Package: jakarta-commons-httpclient
    • JAR: /usr/share/java/commons-httpclient.jar
    • Status: Orphaned
  5. extensions/saxon65.jar
    • Fedora Package: saxon
    • Related JARs: /usr/share/java/saxon/saxon.jar, /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  6. tools/lib/saxon.jar
    • Fedora Package: saxon
    • Related JARs: /usr/share/java/saxon/saxon.jar, /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  7. tools/lib/saxon9he.jar
    • Fedora Package: saxon
    • JAR: /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  8. tools/lib/saxon9-ant.jar
    • Fedora Package: saxon
    • JAR: /usr/share/java/saxon/saxon9-ant.jar
    • Status: Orphaned

It needs to be Built from the Source

  1. extensions/webhelpindexer.jar
    • Status: Not available in Fedora; needs source
  2. tools/lib/calabash.jar


Lupphes commented Aug 6, 2024

Additionally, there are a few files that may also be packaged by accident:

slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

slides/slidy/graphics/nofold.bmp
slides/slidy/graphics/nofold-dim.bmp
slides/slidy/graphics/unfold.bmp
slides/slidy/graphics/fold-dim.bmp
slides/slidy/graphics/unfold-dim.bmp
slides/slidy/graphics/fold.bmp
doc/reference.txt.gz # Old release, probably already deleted

.bmp files, currently without a specified license, are used for howto documentation, such as the docbook-5.0/tools/db4-entities.pl script. Both of them should have their license verified.
