On 02/06/2014 12:34 PM, Aleksandar Kurtakov wrote:
The spec file is here:
<https://github.com/victims/victims-client-java/blob/master/victims-client-java.spec>
As you can see, I use the usual Maven packaging framework.
Bundling (and this is what your example is) is entirely forbidden - not just for Java but for everything.
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
Even though Maven calls this dependency type "bundle", it is not
bundling in the sense of the quoted page. The *sources* do not contain
copies of the library dependencies, neither in source form nor as
compiled classes. The guidelines cited above deal with what is
contained in source RPMs—it does not even mention static linking.
> Do we need to add special link to that page in java guidelines? I
don't think that adding links to all the generic guidelines would make
the java one better it would just make it bigger and harder to digest.
I see two problems: The guidelines do not explicitly deal with copying
class files between JARs (jarjar would be another option in this space).
Contrast this with static linking, which is covered here:
<https://fedoraproject.org/wiki/Packaging:Guidelines#Statically_Linking_Executables>
The other aspect is that the maven-local tools silently create
applications which are not complying with this (implicit so far) policy.
--
Florian Weimer / Red Hat Product Security Team
--
java-devel mailing list
java-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/java-devel
