----- Original Message -----
> From: "Florian Weimer" <fweimer@xxxxxxxxxx>
> To: "Aleksandar Kurtakov" <akurtako@xxxxxxxxxx>
> Cc: "Andrew Haley" <aph@xxxxxxxxxx>, "java-devel" <java-devel@xxxxxxxxxxxxxxxxxxxxxxx>
> Sent: Thursday, February 6, 2014 1:54:12 PM
> Subject: Re: Why no Class-Path manifest attribute?
>
> On 02/06/2014 12:34 PM, Aleksandar Kurtakov wrote:
>
> >> The spec file is here:
> >>
> >> <https://github.com/victims/victims-client-java/blob/master/victims-client-java.spec>
> >>
> >> As you can see, I use the usual Maven packaging framework.
> >
> > Bundling (and this is what your example is) is entirely forbidden - not
> > just for Java but for everything.
> >
> > https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries
>
> Even though Maven calls this dependency type "bundle", it is not
> bundling in the sense of the quoted page. The *sources* do not contain
> copies of the library dependencies, neither in source form nor as
> compiled classes. The guidelines cited above deal with what is
> contained in source RPMs—it does not even mention static linking.

I make perfect difference between bundle and bundling. What maven does is bundling libraries which is even against OSGi (what this is supposed to be) best practices. The fact that something is not in the source tarball but ends up in the final jar doesn't mean it's not bundled library, there are way too many ways to bundle to try getting a listing of them all.

From the problems listed on this page your example has - Security, Bugfixes and Old Code categories of problems present which makes it perfectly fit into the same category.

Not to mention what problem such packages cause to OSGi containers when people abuse maven bundle plugin to make it easy by totally unrelated OSGi bundles start to expose similar things to the container (in your case victims-client-java exposing maven-model).

No matter what would one say/think/decide about using Class-Path (I don't have strong opinion on it) using bundle plugin in the way you propose is recipe for disaster and we already fixed way too many problems in many packages caused by abusing of maven-bundle-plugin. It should *ONLY* be used when one knows that he wants to make an OSGi bundle and thus consider the effect his change would have on OSGi containers.

Alexander Kurtakov
Red Hat Eclipse Team

>
> > Do we need to add special link to that page in java guidelines? I
> don't think that adding links to all the generic guidelines would make
> the java one better it would just make it bigger and harder to digest.
>
> I see two problems: The guidelines do not explicitly deal with copying
> class files between JARs (jarjar would be another option in this space).
> Contrast this with static linking, which is covered here:
>
> <https://fedoraproject.org/wiki/Packaging:Guidelines#Statically_Linking_Executables>
>
> The other aspect is that the maven-local tools silently create
> applications which are not complying with this (implicit so far) policy.
>
> --
> Florian Weimer / Red Hat Product Security Team
>
--
java-devel mailing list
java-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/java-devel