[Fedora-packaging] java: building from source vs signed .jar's

Tom "spot" Callaway tcallawa at redhat.com
Mon Feb 18 17:13:00 UTC 2008


On Mon, 2008-02-18 at 08:04 -0600, Rex Dieter wrote:
> I've been approached by the devs of a GPL'd java app (www.geogebra.org),
> wanting my assistance wrt rpm packaging (and eventual inclusion in fedora I
> hope), but there's a snag.  They want (need) their java applet runnable over
> the web (webstart'able), and that means signed jars.  They proposed we
> simply package their prebuilt (and signed) .jars, but that is contrary to
> our usual "build from source" position.
> 
> So, the dilemma is
> 1. come up with packaging policy and mechanism for fedora to produce signed
> jars.  I raised this issue in the past, but we punted, since fedora, at the
> time, didn't include any java implementations that supported this.  icedtea
> changes that.
> 2. allow an exception to the "build from source" guideline for pregenerated,
> signed .jar's.
> 3. just say no
> 4. insert suggestion here.
> ...
> 99. profit! 

OK, so this is my stance:

* Unless Fedora can sign the jars that we build from source, this is a
showstopper.

We cannot permit pre-generated signed jars. I've seen too many
horrifying java crapboxes stuffed full of proprietary components,
ancient components, and illegal components to simply permit this under
any conditions. If it doesn't build from source, we aren't shipping it.

Now, I would be interested in hearing whether we can do this with
IcedTea or not, and if so, how to accomplish it. This seems like it
would be a very necessary component to the non-existent Java packaging
guidelines.

~spot



