(i'd just like to add a few clarifications)<br>
<br>
On 5/28/06, <b class="gmail_sendername">Karl Trygve Kalleberg</b> &lt;<a href="mailto:karltk@gentoo.org">karltk@gentoo.org</a>&gt; wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Calvin Austin wrote:<br><br>&gt; 1. source vs jars ebuilds.<br>&gt; I built everything from source minus one jar file. I had to drop to<br>&gt; source 1.4 or patch the code in some cases. However some projects are<br>&gt; based on maven jar repositories, getting a source version of these can
<br>&gt; be a huge project in itself.<br><br>That's true, but we'll of course never include any .jars from Maven in<br>our tree, since we cannot know which evil backdoors they put into their<br>code: we don't have the source code.
</blockquote><div><br>
for jars with a full and correct POM (maven project descriptor),&nbsp;
the source code used to build the release will be available from the
tag in the appropriate repository as noted in the POM. however, most
jars do not have fully correct POMs...<br>
</div><br>
for apache jars, the maven repository @ ibiblio is just a mirror of the
normative java repository @ apache. providing that the binaries are
verified against the signature files created by the release manager and
hosted by apache, they are as trustworthy as building new jars from the
source distributions.<br>
<br>
maven2 is starting to distribute source jars (for IDEs). these should match exactly the binary version. <br>
<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Also, we can never know if we need to do a security update, since the<br>versions of the jars in the maven repo do not always correspond to an
<br>actual upstream release of anything.</blockquote><div><br>
IMHO there are two separate issues here:<br>
<br>
1 there are a relatively small number of jars (which were uploaded in
the early days of maven) whose exact provinence is unknown (at least in
terms of the tag from which the build was created) and some of which
are badly numbered. this issue really hurt the maven team a year or two
ago and took a lot of energy to address. the maven2 repository is much
cleaner and is much better supervised. so, i believe that (going
forward) this particular problem is overstated.<br>
</div><br>
2 security patches are relatively rare in the java world: new minor
releases are much more common. this is particular because many common
security issues with C and C++ are prevented by the langauge but is
also cultural. this approach seems likely to cause difficulties
downstream. <br>
<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">In conclusion: binary .jars are banned.</blockquote><div><br>
 otherwise this wouldn't be gentoo ;-)<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">&gt; 2. Using open source components vs certified binary components.<br>&gt; Downloading certified jars from Sun or other vendors was a pain, however
<br>&gt; picking up a free implementation that may have never been certified may<br>&gt; be just as bad if you don't know what you are doing</blockquote><div><br>
passing a TCK is quite a lot of effort. the process takes a long time
even if the implementation is already ready without the right contacts,
it can also take hard cash. it's probably beyond the means of open
source projects which aren't backed by a big organisation. <br>
<br>
</div></div>- robert<br>