Bug 820117

Summary: azureus: Bundled libraries
Product: [Fedora] Fedora
Reporter: Mikolaj Izdebski <mizdebsk>
Component: azureus
Assignee: David Juran <djuran>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: djuran, langel, sergio
Hardware: Unspecified
OS: Unspecified
Fixed In Version: azureus-5.2.0.0-6.fc20
Doc Type: Bug Fix
Last Closed: 2014-03-18 08:08:46 UTC
Type: Bug
Bug Blocks: 814687
Attachments (description / flags):
remove half unbundle bouncycastle / none
remove half unbundle bouncycastle updated / none
sorry, another update to remove half unbundle bouncycastle / none

Description Mikolaj Izdebski 2012-05-09 08:26:05 UTC
azureus is bundling several libraries, including:

        apache-commons-lang
        bouncycastle
        json

According to Fedora Java Packaging Guidelines this is unacceptable. See: https://fedoraproject.org/wiki/Packaging:Java#Pre-built_JAR_files_.2F_Other_bundled_software

Please remove these libraries from packaging and add them as external dependencies.

Comment 1 Fedora End Of Life 2013-04-03 14:34:36 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 2 Sergio Basto 2014-02-16 03:20:01 UTC
Created attachment 863653 [details]
remove half unbundle bouncycastle

(In reply to Mikolaj Izdebski from comment #0)
> azureus is bundling several libraries, including:
> 
>       apache-commons-lang
>       bouncycastle
>       json
>

apache-commons is already unbundled:

rm -fR org/apache

Json was recently unbundled:
rm -fR org/json

What is not unbundled:
# http://www.programmers-friend.org/download/ not found in fedora repos 
#rm -fR org/pf

and bouncycastle.

For bouncycastle, the .spec tries to unbundle it but requires org.bouncycastle.jce.provider,
which is not part of bouncycastle 1.46 on Fedora.

By this link http://www.cs.berkeley.edu/~jonah/bc/org/bouncycastle/jce/provider/JCEECDHKeyAgreement.html
it seems it needs Bouncy Castle Cryptography Library 1.37.

So I propose reverting this half unbundling, because as it is, azureus uses 2 bouncycastle jars, one bundled and one from the system; to me that does not seem good.
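
The state described in comment 2, where an application jar carries its own copy of a library that a system jar also provides, can be checked mechanically. This is an added example, not part of the bug report or of the azureus packaging: it reports, per bundled package prefix, which classes are duplicated by system jars and which exist only in the bundled copy. The function names and the jar contents in the demo are assumptions constructed for illustration.

```python
import io
import zipfile

# Package prefixes the bug report names as bundled inside azureus.
BUNDLED_PREFIXES = ("org/apache/", "org/bouncycastle/", "org/json/", "org/pf/")


def class_entries(jar):
    """Return the set of .class entry names in a jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return {n for n in zf.namelist() if n.endswith(".class")}


def audit_bundling(app_jar, system_jars):
    """Map each bundled prefix found in app_jar to two sorted lists:
    'duplicated'   classes a system jar also ships (two copies on classpath)
    'only_bundled' classes no system jar provides (removal would break the app)
    """
    app = class_entries(app_jar)
    system = set().union(*(class_entries(j) for j in system_jars))
    report = {}
    for prefix in BUNDLED_PREFIXES:
        bundled = {n for n in app if n.startswith(prefix)}
        if bundled:
            report[prefix] = {
                "duplicated": sorted(bundled & system),
                "only_bundled": sorted(bundled - system),
            }
    return report


def make_jar(names):
    """Build an in-memory jar with empty entries (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"")
    return buf


if __name__ == "__main__":
    # Constructed entry names for illustration; not a listing of the real jars.
    app = make_jar(["app/Main.class",
                    "org/bouncycastle/jce/provider/JCEECDHKeyAgreement.class",
                    "org/bouncycastle/util/Sample.class"])
    system = make_jar(["org/bouncycastle/util/Sample.class"])
    for prefix, found in audit_bundling(app, [system]).items():
        print(prefix, found)
```

A non-empty `only_bundled` list marks classes the application would lose if the bundled directory were simply deleted; a non-empty `duplicated` list marks classes present twice on the classpath.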

Comment 3 Sergio Basto 2014-02-16 03:24:36 UTC
Created attachment 863654 [details]
remove half unbundle bouncycastle updated

Comment 4 Sergio Basto 2014-02-16 03:29:23 UTC
Created attachment 863655 [details]
sorry, another update to  remove half unbundle bouncycastle

Comment 5 David Juran 2014-02-24 06:11:29 UTC
I'm not sure I understand the reason for the patch in #4. 
For sure, the bundled BouncyCastle classes are still used until someone comes around to patch the source and I don't claim to understand all the fine details of classloading but I don't really see any harm in having BouncyCastle in the classpath. In my opinion, we should focus on really removing the bundled BouncyCastle code from azureus instead. Or to put it the other way around, what is the problem you're trying to solve?

Comment 6 Sergio Basto 2014-02-24 14:54:36 UTC
(In reply to David Juran from comment #5)
> I don't claim to understand all the
> fine details of classloading but I don't really see any harm in having
> BouncyCastle in the classpath. 

As I see it, it is more optimized if we just use one BouncyCastle; it is not a good option to have two BouncyCastle in the classpath. On the other hand, it will be easier to remove the bundled BouncyCastle code.

> In my opinion, we should focus on really
> removing the bundled BouncyCastle code from azureus instead. 

I'm focused on this, but haven't had much time. I will try to find a manual that explains how to upgrade BouncyCastle from 1.37 to 1.46.

> Or to put it
> the other way around, what is the problem you're trying to solve?

Meanwhile I have used Azureus with this patch of mine and the F21 commits and I like the results; anyway, I also use swt M5, so I can't ensure that the patch solves the crashes.

Thanks,

Comment 7 Fedora Update System 2014-03-07 19:17:41 UTC
azureus-5.2.0.0-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/azureus-5.2.0.0-6.fc20

Comment 8 Fedora Update System 2014-03-09 04:42:16 UTC
Package azureus-5.2.0.0-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing azureus-5.2.0.0-6.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3656/azureus-5.2.0.0-6.fc20
then log in and leave karma (feedback).

Comment 9 Sergio Basto 2014-03-11 18:23:45 UTC
Hi, Juran 

IMHO, we should merge azureus-SecureMessageServiceClientHelper-bcprov.patch into the azureus-5.3.0.0-no-bundled-bouncycastle patch, since they try to resolve the same thing: unbundling bouncycastle.

And why do we have an outdated Azureus for F20? I don't see any reason why F19, F20 and rawhide don't have the same source. The kernel guys updated F19 from kernel major version 3.12 to 3.13, which bumped many bugs, and if the kernel doesn't have these limits, why are you so conservative in updates of Azureus, but not with your patches?

Comment 10 Mikolaj Izdebski 2014-03-12 11:17:53 UTC
(In reply to Sergio Monteiro Basto from comment #9)
> And why do we have an outdated Azureus for F20? I don't see any reason why
> F19, F20 and rawhide don't have the same source. The kernel guys updated F19
> from kernel major version 3.12 to 3.13, which bumped many bugs, and if the
> kernel doesn't have these limits, why are you so conservative in updates of
> Azureus, but not with your patches?

See: http://fedoraproject.org/wiki/Updates_Policy#Stable_Releases

The kernel package has an exception granted by FESCO, and that's why major updates can be pushed to stable releases.

Comment 11 Sergio Basto 2014-03-12 17:58:26 UTC
"particularly when those features would materially affect the user or developer experience"
Not the case; my interpretation is that Azureus 5.3.0.0 is stable, it was considered stable by upstream, so it should go to stable releases.

The kernel is an exception; Firefox (enabled gstreamer), libreoffice (4.1.3 to 4.2.1), kde (4.11 to 4.12) after F20 was released, are they also exceptions?

Conclusion: please update Azureus in F20 and possibly in F19, or let me update it for you; give me commit permissions.

Comment 12 Fedora Update System 2014-03-18 08:08:46 UTC
azureus-5.2.0.0-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.