Bug 838625

Summary: felix-osgi-foundation: Bundled libraries
Product: [Fedora] Fedora Reporter: Mikolaj Izdebski <mizdebsk>
Component: felix-osgi-foundationAssignee: Mat Booth <mat.booth>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: rawhideCC: mat.booth
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 878469 (view as bug list) Environment:
Last Closed: 2013-03-18 15:52:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 504493, 878469    

Description Mikolaj Izdebski 2012-07-09 15:57:22 UTC 
Description of problem:
felix-osgi-foundation is bundling many libraries.
Bundling is against Fedora Policy, see:
http://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Version-Release number of selected component (if applicable):
1.2.0-8.fc17.noarch

Additional information:
Bundled libraries are contained in /usr/share/java/felix/org.osgi.foundation.jar.
The following Java packages are bundled in this jar:

java.io.*
java.lang.*
java.lang.ref.*
java.lang.reflect.*
java.math.*
java.net.*
java.security.*
java.security.acl.*
java.security.cert.*
java.security.interfaces.*
java.security.spec.*
java.text.*
java.text.resources.*
java.util.*
java.util.jar.*
java.util.zip.*
javax.microedition.io.*

Those classes often don't match their corresponding non-bundled versions. Many of them refer to native code. There's quite high chance that there were some security bugfixes, which obviously couldn't affect felix-osgi-foundation.

What's even more interesting: This package doesn't contain ANY Felix or OSGi-related classes - it consists only of bundled libraries.
In my opinion this package is a candidate for removal.
Comment 1 Mikolaj Izdebski 2012-11-20 13:54:41 UTC 
Is there any progress on this bug?
Comment 2 Mat Booth 2013-03-18 15:52:33 UTC 
See Section 999 of the OSGi Compendium Spec:

http://www.osgi.org/Download/Release4V43

This bundle contains the platform class definitions that comprise OSGi Defined Execution Environments. An execution environment is the minimum set of classes that are supposed to be available from a platform to be able to support the framework.

I don't think there is actually any duplication of code, it is just empty stubs used only for compilation (I assume to make sure your project does not use a class that is not provided by your target OSGi Execution Environment.)

This package should NOT be deployed with a project or used in production in any way, it is provided only for compilation.

I hope this addresses your concerns. I am going to close this NOTABUG.