Bug 1206893 - Binary blobs in upstream tarball we build from
Summary: Binary blobs in upstream tarball we build from
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: eclipse
Version: 23
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Mat Booth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-29 11:27 UTC by Pavel Raiskup
Modified: 2015-08-19 08:14 UTC (History)
9 users (show)

Fixed In Version: eclipse-4.5.0-12.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-18 05:17:33 UTC


Attachments (Terms of Use)
tar tf R4_platform-aggregator-I20150317-2000.tar.xz | grep -e '\.jar$' -e '\.njar$' -e '\.class$' -e '\.so$' (975 bytes, text/plain)
2015-03-30 06:04 UTC, Pavel Raiskup
no flags Details

Description Pavel Raiskup 2015-03-29 11:27:04 UTC
I can see that output of the following command is not empty:

tar tf R4_platform-aggregator-I20150317-2000.tar.xz \
    | grep -e \\.jar$ -e \\.njar$

Do you think that we could call something like:

    find -delete -name '*.jar' -o -name '*.njar' -o -name '*.class'

.. somewhere early in %prep phase, as soon as the tarballs are extracted?
That would kind of work-around our guarantees that we don't build from hacked
binary blobs.

I was unable to check whether those binary files are actually used
because the eclipse package fails to build in my mock profile even if I do not
edit it.  However, if those actually are used - it would be probably serious
packaging problem against our Java PG.

(background story: I tried to resolve similar problems in my package and I
picked eclipse randomly as typical java package I should learn from, but
found similar issues)

Pavel

Comment 1 Alexander Kurtakov 2015-03-30 05:25:30 UTC
Pavel, would you please put the actual list of jars here?

Comment 2 Pavel Raiskup 2015-03-30 06:04:17 UTC
Created attachment 1008207 [details]
tar tf R4_platform-aggregator-I20150317-2000.tar.xz |  grep -e '\.jar$' -e '\.njar$' -e '\.class$' -e '\.so$'

Comment 3 Jan Kurik 2015-07-15 14:20:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 4 Roland Grunberg 2015-07-20 17:20:31 UTC
Looking at R4_platform-aggregator-R4_5.tar.xz , the osgi.annotation.jar is no longer part of the sources that we're using. We provide it by symbolically linking to the system's version [1]. The other jars listed are simply test data consumed by org.eclipse.equinox.p2.tests.

Upstream has been pretty good about removing pre-built things from the build and providing the ability to do things from source, but should we have such a removal just in case something slips through ?

[1] http://pkgs.fedoraproject.org/cgit/eclipse.git/tree/eclipse.spec?id=03e744976bf53693b3d58583730b1297fa3619ae#n555

Comment 5 Mat Booth 2015-08-12 08:52:23 UTC
As Roland says, osgi.annotation.jar is no longer bundled. 

The only remaining binary blobs in the source tarball are test data that we cannot (or will not in the future) be able to generate from source.

For example, some jars that I have chosen not to remove contain java 1.1 bytecode for the specific purpose of testing JDT -- however, the generation of java 1.1 bytecodes in deprecated by OpenJDK and is a function that will be removed in the future. It is important that JDT remains backwards compatible but in the future it will not be possible to generate these test cases from source (in Fedora.)

I am going to mark this bug resolved, but please re-open if you feel strongly otherwise.

Comment 6 Fedora Update System 2015-08-12 08:53:44 UTC
cbi-plugins-1.1.2-3.fc22, tycho-extras-0.23.0-2.fc22, tycho-0.23.0-5.fc22.2, eclipse-4.5.0-5.fc22, eclipse-ecf-3.10.0-5.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/FEDORA-2015-11679/eclipse-4.5.0-5.fc22,eclipse-ecf-3.10.0-5.fc22,cbi-plugins-1.1.2-3.fc22,tycho-extras-0.23.0-2.fc22,tycho-0.23.0-5.fc22.2

Comment 7 Fedora Update System 2015-08-12 08:56:35 UTC
eclipse-4.5.0-12.fc23, eclipse-ecf-3.10.0-5.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/eclipse-4.5.0-12.fc23,eclipse-ecf-3.10.0-5.fc23

Comment 8 Fedora Update System 2015-08-12 20:11:17 UTC
Package eclipse-4.5.0-12.fc23, eclipse-ecf-3.10.0-5.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing eclipse-4.5.0-12.fc23 eclipse-ecf-3.10.0-5.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13296/eclipse-4.5.0-12.fc23,eclipse-ecf-3.10.0-5.fc23
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2015-08-18 05:17:33 UTC
cbi-plugins-1.1.2-3.fc22, tycho-extras-0.23.0-2.fc22, tycho-0.23.0-5.fc22.2, eclipse-4.5.0-5.fc22, eclipse-ecf-3.10.0-5.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2015-08-19 08:14:34 UTC
eclipse-4.5.0-12.fc23, eclipse-ecf-3.10.0-5.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.