Friends don't let friends use binary bits of unknown origins, not to speak of Fedora Packaging Guidelines violations, and possible breach of bringing proprietary SW into libre-licenses seeking distribution. Was rather shocked that once I confused adb from android-tools with adbe package, I observed a JAR file being installed along, and indeed, this file is not built from sources: https://github.com/ashishb/adb-enhanced/commit/c90b6b31700ebb117e50c3d03ab5fda38ced15b9 and -- AFAIK -- therefore forbidden from Fedora proper unless an exception was granted, which does not seem to be the case, see [bug 1814795]. In the same vein, the reviewer apparently checked out something that should not have been in the first place (for one if there are more eligible): > [x]: Sources contain only permissible code or content. And sadly, that's just for a starter. The other possible problem related to "binary blob carried from upstream", even if it was allowed, is that code that you don't have sources to is totally non-transparent, which is just a step from being actively harmful. Lo and behold, when thrown into VirusTotal.com, at least a single AV engine recognizes that JAR as having traits of something previously recognized as malicious: https://www.virustotal.com/gui/file/2a6e4d0d4bd77c94d0e09baade739596c35d73bb91cc79a17930e1574c41f272 This admittedly might be a false positive (previous scan for the file of the same hash was showing all-green), but do friends let friends expose themselves to unjustified risks? Enthusiasm of everyone involved in bringing new kinds of out-of-the-box "versatility" to Fedora is indeed admirable and all, but I am afraid it went way too wrong here, nothing short of a textbook example of how not to do it, that is, how recklessly. Please, drop that JAR file from the package immediately, and try to find a way of how to restore it by building it from sources as expected in Fedora context, assuming the sources are likewise under licensing that Fedora permits. That being said, setting this bug as a blocker for [FE-Legal], and rushing to remove that accidentally installed package locally. As mentioned, I've meant to install android-tools anyway, but at least this critical double-check emerged from this thinko.
OK, apksigner.jar can possibly be built anew using public sources that appear to be under Apache-2.0 (SPDX notation) license: https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkSigner.java But then it might be a good idea to package it separately and for the purpose of Fedora downstream, make adb-enhanced contain a respective symlink into where the file is placed by that other package, which would consequently become its "Requires:" specified dependency. Thanks for considering these circumstances and options.
I can't speak to the Fedora packaging guidelines, but from the Fedora legal standpoint, this package (at least in this form) must be removed from Fedora.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
> # Uses abe.jar taken from https://sourceforge.net/projects/adbextractor/ abe (https://github.com/nelenkov/android-backup-extractor) uses ASL 2.0. abe.jar and apksigner.jar should definitly not be part of the package.