Friends don't let friends use binary bits of unknown origins, not to speak of Fedora Packaging Guidelines violations, and possible breach of bringing proprietary SW into libre-licenses seeking distribution. Was rather shocked that once I confused adb from android-tools with adbe package, I observed a JAR file being installed along, and indeed, this file is not built from sources: https://github.com/ashishb/adb-enhanced/commit/c90b6b31700ebb117e50c3d03ab5fda38ced15b9 and -- AFAIK -- therefore forbidden from Fedora proper unless an exception was granted, which does not seem to be the case, see [bug 1814795]. In the same vein, the reviewer apparently checked out something that should not have been in the first place (for one if there are more eligible): > [x]: Sources contain only permissible code or content. And sadly, that's just for a starter. The other possible problem related to "binary blob carried from upstream", even if it was allowed, is that code that you don't have sources to is totally non-transparent, which is just a step from being actively harmful. Lo and behold, when thrown into VirusTotal.com, at least a single AV engine recognizes that JAR as having traits of something previously recognized as malicious: https://www.virustotal.com/gui/file/2a6e4d0d4bd77c94d0e09baade739596c35d73bb91cc79a17930e1574c41f272 This admittedly might be a false positive (previous scan for the file of the same hash was showing all-green), but do friends let friends expose themselves to unjustified risks? Enthusiasm of everyone involved in bringing new kinds of out-of-the-box "versatility" to Fedora is indeed admirable and all, but I am afraid it went way too wrong here, nothing short of a textbook example of how not to do it, that is, how recklessly. Please, drop that JAR file from the package immediately, and try to find a way of how to restore it by building it from sources as expected in Fedora context, assuming the sources are likewise under licensing that Fedora permits. That being said, setting this bug as a blocker for [FE-Legal], and rushing to remove that accidentally installed package locally. As mentioned, I've meant to install android-tools anyway, but at least this critical double-check emerged from this thinko.
OK, apksigner.jar can possibly be built anew using public sources that appear to be under Apache-2.0 (SPDX notation) license: https://android.googlesource.com/platform/tools/apksig/+/master/src/main/java/com/android/apksig/ApkSigner.java But then it might be a good idea to package it separately and for the purpose of Fedora downstream, make adb-enhanced contain a respective symlink into where the file is placed by that other package, which would consequently become its "Requires:" specified dependency. Thanks for considering these circumstances and options.
I can't speak to the Fedora packaging guidelines, but from the Fedora legal standpoint, this package (at least in this form) must be removed from Fedora.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle. Changing version to 38.
> # Uses abe.jar taken from https://sourceforge.net/projects/adbextractor/ abe (https://github.com/nelenkov/android-backup-extractor) uses ASL 2.0. abe.jar and apksigner.jar should definitly not be part of the package.
This message is a reminder that Fedora Linux 38 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 38 on 2024-05-21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '38'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 38 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21. Fedora Linux 38 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.