Red Hat Bugzilla – Bug 253134
Review Request: jlint - Java program checker
Last modified: 2007-11-30 17:12:13 EST

Spec URL: http://jjames.fedorapeople.org/jlint/jlint.spec
SRPM URL: http://jjames.fedorapeople.org/jlint/jlint-3.1-1.src.rpm

Jlint will check your Java code and find bugs, inconsistencies and
synchronization problems by doing data flow analysis and building the lock
graph. Jlint is extremely fast - even on large projects, it requires only one
second to check all classes! It is easy to learn and requires no changes to
the class files. Jlint has been used in an industrial environment and
successfully uncovered faults with little effort!

The original version of Jlint was written by Konstantin Knizhnik. It was
extended by Cyrille Artho to perform more extensive synchronization checks.

Is this your first package submission to Fedora?

No, Jerry (in case you're the same Jerry James) already maintains some packages
in Fedora. Dunno whether the different email address here from the earlier ones
is a problem (earlier are assigned to Jerry.James at usu.edu in the no longer

jlint is already in Fedora CVS, orphaned and dropped from the distro a few
releases ago. I used to maintain it, and speaking from that experience, I would
suggest using the package already in CVS as the base, or most importantly using
Konstantin Knizhnik's original 1.x versions instead of the extended 3.x ones.
When I last compared them, 1.x gave much better results than 3.x which reported
lots of false positives, which is why I kept the Fedora package at 1.x. I don't
remember more details and I'm no longer using jlint, so I'm afraid there's no
more info about this I can share.

I'm the same Jerry James. I changed jobs, and hence email addresses. I updated
my Fedora Account with the new email address, and added an identity to my GPG
key. Is there something else I need to do? Did I miss a wiki page somewhere on
what to do when one's email address changes?

The web page where I found jlint listed as an orphan said it had been removed
from CVS. Is that information incorrect?

I've never compared the 1.x version to the 3.x version. I'll do that before
proceeding further with this request. Thanks.

I suppose the mail address is ok, I just didn't recognize it.

jlint is in CVS, except for the FC-6 and F-7 branches. FC-5 contains the last
revision I've worked on, and devel contains just the "dead.package" marker file.

The 1.x version has not been touched in 9 years. The 3.x version has not been
touched in 9 months. I have some hopes that the 3.x version can be updated as
needed; I have little hope that the 1.x version will be. I can't know for
certain without seeing your test cases, Ville, but it is possible that the
spurious warnings you got from 3.x are due to the new tests introduced in 3.x,
rather than corrupted tests that were present in 1.x. If you send me code that
triggers spurious warnings, I pledge to work with upstream to make those
warnings go away. Can we proceed with the review using the 3.x version?

(In reply to comment #5)
> The 1.x version has not been touched in 9 years. The 3.x version has not
> been touched in 9 months.

The most recent modification inside the 1.21 tarball is from 2004-04-05, and the
last code modification from 2003-12-08 so it's not quite that old. The newest
modification in the 3.x series is compilation fixes for gcc 3.4.x, no other
changes in 3.1 vs 3.0 according to the release notes. 3.0 was released 2004-06-22.

Additionally, the original 1.x author was very responsive to my mails, whereas
the sourceforge tracker for 3.x does not look too promising regarding upstream
activity (not a single comment to any open item in almost 3 years):

> If you send me code that
> triggers spurious warnings, I pledge to work with upstream to make those
> warnings go away.

Sorry, as said, I don't have more details about this handy any more. Will send
if I remember more details or come across them again.

> Can we proceed with the review using the 3.x version?

Your call, but before that I do suggest taking a closer look at the 3.x
upstream's activity as well as comparing 1.x functionality to 3.x (unless you
already did and I just failed to parse it from your earlier comments). Also,
it'd be better to find someone who actually uses jlint/antic nowadays to do the
review, but I can chime in later if nobody shows up.

Now I'm concerned about licensing issues. The 1.x code just says that it is
"freeware", with no indication of what the author thinks that means. The 3.x
code claims to be released under the GPL, but since it is a derivative work of
code with no clear license, I'm not sure that's legal. I'm now inclined to drop
jlint and work on getting findbugs into Fedora instead. Unless someone really,
really wants me to keep pursuing jlint, I'm going to close this review request
and leave jlint alone.

I have no objections to that, but as said, the 1.x author at least used to
respond pretty quickly to mails so I suppose clarifying the license wouldn't
take much more than just asking him.

Upstream chose an MIT license and also fixed the 64-bit compilation issues. The
new URLs are:
Spec URL: http://jjames.fedorapeople.org/jlint/jlint.spec
SRPM URL: http://jjames.fedorapeople.org/jlint/jlint-1.23-1.src.rpm

Looks good to me, approved.

One minor nit (can be done after import): since VENDINFO.DIZ is no longer
shipped, could drop the related sed'ing in %prep as well.

Package Change Request
Package Name: jlint
New Branches: FC-6 F-7
Updated Fedora Owners: jjames
This is a revival of a previously orphaned package.

jlint-1.23-1.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.

jlint-1.23-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.