The geronimo-osgi-support package is bundling its dependencies. (Even core Java classes like java.lang.Object are bundled.)
geronimo-osgi-support is bundling many external libraries. According to Fedora Java Packaging Guidelines this is unacceptable. See: https://fedoraproject.org/wiki/Packaging:Java#Pre-built_JAR_files_.2F_Other_bundled_software

The list of bundled Java packages is:

info.dmtree.*
info.dmtree.notification.*
info.dmtree.notification.spi.*
info.dmtree.registry.*
info.dmtree.security.*
info.dmtree.spi.*
java.io.*
java.lang.*
java.lang.ref.*
java.lang.reflect.*
java.math.*
java.net.*
java.security.*
java.security.acl.*
java.security.cert.*
java.security.interfaces.*
java.security.spec.*
java.text.*
java.text.resources.*
java.util.*
java.util.jar.*
java.util.zip.*
javax.microedition.io.*
javax.servlet.*
javax.servlet.http.*

Those classes often don't match their corresponding non-bundled versions. Many of them refer to native code. There's quite a high chance that there were some security bugfixes, which obviously couldn't affect geronimo-osgi-support.

Because of the above I would appreciate it if bundled libraries were removed from geronimo-osgi-support packaging and added as external dependencies.
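A check a packager could run to produce such a list, added here as an example and not part of the original report: it maps every .class entry of a JAR to its Java package and flags packages under the namespaces named above. The sample JAR contents and the names `org.example.support` and `com.thirdparty.util` are constructed placeholders.

```python
import io
import zipfile
from collections import Counter

# Namespace prefixes taken from the package list in the report above.
REPORTED_PREFIXES = ("java.", "javax.servlet.", "javax.microedition.io.", "info.dmtree.")

def class_packages(jar_bytes):
    """Map each Java package found in the JAR to its number of .class files."""
    counts = Counter()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class") and "/" in entry:
                counts[entry.rsplit("/", 1)[0].replace("/", ".")] += 1
    return counts

def audit(jar_bytes, own_prefix):
    """Return (reported, other) lists of bundled packages outside own_prefix."""
    reported, other = [], []
    for package in sorted(class_packages(jar_bytes)):
        dotted = package + "."  # trailing dot so "javax.servletx" cannot match
        if dotted.startswith(own_prefix + "."):
            continue  # the project's own code is expected in its JAR
        if dotted.startswith(REPORTED_PREFIXES):
            reported.append(package)
        else:
            other.append(package)
    return reported, other

# Constructed sample entries (hypothetical, not the real package contents).
SAMPLE_ENTRIES = (
    "META-INF/MANIFEST.MF", "org/example/support/Activator.class",
    "java/lang/Object.class", "java/security/cert/Certificate.class",
    "javax/servlet/http/HttpServlet.class", "info/dmtree/DmtData.class",
    "com/thirdparty/util/Helper.class",
)

def build_sample_jar():
    """Build the constructed sample JAR in memory so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in SAMPLE_ENTRIES:
            jar.writestr(entry, b"")
    return buf.getvalue()

if __name__ == "__main__":
    reported, other = audit(build_sample_jar(), "org.example.support")
    print("named in report:", reported, "| other foreign:", other)
```

For a JAR on disk, pass the file's bytes and the project's own package prefix to `audit`; any `java.*` hit means JDK classes are shipped inside the artifact and will not pick up fixes from the system runtime.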