Bug 820117 - azureus: Bundled libraries
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: azureus
Version: 20
Assigned To: David Juran
QA Contact: Fedora Extras Quality Assurance
Blocks: 814687
Reported: 2012-05-09 04:26 EDT by Mikolaj Izdebski
Modified: 2014-03-18 04:08 EDT
Fixed In Version: azureus-5.2.0.0-6.fc20
Doc Type: Bug Fix
Last Closed: 2014-03-18 04:08:46 EDT
Type: Bug


Attachments
remove half unbundle bouncycastle (2.58 KB, patch)
2014-02-15 22:20 EST, Sergio Monteiro Basto
remove half unbundle bouncycastle updated (2.56 KB, patch)
2014-02-15 22:24 EST, Sergio Monteiro Basto
sorry, another update to remove half unbundle bouncycastle (2.04 KB, patch)
2014-02-15 22:29 EST, Sergio Monteiro Basto

Description Mikolaj Izdebski 2012-05-09 04:26:05 EDT
azureus is bundling several libraries, including:

	apache-commons-lang
	bouncycastle
	json

According to the Fedora Java Packaging Guidelines, this is unacceptable. See: https://fedoraproject.org/wiki/Packaging:Java#Pre-built_JAR_files_.2F_Other_bundled_software

Please remove these libraries from packaging and add them as external dependencies.
Comment 1 Fedora End Of Life 2013-04-03 10:34:36 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 2 Sergio Monteiro Basto 2014-02-15 22:20:01 EST
Created attachment 863653
remove half unbundle bouncycastle

(In reply to Mikolaj Izdebski from comment #0)
> azureus is bundling several libraries, including:
> 
> 	apache-commons-lang
>       bouncycastle
>       json
>

apache-commons is already unbundled:

rm -fR org/apache

json was recently unbundled:
rm -fR org/json

What is not unbundled:
# http://www.programmers-friend.org/download/ not found in fedora repos
#rm -fR org/pf

and bouncycastle.

bouncycastle: the .spec tries to unbundle it but requires org.bouncycastle.jce.provider,
which is not part of bouncycastle 1.46 on Fedora.

Going by this link, http://www.cs.berkeley.edu/~jonah/bc/org/bouncycastle/jce/provider/JCEECDHKeyAgreement.html,
it seems to need Bouncy Castle Cryptography Library 1.37.

So I propose reverting this half unbundling, because as it is, azureus uses 2 bouncycastle jars, one bundled and one from the system; to me that does not seem good.
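
The half-unbundled state described in this comment can be checked mechanically. The following Python is an added example, not code from the bug report or from the Fedora package: it lists which flagged package prefixes an application jar still ships and, for one prefix, which classes also exist in the system jar. The jars are constructed in memory and, apart from JCEECDHKeyAgreement, their class names are placeholders.

```python
import io
import zipfile

# Package prefixes this bug report names as bundled inside azureus.
FLAGGED_PREFIXES = ("org/apache/", "org/bouncycastle/", "org/json/", "org/pf/")


def make_jar(entries):
    """Build an in-memory jar (zip) with empty placeholder class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


def class_entries(jar_bytes):
    """Return the set of .class entry names stored in a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n for n in jar.namelist() if n.endswith(".class")}


def bundled_prefixes(app_jar, prefixes=FLAGGED_PREFIXES):
    """List the flagged package prefixes the application jar still ships."""
    names = class_entries(app_jar)
    return sorted(p for p in prefixes if any(n.startswith(p) for n in names))


def overlap_report(app_jar, system_jar, prefix):
    """Split the app's classes under prefix by whether the system jar has them too."""
    mine = {n for n in class_entries(app_jar) if n.startswith(prefix)}
    theirs = class_entries(system_jar)
    return {
        "duplicated": sorted(mine & theirs),    # two copies on the classpath
        "bundled_only": sorted(mine - theirs),  # blocks removing the bundled copy
    }


# Constructed sample jars; apart from JCEECDHKeyAgreement, which the linked
# javadoc names, the class names are placeholders.
APP_JAR = make_jar([
    "org/gudy/azureus2/Main.class",
    "org/bouncycastle/crypto/Digest.class",
    "org/bouncycastle/jce/provider/JCEECDHKeyAgreement.class",
    "org/pf/text/StringUtil.class",
])
SYSTEM_JAR = make_jar(["org/bouncycastle/crypto/Digest.class"])

if __name__ == "__main__":
    print(bundled_prefixes(APP_JAR))
    print(overlap_report(APP_JAR, SYSTEM_JAR, "org/bouncycastle/"))
```

A non-empty "duplicated" list means which copy of a class gets loaded depends on classpath order; a non-empty "bundled_only" list names the classes the application source must stop using before the bundled copy can be deleted.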
Comment 3 Sergio Monteiro Basto 2014-02-15 22:24:36 EST
Created attachment 863654
remove half unbundle bouncycastle updated
Comment 4 Sergio Monteiro Basto 2014-02-15 22:29:23 EST
Created attachment 863655
sorry, another update to remove half unbundle bouncycastle
Comment 5 David Juran 2014-02-24 01:11:29 EST
I'm not sure I understand the reason for the patch in #4. 
For sure, the bundled BouncyCastle classes are still used until someone comes around to patch the source, and I don't claim to understand all the fine details of classloading, but I don't really see any harm in having BouncyCastle in the classpath. In my opinion, we should focus on really removing the bundled BouncyCastle code from azureus instead. Or to put it the other way around, what is the problem you're trying to solve?
Comment 6 Sergio Monteiro Basto 2014-02-24 09:54:36 EST
(In reply to David Juran from comment #5)
> I don't claim to understand all the
> fine details of classloading but I don't really see any harm in having
> BouncyCastle in the classpath. 

As I see it, it is more optimized if we just use one BouncyCastle; it is not a good option to have two BouncyCastle in the classpath. On the other hand, it will be easier to remove the bundled BouncyCastle code.

> In my opinion, we should focus on really
> removing the bundled BouncyCastle code from azureus instead. 

I'm focused on this, but haven't had much time. I will try to find a manual that explains how to upgrade BouncyCastle from 1.37 to 1.46.

> Or to put it
> the other way around, what is the problem you're trying to solve?

Meanwhile I have used Azureus with this patch of mine and the F21 commits and I like the results; anyway, I also use swt M5, so I can't be sure that the patch solves the crashes.

Thanks,
Comment 7 Fedora Update System 2014-03-07 14:17:41 EST
azureus-5.2.0.0-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/azureus-5.2.0.0-6.fc20
Comment 8 Fedora Update System 2014-03-08 23:42:16 EST
Package azureus-5.2.0.0-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing azureus-5.2.0.0-6.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3656/azureus-5.2.0.0-6.fc20
then log in and leave karma (feedback).
Comment 9 Sergio Monteiro Basto 2014-03-11 14:23:45 EDT
Hi, Juran 

IMHO, we should merge azureus-SecureMessageServiceClientHelper-bcprov.patch into the azureus-5.3.0.0-no-bundled-bouncycastle patch, since they try to resolve the same thing: unbundling bouncycastle.

And why do we have an outdated Azureus for F20? I don't see any reason for F19, F20 and rawhide not to have the same source. The kernel guys update F19 with kernel major version 3.12 to 3.13, which bumped many bugs, and if the kernel doesn't have these limits, why are you so conservative in updates of Azureus, but not with your patches?
Comment 10 Mikolaj Izdebski 2014-03-12 07:17:53 EDT
(In reply to Sergio Monteiro Basto from comment #9)
> And why do we have an outdated Azureus for F20? I don't see any reason for
> F19, F20 and rawhide not to have the same source. The kernel guys update F19
> with kernel major version 3.12 to 3.13, which bumped many bugs, and if the
> kernel doesn't have these limits, why are you so conservative in updates of
> Azureus, but not with your patches?

See: http://fedoraproject.org/wiki/Updates_Policy#Stable_Releases

Kernel package has exception granted by FESCO and that's why major updates can be pushed to stable releases.
Comment 11 Sergio Monteiro Basto 2014-03-12 13:58:26 EDT
"particularly when those features would materially affect the user or developer experience"
Not the case; my interpretation is that Azureus 5.3.0.0 is stable, was considered stable by upstream, so it should go to stable releases.

The kernel is an exception; Firefox (enabled gstreamer), libreoffice (4.1.3 to 4.2.1), kde (4.11 to 4.12) after F20 was released, are they also exceptions?

Conclusion: please update Azureus in F20 and possibly in F19, or let me update it for you; give me commit permissions.
Comment 12 Fedora Update System 2014-03-18 04:08:46 EDT
azureus-5.2.0.0-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
