(Sorry for the TOFU mail; sent from my handheld.)

Hi!

Again, such a package will only be accepted if the security team gave their okay, as it still might not solve their problem completely: if a security problem is found and fixed in bsh, does jedit need to be recompiled, too, to pick up the security patch applied to bsh?

Best regards,
Alexander

Gabriele Giacone <1o5g4...@gmail.com> wrote on 04.04.2010 22:28:

[ CC-ing debian-java and mkoch - bsh maintainers.
This thread starts from <4bb3cd1c.8000...@gmail.com> ]

On 04/03/2010 11:43 PM, Michael Tautschnig wrote:
>> * Gabriele Giacone:
>>
>>> For example openjdk-6-source: source code is in both orig tarball and
>>> openjdk-6-source binary package. This is a duplication, isn't it?
>>
>> First, the duplication refers to source packages.

Good, so my proposal below (bsh-src + patch) could be ok.

>> Second,
>> openjdk-6-source is like the emacs*-el packages, it provides IDE
>> navigation support.
>>
>>> Regarding jedit, what about adding the creation of bsh-src binary
>>> package, adding bsh-src to jedit's Build-Depends and applying jedit
>>> patch at build time?
>>
>> You could use reflection or AOP for that so that you don't need source
>> code at all.

IMHO this could be the best solution but I'm not a developer.

>> However, the correct way is to get the changes you need into the
>> upstream version, or adjust the client code. We do this for non-Java
>> code all the time.
>
> As I understood Gabriele, bsh is dead upstream, so it's actually up to Debian
> maintainers of bsh and Gabriele to sort that out, I guess. I haven't yet
> understood how intrusive that patch is, i.e., whether it breaks bsh core
> functionality or merely extends bsh. Gabriele? bsh maintainers?

Michael (mt), I pasted true changes (excluding references to "org.gjt.sp.jedit.bsh" instead of "bsh", comments and some StringBuffer that become StringBuilder) here [1].
Personally I wouldn't apply those changes to bsh sources to satisfy a jedit-only need.

I would proceed in this way:

bsh: add bsh-src binary creation
jedit:
- remove Debian bsh sources (added to the rejected package [2])
- add bsh-src as builddep
- apply jedit patch and build against patched bsh.
- switch to "public" package like bsh so if someone wanted to write a reflection/AOP patch, it would easily be done without asking.

Would it be rejected again?

Gabriele

[1] http://paste.debian.net/67419
[2] http://mentors.debian.net/debian/pool/main/j/jedit/jedit_4.3.1+dfsg-1.dsc