Hi Justin, I wonder where exactly (most) of these files come from. I just did: $ wget https://dist.apache.org/repos/dist/dev/incubator/netbeans/incubating-netbeans-java/incubating-9.0-rc1-rc1/incubating-netbeans-java-9.0-rc1-source.zip [this is the URL from the first e-mail in this thread] $ sha1sum incubating-netbeans-java-9.0-rc1-source.zip
a1a265455c8246f849b14982fa3c36b351b21876 incubating-netbeans-java-9.0-rc1-source.zip [I note this is the same SHA1 sum that was mentioned in the first e-mail in this thread] $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep dummy-signed-twice.jar | wc -l 0 $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep dummy-signed.jar | wc -l 0 So it seems [1] and [2] are not in the source zip. These have been removed from the repository by: https://github.com/apache/incubator-netbeans/commit/4abdad79e682d4d93ebc92ff986e82bf0c0d44a1 $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep JavaApp_repo.zip | wc -l 1 So yes, [3] is in the source zip. I went through the file content and I don't see a compile code in there - could you please be more specific what nested file there is a compiled code? And, ideally, what is the very exact definition of "compiled code"? $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep TestJDK.class | wc -l 0 So it seems [4] is not in the source zip. This has been removed from the repository by: https://github.com/apache/incubator-netbeans/commit/4abdad79e682d4d93ebc92ff986e82bf0c0d44a1 $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep test91098.class | wc -l 0 $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep left-square.class | wc -l 0 $ unzip -t incubating-netbeans-java-9.0-rc1-source.zip | grep SwitchData.class | wc -l 0 So it seems [5][6][7] are not in the source zip. These have been removed from the repository by: https://github.com/apache/incubator-netbeans/commit/41cb237b46176b30de4d0c40f1c0be3e411fc9dc Thanks, Jan On Sat, May 26, 2018 at 3:14 PM, Justin Mclean <jus...@classsoftware.com> wrote: > Hi, > > Sorry but it -1 binding from me as the source release contains compiled > code. It’s not an open source release if it contains jars that contain > compiled code e.g. [1][2] And before you ask there is no exception for test > resources. If you need compiled code make it compile as part of the build > process. Even worse the release also looks to contain compiled code here > [3] and there are also several class files included[4][5][6][7][8]. There > are several other files and archives that look like compiled code. I have > to ask how did the vote get past the PPMC and it’s mentors with these > issues? And what can be done so this doesn't happen again? Please check > that your rat exclusions have not been set to too wide and rat shovel pick > up these issues. > > Thanks, > Justin > > 1. ./autoupdate.services/test/unit/src/org/netbeans/api/ > autoupdate/data/dummy-signed-twice.jar > 2. ./autoupdate.services/test/unit/src/org/netbeans/api/ > autoupdate/data/dummy-signed.jar > 3. ./mercurial/test/qa-functional/data/JavaApp_repo.zip > 4. ./nbi/engine/src/org/netbeans/installer/utils/applications/ > TestJDK.class > 5. ./classfile/test/unit/src/regression/datafiles/test91098.class > 6. ./classfile/test/unit/src/regression/datafiles/left-square.class > 7. ./classfile/test/unit/src/regression/datafiles/SwitchData.class > --------------------------------------------------------------------- > To unsubscribe, e-mail: general-unsubscr...@incubator.apache.org > For additional commands, e-mail: general-h...@incubator.apache.org > >
