[very much RFC][icedtea-web] fix for [Bug 564] NetX depends on sun.misc.BASE64Encoder
Deepak Bhole
dbhole at redhat.com
Tue Oct 11 10:08:57 PDT 2011
* Omair Majid <omajid at redhat.com> [2011-10-07 13:01]:
> On 10/07/2011 12:09 PM, Jiri Vanek wrote:
> >Only drawback of copypasting this explicit code is that we lose possible
> >updates from third party (where it is much more used than in icedtea-web)
>
> Actually, I am against copying code into icedtea-web. Not only do we
> lose the benefit from updates, if any security issues are discovered
> in the code (not that sun.misc.BASE64Encoder is likely to have
> many), we will have to update the code in icedtea-web as well. To be
> safe, that would mean that we look at every security update for openjdk
> and double check that the code we copied into icedtea-web is not
> affected by the fix.
>
> I think https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Why_no_Bundled_Libraries
> gives many more reasons why copying code ("bundling") into
> icedtea-web may be a bad idea.
>
> Still, if others think it is fine to copy a small (and rather safe)
> piece of code into icedtea-web, then please don't let me stop you.
>
True. My response was specific to Base64Encoder only though. Since 2009,
there have been no security updates to that file:
http://hg.openjdk.java.net/jdk6/jdk6-gate/jdk/log/b139627f7bc3/src/share/classes/sun/misc/BASE64Encoder.java
It doesn't seem like the kind that would have too many (if any). Given
that, I felt copying might be more viable here.
Cheers,
Deepak