[very much RFC][icedtea-web] fix for [Bug 564] NetX depends on sun.misc.BASE64Encoder
Dr Andrew John Hughes
ahughes at redhat.com
Mon Oct 17 05:36:06 PDT 2011
On 12:41 Mon 17 Oct , Jiri Vanek wrote:
> On 10/11/2011 07:08 PM, Deepak Bhole wrote:
> > * Omair Majid<omajid at redhat.com> [2011-10-07 13:01]:
> >> On 10/07/2011 12:09 PM, Jiri Vanek wrote:
> >>> Only drawback of copypasting this explicit code is that we lost possible
> >>> updates from third party (where it is much more used than in icedtea-web)
> >>
> >> Actually, I am against copying code into icedtea-web. Not only do we
> >> lose the benefit from updates, if any security issues are discovered
> >> in the code (not that sun.misc.BASE64Encoder is likely to have
> >> many), we will have to update the code in icedtea-web as well. To be
> >> safe, that would mean that we look at every security update for openjdk
> >> and double check that the code we copied into icedtea-web is not
> >> affected by the fix.
> >>
> >> I think https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries#Why_no_Bundled_Libraries
> >> gives many more reasons why copying code ("bundling") into
> >> icedtea-web may be a bad idea.
> >>
> >> Still, if others think it is fine to copy a small (and rather safe)
> >> piece of code into icedtea-web, then please don't let me stop you.
> >>
> >
> > True. My response was specific to Base64Encoder only though. Since 2009,
> > there have been no security updates to that file:
> > http://hg.openjdk.java.net/jdk6/jdk6-gate/jdk/log/b139627f7bc3/src/share/classes/sun/misc/BASE64Encoder.java
> >
8, or at least 7, is the place to check for updates, not 6. Fortunately, it does concur:

$ hg log src/share/classes/sun/misc/BASE64Encoder.java
changeset: 2362:00cd9dc3c2b5
parent: 2360:cf44386c8fe3
user: ohair
date: Tue May 25 15:58:33 2010 -0700
summary: 6943119: Rebrand source copyright notices

changeset: 0:37a05a11f281
tag: jdk7-b24
user: duke
date: Sat Dec 01 00:00:00 2007 +0000
summary: Initial load

> > It doesn't seem like the kind that would have too many (if any). Given
> > that, I felt copying might be more viable here.
> >
> > Cheers,
> > Deepak
>
> 2011-10-17 Jiri Vanek <jvanek at redhat.com>
>
> PR564: NetX depends on sun.misc.BASE64Encoder
> * configure.ac: removed IT564 comment, removed check for sun.misc.BASE64Encoder
> * netx/net/sourceforge/jnlp/security/CertificateUtils.java : sun.misc.BASE64Encoder;
> replaced (just changed import) by internal implementation from
> net.sourceforge.jnlp.util.replacements.BASE64Encoder;
> * netx/net/sourceforge/jnlp/util/replacements/BASE64Encoder.java:
> * netx/net/sourceforge/jnlp/util/replacements/CharacterEncoder.java:
> New files, internal implementation of BASE64Encoder, copied from OpenJDK
> * tests/netx/unit/net/sourceforge/jnlp/util/replacements/BASE64EncoderTest.java
> New file, t test internal base64encoder implementation
>
There's a typo in the Changelog: ", t test" -> "to test"
Otherwise, looks good to me, assuming it builds and the test passes.
You should close the Bugzilla bug for this once committed.
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07