[security-dev 00408]: Re: xml-stylesheet data files usage in tests removed by fsg.sh

Mark Wielaard mark at klomp.org
Sun Nov 16 12:07:05 UTC 2008


Hi,

On Sun, 2008-11-16 at 00:51 +0000, Andrew John Hughes wrote:
> 2008/11/15 Mark Wielaard <mark at klomp.org>:
> > The IcedTea fsg.sh (Free Software Guidelines) script that scrubs any
> > dubious contents from the files distributed through OpenJDK has the
> > following:
> >
> > # has w3c copyright. license to be checked / needs checking after decoding
> > rm -f \
> >  openjdk/jdk/test/javax/xml/crypto/dsig/data/xml-stylesheet \
> >  openjdk/jdk/test/javax/xml/crypto/dsig/data/xml-stylesheet.b64
> >
> > These files are local copies of the following files:
> > http://www.w3.org/TR/xml-stylesheet
> > http://www.w3.org/Signature/2002/04/xml-stylesheet.b64
> > (The second is a base64 encoded version of the first.)
> >
> > These files are used in the following tests:
> > openjdk/jdk/test/javax/xml/crypto/dsig/GenerationTests.java
> > openjdk/jdk/test/javax/xml/crypto/dsig/ValidationTests.java
> > (Which currently obviously fail without those files in the data dir)
> >
> > These tests references the merlin-xmldsig-twenty-three Baltimore test
> > vectors (also distributed by the w3c):
> > http://www.w3.org/Signature/2001/04/05-xmldsig-interop.html
> >
> > The xml-stylesheet file references:
> > http://www.w3.org/Consortium/Legal/ipr-notice.html#Copyright and
> > http://www.w3.org/Consortium/Legal/copyright-software.html
> > Which seem to imply we may freely distribute them.
> >
> > So I would like to remove these "cleanups" from fsg.sh.
> > Opinions?
>
> doko is the origin of these IIRC.

Matthias, what do you think? If you think there are still issues with
these files could you add a bug report that blocks the IcedTea legal
meta-bug: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=138

> Interestingly, I don't think these tests are in OJ7.  At least, I
> don't recall seeing these failures.

The files are certainly there under 7, and they are removed by the
fsg.sh script. The Generation and Validation Tests that use them are
also there. I'll do a build and a make check to see what is happening
there.

Cheers,

Mark




More information about the security-dev mailing list