On Mon, 2008-02-18 at 08:04 -0600, Rex Dieter wrote:
I've been approached by the devs of a GPL'd java app (www.geogebra.org),
wanting my assistance wrt rpm packaging (and eventual inclusion in fedora I
hope), but there's a snag. They want (need) their java applet runnable over
the web (webstart'able), and that means signed jars. They proposed we
simply package their prebuilt (and signed) .jars, but that is contrary to
our usual "build from source" position.
So, the dilemma is
1. come up with packaging policy and mechanism for fedora to produce signed
jars. I raised this issue in the past, but we punted, since fedora, at the
time, didn't include any java implementations that supported this. icedtea
changes that.
2. allow an exception to the "build from source" guideline for pregenerated,
signed .jar's.
3. just say no
4. insert suggestion here.
...
99. profit!
OK, so this is my stance:
* Unless Fedora can sign the jars that we build from source, this is a
showstopper.
We cannot permit pre-generated signed jars. I've seen too many
horrifying java crapboxes stuffed full of proprietary components,
ancient components, and illegal components to simply permit this under
any conditions. If it doesn't build from source, we aren't shipping it.
Now, I would be interested in hearing whether we can do this with
IcedTea or not, and if so, how to accomplish it. This seems like it
would be a very necessary component to the non-existent Java packaging
guidelines.
~spot