docbook / xslt10-stylesheets

XSLT 1.0 Stylesheets for DocBook

Binary JAR files in release from tools/ and extensions/ folders #268

Open Lupphes opened 3 months ago

Lupphes commented 3 months ago

While updating a license for the Fedora package docbook5-style-xsl, the legal team discovered that we were unintentionally packaging multiple JAR binaries from the package's tools/ folder.

The binary files are downloaded from the repository and then packed with RPM, which is shipped.

In the past, this problem was present just for the folder extensions/, which is not packaged into Fedora (if statement in the spec file). However, after closer inspection, we found the tools/ folder and two additional files, which do not present a problem. All binaries listed:

$ grep -rIL .  | grep -vE '\.png|\.pdf|\.gif|\.tif|\.ico|\.jpg|\.bmp'
extensions/lucene-analyzers-3.0.0.jar
extensions/xalan27.jar
extensions/saxon65.jar
extensions/lucene-core-3.0.0.jar
extensions/tagsoup-1.2.1.jar
extensions/webhelpindexer.jar
tools/lib/calabash.jar
tools/lib/saxon.jar
tools/lib/isorelax.jar
tools/lib/xalan/xsltc.jar
tools/lib/xalan/xalan.jar
tools/lib/xalan/serializer.jar
tools/lib/saxon9he.jar
tools/lib/commons-codec-1.3.jar
tools/lib/jing.jar
tools/lib/ant-contrib-1.0b3.jar
tools/lib/xml-apis.jar
tools/lib/commons-logging-1.1.1.jar
tools/lib/saxon9-ant.jar
tools/lib/jython.jar
tools/lib/xmlresolver.jar
tools/lib/commons-httpclient-3.1.jar
tools/lib/xercesImpl.jar
slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

These files:

slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

can probably be easily removed, as slidy.js.gz is just an accidental archive and template.dot a text document's preamble. The rest of the files are JAR binary files.

The final JAR files should not be shipped in the release, nor should there be a way to build them if required. Could you please provide some guidance on this?

Related BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2260534
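As an added example (not code from the issue or from the xslt10-stylesheets project), the following Python check reproduces the `grep -rIL .` heuristic used above so it can run as a release-tarball gate: a file counts as binary when a NUL byte appears in its first block, the same image extensions are skipped, and each `.jar` is additionally confirmed to be a real Java archive (a zip carrying META-INF/MANIFEST.MF). The directory tree it scans is constructed in a temporary directory; the file names echo the listing above but are not the real repository.

```python
import os
import tempfile
import zipfile

IMAGE_EXTS = {".png", ".pdf", ".gif", ".tif", ".ico", ".jpg", ".bmp"}  # same set the issue's grep pipeline excludes

def is_binary(path, probe=8192):
    """Approximate grep -I: a file is binary if a NUL byte appears in its first block."""
    with open(path, "rb") as f:
        return b"\x00" in f.read(probe)

def is_jar(path):
    """A real Java archive is a zip file that carries META-INF/MANIFEST.MF."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as z:
        return "META-INF/MANIFEST.MF" in z.namelist()

def find_binaries(root):
    """Return sorted (relative path, kind) pairs for non-image binary files under root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTS or not is_binary(path):
                continue
            kind = "jar" if ext == ".jar" and is_jar(path) else "binary"
            found.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(found)

def build_sample_tree():
    """Constructed sample tree (not the real repo): one jar, one .gz, one bmp, one text stylesheet."""
    root = tempfile.mkdtemp(prefix="docbook-scan-")
    files = {
        "tools/lib/saxon.jar": None,  # written below as a real zip with a manifest
        "slides/slidy/scripts/slidy.js.gz": b"\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x03",  # gzip header
        "slides/slidy/graphics/fold.bmp": b"BM\x00\x00\x00\x00",  # binary, but skipped by extension
        "html/docbook.xsl": b"<xsl:stylesheet version='1.0'/>\n",  # plain text, not reported
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if data is None:
            with zipfile.ZipFile(path, "w") as z:
                z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        else:
            with open(path, "wb") as f:
                f.write(data)
    return root
```

Running `find_binaries` over a real checkout before tagging a release lists exactly the files a packager would otherwise have to discover after the fact.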

ikerexxe commented 2 months ago

If I understand the problem correctly, it is more of a packaging problem than a licensing problem. The jar files stored in the extensions/ and tools/ folders are already provided by other projects (i.e. xalan is provided by ant-apache-xalan2), so there is no need for this project to include them, but you should add them as dependencies to be installed.

andreboscatto commented 2 months ago

Looking from a broader perspective, this problem is affecting many distributions, including Fedora, and several core projects, like PAM.

So having it fixed upstream instead of removing those files per distribution will help sanitize the state of the project and will avoid future issues when other distributions start complaining about this problem.

Lupphes commented 2 months ago

I've done a bit of research on the packages.

Not all of the JAR files are from Oasis but from other 3rd-party companies/projects. Some of these packages are not even available in Fedora anymore as they are orphaned.

Files are in Fedora in a different package:

  1. extensions/lucene-analyzers-3.0.0.jar
    • Fedora Package: lucene-analysis-common
    • JAR: /usr/share/java/lucene/lucene-analysis-common.jar
    • Status: Verified
  2. extensions/xalan27.jar
    • Fedora Package: ant-apache-xalan2
    • JAR: /usr/share/java/ant/ant-apache-xalan2.jar
    • Status: Verified
  3. extensions/lucene-core-3.0.0.jar
    • Fedora Package: lucene-core
    • JAR: /usr/share/java/lucene/lucene-core.jar
    • Status: Verified
  4. extensions/tagsoup-1.2.1.jar
    • Fedora Package: tagsoup
    • JAR: /usr/share/java/tagsoup.jar
    • Status: Verified
  5. tools/lib/commons-codec-1.3.jar
    • Fedora Package: apache-commons-codec
    • JAR: /usr/share/java/commons-codec.jar
    • Status: Verified
  6. tools/lib/xml-apis.jar
    • Fedora Package: xml-commons-apis
    • JAR: /usr/share/java/xml-commons-apis.jar
    • Status: Verified
  7. tools/lib/commons-logging-1.1.1.jar
    • Fedora Package: apache-commons-logging
    • JAR: /usr/share/java/commons-logging.jar
    • Status: Verified
  8. tools/lib/xmlresolver.jar
    • Fedora Package: xml-commons-resolver
    • JAR: /usr/share/java/xml-commons-resolver.jar
    • Status: Verified
  9. tools/lib/xercesImpl.jar
    • Fedora Package: xerces-j2
    • JAR: /usr/share/java/xercesImpl.jar
    • Status: Verified
  10. tools/lib/xalan/xsltc.jar, tools/lib/xalan/xalan.jar, tools/lib/xalan/serializer.jar
    • Fedora Package: xalan-j2
    • JARs: /usr/share/java/xalan-j2.jar, /usr/share/java/xalan-j2-serializer.jar, /usr/share/java/jaxp_transform_impl.jar
    • Status: Verified
  11. tools/lib/ant-contrib-1.0b3.jar
    • Fedora Package: ant-contrib
    • JAR: /usr/share/java/ant-contrib.jar
    • Status: Verified

Orphaned Fedora Packages --- File was not in Fedora

  1. tools/lib/isorelax.jar
    • Fedora Package: isorelax
    • JAR: /usr/share/java/isorelax.jar
    • Status: Orphaned
  2. tools/lib/jing.jar
    • Fedora Package: jing
    • JAR: /usr/share/java/jing.jar
    • Status: Orphaned
  3. tools/lib/jython.jar
    • Fedora Package: jython
    • JAR: /usr/share/java/jython.jar
    • Status: Orphaned
  4. tools/lib/commons-httpclient-3.1.jar
    • Fedora Package: jakarta-commons-httpclient
    • JAR: /usr/share/java/commons-httpclient.jar
    • Status: Orphaned
  5. extensions/saxon65.jar
    • Fedora Package: saxon
    • Related JARs: /usr/share/java/saxon/saxon.jar, /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  6. tools/lib/saxon.jar
    • Fedora Package: saxon
    • Related JARs: /usr/share/java/saxon/saxon.jar, /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  7. tools/lib/saxon9he.jar
    • Fedora Package: saxon
    • JAR: /usr/share/java/saxon/saxon9he.jar
    • Status: Orphaned
  8. tools/lib/saxon9-ant.jar
    • Fedora Package: saxon
    • JAR: /usr/share/java/saxon/saxon9-ant.jar
    • Status: Orphaned

It needs to be built from the source

  1. extensions/webhelpindexer.jar
    • Status: Not available in Fedora; needs source
  2. tools/lib/calabash.jar

Lupphes commented 2 months ago

Additionally, there are a few files that may also be packaged by accident:

slides/slidy/scripts/slidy.js.gz
roundtrip/template.dot

slides/slidy/graphics/nofold.bmp
slides/slidy/graphics/nofold-dim.bmp
slides/slidy/graphics/unfold.bmp
slides/slidy/graphics/fold-dim.bmp
slides/slidy/graphics/unfold-dim.bmp
slides/slidy/graphics/fold.bmp
doc/reference.txt.gz # Old release, probably already deleted

.bmp files, currently without a specified license, are used for howto documentation, such as the docbook-5.0/tools/db4-entities.pl script. Both of them should have their license verified.