AW: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED

To: "Gabriele Giacone" <1o5g4r8o@gmail.com>, "Michael Tautschnig" <mt@debian.org>, "Florian Weimer" <fw@deneb.enyo.de>, "security@debian.org" <security@debian.org>, "Debian Security" <debian-security@lists.debian.org>, "Torsten Werner" <twerner@debian.org> , "Alexander Reichle-Schmehl" <tolimar@debian.org>
Cc: "Debian Java" <debian-java@lists.debian.org>, "Michael Koch" <konqueror@gmx.de>
Subject: AW: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
From: "Alexander Reichle-Schmehl" <alexander@schmehl.info>
Date: Mon, 5 Apr 2010 10:20:20 +0200
Message-id: <[🔎] 20100405082033.9F500846F69@melusine.alphascorpii.net>
Reply-to: "Alexander Reichle-Schmehl" <alexander@schmehl.info>
In-reply-to: <[🔎] 4BB8F651.2040902@gmail.com>

(Sorry for the TOFU Mail; send from my Handheld.)

Hi!

Again such a package will only be accepted, if the security team gave their okay, as it still might not solve their problem completely: If a security problem is found and fixed in bsh, does jedit need to be recompiled, too, to pick up the security patch applied to bsh?

Best regards,
Alexander

Gabriele Giacone <1o5g4r8o@gmail.com> schrieb am 04.04.2010 22:28:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ CC-ing debian-java and mkoch - bsh maintainers. This thread starts
from <4BB3CD1C.8000005@gmail.com> ]

On 04/03/2010 11:43 PM, Michael Tautschnig wrote:
>> * Gabriele Giacone:
>>
>>> For example openjdk-6-source: source code is in both orig tarball and
>>> openjdk-6-source binary package. This is a duplication, isn't it?
>>
>> First, the duplication refers to source packages.
Good, so my proposal below (bsh-src + patch) could be ok.

>> Second,
>> openjdk-6-source is like the emacs*-el packages, it provides IDE
>> navigation support.
>>
>>> Regarding jedit, what about adding the creation of bsh-src binary
>>> package, adding bsh-src to jedit's Build-Depends and applying jedit
>>> patch at build time?
>>
>> You could use reflection or AOP for that so that you don't need source
>> code at all.

IMHO this could be the best solution but I'm not a developer.

>> However, the correct way is to get the changes you need into the
>> upstream version, or adjust the client code. We do this for non-Java
>> code all the time.
>
> As I understood Gabriele, bsh is dead upstream, so it's actually up to Debian
> maintainers of bsh and Gabriele to sort that out, I guess. I haven't yet
> understood how intrusive that patch is, i.e., whether it breaks bsh core
> functionality or merely extends bsh. Gabriele? bsh maintainers?
Michael (mt), I pasted true changes (excluding references to
"org.gjt.sp.jedit.bsh" instead of "bsh", comments and some StringBuffer
that become StringBuilder) here [1].
Personally I wouldn't apply that changes to bsh sources to satisfy a
jedit-only need.

I would proceed in this way:
bsh: add bsh-src binary creation
jedit:
- - remove Debian bsh sources (added to the rejected package [2])
- - add bsh-src as builddep
- - apply jedit patch and build against patched bsh.
- - switch to "public" package like bsh so if someone wanted to
write a reflection/AOP patch, it would easily be done without asking.

Would it be rejected again?

Gabriele

[1] http://paste.debian.net/67419
[2]
http://mentors.debian.net/debian/pool/main/j/jedit/jedit_4.3.1+dfsg-1.dsc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAku49kYACgkQp3cdCbVcnCtqQwCg+GSyNP95pCMb2gx51Lydod5a
P1YAoMyl1YY/RB5OnVJzCqIAMOuvB+Gr
=OpiL
-----END PGP SIGNATURE-----

Reply to:

References:
- Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
  - From: Gabriele Giacone <1o5g4r8o@gmail.com>

Prev by Date: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
Next by Date: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
Previous by thread: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
Next by thread: Re: jedit_4.3.1+dfsg-1_amd64.changes REJECTED
Index(es):
- Date
- Thread