GNU bug report logs - #41360
[PATCH 00/12] Package java-openjfx


Package: guix-patches

Reported by: Alexey Abramov <levenson <at> mmer.org>

Date: Sun, 17 May 2020 13:30:02 UTC

Severity: normal

Tags: patch



Message #116 received at 41360 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Alexey Abramov <levenson <at> mmer.org>
Cc: 41360 <at> debbugs.gnu.org
Subject: Re: [bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable.
Date: Wed, 03 Jun 2020 17:47:03 +0200

Hi Alexey,

Alexey Abramov <levenson <at> mmer.org> skribis:

> Ludovic Courtès <ludo <at> gnu.org> writes:

[...]

>>> +             (let* ((module (string-append (getcwd) "/modules/web"))
>>> +                    (classes (string-append module "/build/classes/java/main"))
>>> +                    (web-generated-headers (string-append module "/build/generated-src/headers"))
>>> +                    (web-generated-classes '("com.sun.webkit.ContextMenu"
>>> +                                             "com.sun.webkit.ContextMenuItem"
>>> +                                             "com.sun.webkit.CursorManager"
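
Review bot: the hand-written `web-generated-classes` list beginning with "com.sun.webkit.ContextMenu" carries no comment on where the class names come from, so whoever updates the package has no way to tell whether it is still complete; add a comment above the binding giving the procedure used to derive it, or compute the list from the source tree at build time. The `web-generated-headers` binding also runs past 80 columns and can be broken after `string-append`, and since `module` is built from `(getcwd)` it is worth stating which directory this phase is expected to run in.
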
>>
>> Perhaps add a comment explaining how you obtained this list of classes
>> so that our future selves know how to update it.
>>
>> Since this is a Web thing, could you check whether it contains pre-built
>> (“minified”) JavaScript?  If it does, that’s a problem because we
>> generally provide only software built from source.
>
> We build not only a web component here, but webkit as well. Webkit requires some extra 3rd party libraries icu, libxml, libxslt and sqlite which are already in openjfx source bundle. We also build them now.

Oh sorry, I had overlooked that and it’s problematic.

The policy in Guix is to not use bundled software: it’s a waste of
resources (especially for large pieces of software like WebKit), but
more importantly it’s a security issue (nobody will notice if
‘java-openjfx-web’ includes an outdated, vulnerable version of WebKit).

So the solution is to:

  1. Pass the relevant flags to tell the build system to use the
     “system” copies of these libraries.  If there’s no such flag, patch
     the build system to not try to build these things.

  2. Add a snippet to remove bundled copies of these libraries, to make
     sure they’re not picked up by mistake.

Sometimes it’s just a build flag, and sometimes it’s harder.  If it
turns out to be difficult, let us know, and perhaps we can find an
interim solution.

Could you take a look?  Let me know what you think!

Thanks,
Ludo’.
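
A check that step 2 above took effect, as an added example that is not part of the original message or of Guix: it walks an unpacked source tree and reports directories that still hold marker files of the four libraries named in the thread. The marker file names and the sample tree layout are assumptions of this example, not OpenJFX's actual paths.

```python
import os
import tempfile
from pathlib import Path

# Assumption of this example: file names that the upstream source trees of
# these libraries carry. Extend the sets for other bundled dependencies.
MARKERS = {
    "icu": {"uvernum.h"},
    "libxml": {"xmlversion.h", "xmlversion.h.in"},
    "libxslt": {"xsltInternals.h"},
    "sqlite": {"sqlite3.c", "sqlite3.h"},
}


def find_bundled(root):
    """Return {library: sorted relative dirs} for marker files found under root."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        for lib, markers in MARKERS.items():
            if names & markers:
                hits.setdefault(lib, []).append(os.path.relpath(dirpath, root))
    return {lib: sorted(dirs) for lib, dirs in hits.items()}


def make_sample_tree(root, strip=()):
    """Write a constructed source tree; 'strip' mimics what a snippet deletes."""
    layout = {  # constructed paths, not the real OpenJFX layout
        "icu": "third_party/icu/common/unicode/uvernum.h",
        "sqlite": "third_party/sqlite/sqlite3.c",
        "libxml": "third_party/libxml/include/libxml/xmlversion.h",
        "app": "src/main.c",
    }
    for name, path in layout.items():
        if name not in strip:
            full = Path(root, path)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text("/* constructed sample */\n")


def demo():
    """Scan the sample tree before and after the bundled copies are removed."""
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        make_sample_tree(before)
        make_sample_tree(after, strip=("icu", "sqlite", "libxml"))
        return find_bundled(before), find_bundled(after)


if __name__ == "__main__":
    print(demo())
```

An empty result on the post-snippet tree is the condition to require before building; any remaining hit names a directory the snippet missed.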




This bug report was last modified 2 years and 278 days ago.
