[Mageia-dev] Java-Policy first draft published
misc at zarb.org
Fri Jan 21 16:14:39 CET 2011
On Fri, Jan 21, 2011 at 10:06:21AM +0100, Thierry Vignaud wrote:
> On 21 January 2011 00:01, nicolas vigier <boklm at mars-attacks.org> wrote:
> >> Shipping binary jar given by upstream tarball causes trouble because you
> >> 1) cannot patch them in case of bug
> >> 2) cannot see how and what was compiled
> >> That's not very free software friendly, and I think we should refuse
> >> that.
> > I've already seen while trying to package Java apps, a jar being shipped,
> > but sources not available anywhere on the internet, except after
> > searching for a few hours on an old website on archive.org with a broken
> > link to the sources zip, and developers not aware of the issue, because
> > they never tried to find the sources, and always used this binary .jar
> > they found on a random web site.
> And they never thought about security...
Security is not a problem, it is Java, no null pointer exception /o\.
But that's not only security, there are simply bugs that happen, and API
problems (that IMHO happen more often than security issues).