gump-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Wilkins <>
Subject Re: Favor for the Gump Project
Date Tue, 19 Oct 2004 22:27:29 GMT


No problem applying that patch, as it just makes sealing configurable.

But I'm curious as to why you are getting this problem?   The servlet
classes should not be in the org.mortbay.jetty.jar file.  They should
only be in javax.servlet.jar.   If you have multiple sources of the 
servlet API, then perhaps it would be best to somehow only include
one of them.  The Jetty servlet API files are taken directly from the
apache geronimo project.

Eitherway, we will commit this patch shortly.


Stefano Mazzocchi wrote:
> Greg,
> I'm writing you on behalf of Gump ( the continous 
> integration tool that the ASF runs to understand project dependencies 
> issues.
> As you might know, Jetty is required to build some of the ASF project 
> and we recently found out (with not ease of pain!) that jetty is causing 
> a little problem with the fact that it's 'sealing' the jars that it 
> produces.
> For example, if you take a look here:
> you'll see that the 20 projects are prevented from building because the 
> cactus-framework depends on jetty *and* on the servlet API *and* the ant 
> build file for cactus-framework checks for the availability of the 
> servlet API 2.4, resulting in the servlet API classes to be loaded both 
> from the jetty.jar and from the servlet-api.jar, but since jetty.jar is 
> sealed, a security violation is thrown!
> Now, Gump, as a practice, does *NOT* ask projects to change their 
> descriptors for him, but we believe that it would be enough to apply the 
> following patch
> 15:31:49.000000000 -0700
> @@ -220,7 +220,7 @@
>      <jar jarfile="${servlet.jar}" basedir="${classes}" >
>         <include name="javax/servlet/**" />
>         <manifest>
> -         <attribute name="Sealed" value="true"/>
> +         <attribute name="Sealed" value="${jar.sealed}"/>
>           <attribute name="Built-By" value="${}"/>
>           <attribute name="Specification-Title" value="Java API for 
> Servlets"/>
>           <attribute name="Specification-Version" value="2.4"/>
> @@ -237,7 +237,7 @@
>    <target name="jetty.jar" depends="classes,servlet.jar" >
>      <jar jarfile="${jetty.jar}">
>         <manifest>
> -         <attribute name="Sealed" value="true"/>
> +         <attribute name="Sealed" value="${jar.sealed}"/>
>           <attribute name="Built-By" value="${}"/>
>           <attribute name="Specification-Version" 
> value="${RELEASE.MAJOR}"/>
>           <attribute name="Implementation-Version" 
> value="${RELEASE.MAJOR.MINOR}"/>
> so that "jar sealing" could be turned on and off at need.
> We deeply apologize for the incovenience and we realize it's none of 
> your concern if gump builds or not, but this very simple patch would 
> help up a great deal.
> Thanks for your understanding.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message