gump-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Bartel <j...@mortbay.com>
Subject Re: Favor for the Gump Project
Date Thu, 21 Oct 2004 02:31:44 GMT
Well actually, the real cause is likely to be that the 
org.mortbay.jetty.jar puts the (sealed) javax.servlet.jar on the 
Classpath: entry of it's Manifest file.  That's the only way the sealed 
servlet jar could get into the Gump build.

If we took out that Classpath: entry, then the problem should go away. I 
don't think Jetty relies on that Classpath: entry anyway.

Jan

Greg Wilkins wrote:
> 
> Stefano,
> 
> No problem applying that patch, as it just makes sealing configurable.
> 
> But I'm curious as to why you are getting this problem?   The servlet
> classes should not be in the org.mortbay.jetty.jar file.  They should
> only be in javax.servlet.jar.   If you have multiple sources of the 
> servlet API, then perhaps it would be best to somehow only include
> one of them.  The Jetty servlet API files are taken directly from the
> apache geronimo project.
> 
> Eitherway, we will commit this patch shortly.
> 
> cheers
> 
> 
> Stefano Mazzocchi wrote:
> 
>> Greg,
>>
>> I'm writing you on behalf of Gump (http://gump.apache.org) the 
>> continous integration tool that the ASF runs to understand project 
>> dependencies issues.
>>
>> As you might know, Jetty is required to build some of the ASF project 
>> and we recently found out (with not ease of pain!) that jetty is 
>> causing a little problem with the fact that it's 'sealing' the jars 
>> that it produces.
>>
>> For example, if you take a look here:
>>
>>   http://brutus.apache.org/gump/test/project_todos.html
>>
>> you'll see that the 20 projects are prevented from building because 
>> the cactus-framework depends on jetty *and* on the servlet API *and* 
>> the ant build file for cactus-framework checks for the availability of 
>> the servlet API 2.4, resulting in the servlet API classes to be loaded 
>> both from the jetty.jar and from the servlet-api.jar, but since 
>> jetty.jar is sealed, a security violation is thrown!
>>
>> Now, Gump, as a practice, does *NOT* ask projects to change their 
>> descriptors for him, but we believe that it would be enough to apply 
>> the following patch
>>
>> 15:31:49.000000000 -0700
>> @@ -220,7 +220,7 @@
>>      <jar jarfile="${servlet.jar}" basedir="${classes}" >
>>         <include name="javax/servlet/**" />
>>         <manifest>
>> -         <attribute name="Sealed" value="true"/>
>> +         <attribute name="Sealed" value="${jar.sealed}"/>
>>           <attribute name="Built-By" value="${user.name}"/>
>>           <attribute name="Specification-Title" value="Java API for 
>> Servlets"/>
>>           <attribute name="Specification-Version" value="2.4"/>
>> @@ -237,7 +237,7 @@
>>    <target name="jetty.jar" depends="classes,servlet.jar" >
>>      <jar jarfile="${jetty.jar}">
>>         <manifest>
>> -         <attribute name="Sealed" value="true"/>
>> +         <attribute name="Sealed" value="${jar.sealed}"/>
>>           <attribute name="Built-By" value="${user.name}"/>
>>           <attribute name="Specification-Version" 
>> value="${RELEASE.MAJOR}"/>
>>           <attribute name="Implementation-Version" 
>> value="${RELEASE.MAJOR.MINOR}"/>
>>
>> so that "jar sealing" could be turned on and off at need.
>>
>> We deeply apologize for the incovenience and we realize it's none of 
>> your concern if gump builds or not, but this very simple patch would 
>> help up a great deal.
>>
>> Thanks for your understanding.
>>
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@gump.apache.org
For additional commands, e-mail: general-help@gump.apache.org


Mime
View raw message