www-repository mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From robert burrell donkin <rdon...@apache.org>
Subject Re: maven2 based releases for the james project and ASF policy
Date Mon, 25 Sep 2006 19:10:34 GMT
On Mon, 2006-09-25 at 12:15 +0100, Steve Loughran wrote:
> On 25/09/06, Brett Porter <brett@apache.org> wrote:
> >
> > On 23/09/2006, at 10:31 PM, robert burrell donkin wrote:
> >
> > >
> > > perhaps (but then why not use standard jar signing...?)
> >
> > I pointed that out in the proposal - that can be used when suitable,
> > but the repository generally needs to be independent of Java solutions.
> 
> Java classloaders behave differently with signed jars, ways that are
> not fully compatible with the OSS ethos. Specifically, non-empty
> packages in signed JARs become sealed against classes/resources from
> other JARs not signed by the same signatory. So I'd lose my right to
> insert a new class into org.apache.log4J, org.apache.tools.ant.tasks,
> etc, not without stripping the signatures off the original JARs. You
> can already encounter this problem with Java1.4 and Xerces and our
> friend 'sealing violation'.

that's a good enough reason for me

- robert

Mime
View raw message