nmap: package-installs-java-bytecode
Lukas Schwaighofer
lukas at schwaighofer.name
Tue Sep 26 20:19:42 UTC 2017
Hi Hilko,
nmap-common includes two .java files, along with their .class files.
These class files are now flagged by the newly added lintian tag
package-installs-java-bytecode [1].
I believe nmap's use case is quite special: The class files are used
by the NSE script "jdwp-inject" and intended to be executed remotely
(if the injection succeeds). Therefore I think the fact that we are
shipping the class files (and not jar archives) by itself is fine.
However, if I read the java policy correctly, any .class files shipped
by upstream must be removed (even from the source package). That gives
us two choices:
* not ship the class files at all; the included README explains how to
create them
* build-depend on default-jdk and re-create the class files when
building the package
- we still need to override the lintian tag in that case and should
probably also ask debian-java at lists.debian.org if they are fine
with that as per java policy
What do you think?
Regards
Lukas
[1] https://lintian.debian.org/tags/package-installs-java-bytecode.html
More information about the Pkg-security-team
mailing list