[bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable.

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable.

From:	Ludovic Courtès
Subject:	[bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable.
Date:	Wed, 03 Jun 2020 17:47:03 +0200
User-agent:	Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)

Hi Alexey,

Alexey Abramov <levenson@mmer.org> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:

[...]

>>> +             (let* ((module (string-append (getcwd) "/modules/web"))
>>> +                    (classes (string-append module 
>>> "/build/classes/java/main"))
>>> +                    (web-generated-headers (string-append module 
>>> "/build/generated-src/headers"))
>>> +                    (web-generated-classes '("com.sun.webkit.ContextMenu"
>>> +                                             
>>> "com.sun.webkit.ContextMenuItem"
>>> +                                             "com.sun.webkit.CursorManager"
>>
>> Perhaps add a comment explaining how you obtained this list of classes
>> so that our future selves know how to update it.
>>
>> Since this is a Web thing, could you check whether it contains pre-built
>> (“minified”) JavaScript?  If it does, that’s a problem because we
>> generally provide only software built from source.
>
> We build not only a web component here, but webkit as well. Webkit requires 
> some extra 3rd party libraries icu, libxml, libxslt and sqlite which are 
> already in openjfx source bundle. We also build them now.

Oh sorry, I had overlooked that and it’s problematic.

The policy in Guix is to not use bundled software: it’s a waste of
resources (especially for large pieces of software like WebKit), but
more importantly it’s a security issue (nobody will notice if
‘java-openjfx-web’ includes an outdated, vulnerable version of WebKit).

So the solution is to:

  1. Pass the relevant flags to tell the build system to use the
     “system” copies of these libraries.  If there’s no such flag, patch
     the build system to not try to build these things.

  2. Add a snippet to remove bundled copies of these libraries, to make
     sure they’re not picked up by mistake.

Sometimes it’s just a build flag, and sometimes it’s harder.  If it
turns out to be difficult, let us know, and perhaps we can find an
interim solution.

Could you take a look?  Let me know what you think!

Thanks,
Ludo’.

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable., Ludovic Courtès <=
- [bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable., Alexey Abramov, 2020/06/07

Prev by Date: [bug#41690] [PATCH 1/1] website: Add fetch methods to JSON sources and packages list.
Next by Date: [bug#41360] [PATCH v3 1/9] gnu: java-openjfx-build: Add helpful patch.
Previous by thread: [bug#41690] [PATCH 0/1] Add svn-multi, hg, url/{tarbomb, zipbomb} to {sources, packages}.json
Next by thread: [bug#41360] [PATCH 09/12] gnu: java-openjfx-web: Add new variable.
Index(es):
- Date
- Thread