Bug#738583: libcglib-java - Uses jarjar without proper copyright or Built-Using
Emmanuel Bourg
ebourg at apache.org
Tue Feb 11 22:56:33 UTC 2014
Le 11/02/2014 21:22, Bastian Blank a écrit :
> Have you talked to the security team about this? Where does Debian ship
> different versions of asm?
Debian has four versions of asm. Each version is incompatible with the
previous one, and they share the same namespace (org.objectweb.asm.*).
That means two versions can't coexist safely in the same classpath, this
is guaranteed to break at runtime. That's why widely used libraries like
cglib relocate the asm classes under a different namespace to avoid
conflicts (net.sf.cglib.asm.*).
I'm not sure to see why the security team would care about this though.
Emmanuel Bourg
More information about the pkg-java-maintainers
mailing list