On 21 January 2011 00:01, nicolas vigier <bo...@mars-attacks.org> wrote:
>> Shipping binary jars given by the upstream tarball causes trouble because you
>> 1) cannot patch them in case of bugs
>> 2) cannot see how and what was compiled
>>
>> That's not very free software friendly, and I think we should refuse
>> that.
>
> I've already seen, while trying to package Java apps, a jar being shipped,
> but sources not available anywhere on the internet, except after
> searching for a few hours on an old website on archive.org with a broken
> link to the sources zip, and developers not aware of the issue, because
> they never tried to find the sources, and always used this binary .jar
> they found on a random web site.

And they never thought about security...