[cross-project-issues-dev] A caution on signed/unsigned jars (especially from Orbit)


At the Orbit status call today, I drew the short straw to write this "caution" about some Orbit bundles.
(Which is only fair, since I brought it up :)

As everyone probably knows, some bundles are purposely distributed by multiple projects.

And, some projects sign their bundles, and some do not.

This combination gives rise to some cases where some bundles with identical names and versions
are distributed, but not quite identical ... the executable code is identical, but some are signed, some are not.

One example we noticed in WTP is javax.servlet.jsp ... the platform signs it, we in WTP do not.
The signed jars are slightly larger in size than their unsigned counterparts.

One reason this might be an issue is that signed jars can potentially have performance implications,
so could theoretically affect "final testing", or could affect "performance in the field", depending on what the user
ends up with in their installation.

Consumers of Europa should be aware of this, since it may affect how they want to "build" their
distributions. Typically people should keep a signed jar, if there is one, and not replace it with an unsigned jar.

I know the way I sometimes install is to unzip the platform, and then unzip WTP, saying to automatically replace
existing files (since otherwise I am prompted a number of times if I want to replace certain redundant
legal files ... which is a whole other bag of worms :). So ... I think from now on I will not do this automatic replacement!

There is no known "real" problem with this issue that we know of, but we thought it best to make everyone
aware of the issue, if you were not already.

For next release, I think we will all sign, and we will sign in Orbit, so should not be a problem then.
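A check for the situation the mail describes, added here as an example and not code from the original post or from the Orbit project: given two copies of a bundle jar with the same name and version, it compares the code entries (everything except the manifest and the signature entries that signing adds), reports whether each copy carries signature entries, and says which copy to keep. The `is_signed` check is structural only; validating the signature itself is what `jarsigner -verify` does. The jars and their contents are constructed placeholders, not real bundles.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
SIG_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")  # signature blocks jarsigner writes


def _is_sig_entry(name: str) -> bool:
    """True for META-INF/*.SF and META-INF/*.{RSA,DSA,EC} entries."""
    upper = name.upper()
    return upper.startswith("META-INF/") and upper.endswith((".SF",) + SIG_BLOCK_SUFFIXES)


def is_signed(jar_bytes: bytes) -> bool:
    """Structural check only (signature file plus block present); it does
    not validate the signature, which is what `jarsigner -verify` does."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        sig = [n.upper() for n in zf.namelist() if _is_sig_entry(n)]
    return any(n.endswith(".SF") for n in sig) and any(n.endswith(SIG_BLOCK_SUFFIXES) for n in sig)


def code_entries(jar_bytes: bytes) -> dict:
    """CRC per entry, ignoring the manifest and signature entries that signing adds or rewrites."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: i.CRC for i in zf.infolist()
                if i.filename.upper() != MANIFEST and not _is_sig_entry(i.filename)}


def choose(jar_a: bytes, jar_b: bytes) -> str:
    """'a' or 'b' names the copy to keep; 'either' if both are equivalent;
    'conflict' if the code itself differs and the jars must not be swapped blindly."""
    if code_entries(jar_a) != code_entries(jar_b):
        return "conflict"
    a_signed, b_signed = is_signed(jar_a), is_signed(jar_b)
    if a_signed != b_signed:
        return "a" if a_signed else "b"
    return "either"


def make_jar(signed: bool, payload: bytes = b"\xca\xfe\xba\xbe constructed") -> bytes:
    """Constructed sample jar, not a real bundle; signature entries are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\n")
        zf.writestr("javax/servlet/jsp/JspPage.class", payload)
        if signed:
            zf.writestr("META-INF/ECLIPSE.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/ECLIPSE.RSA", b"placeholder signature block")
    return buf.getvalue()
```

Run `choose` over the two copies of a duplicated bundle before letting an unzip overwrite the other; a "conflict" result means the copies are not the same code and deserve a closer look rather than a blind replace.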
