Include a completely shaded Jython
dscho opened this issue · 4 comments
Let's use https://maven.apache.org/plugins/maven-shade-plugin/ to include a complete jython-standalone. That will finally take care of the many bug reports (none of whose reporters help us resolve the issue, of course).
It will distinctly not address the problem that Jython_Interpreter is still vulnerable. Oh well, I guess I will have to sink yet another week into finalizing the interpreter rewrite. Fun fun.
I think Jython_Interpreter will benefit from the fix, too, with no extra effort. The scheme I have in mind is to rewrite jython-standalone to have all of its dependencies shaded (i.e.: leaving org.python.* unshaded), similar to this description but with a limited inclusion pattern. Then we can upload that artifact as org.scijava:jython-scijava or some such, and use it as the dependency for this project (scripting-jython) as well as Jython_Interpreter, and ship it on the Fiji update site instead of jython-standalone.
> The scheme I have in mind is to rewrite jython-standalone to have all of its dependencies shaded (i.e.: leaving org.python.* unshaded), similar to this description but with a limited inclusion pattern.
The downside is that this involves a lot of manual labor, as opposed to simply including all of jython-standalone -- shaded -- into scripting-jython. If you think that it is still worth your time to do the former rather than the latter, who am I to stop you? ;-)