Maxime Devos wrote on Fri 18-03-2022 at 21:07 [+0100]:
> I've been reading the source code, not seeing anything
> ‘suspicious’ (malware etc.) so far (I'm currently at
> xalan-j_2_7_2/src/org/apache/xalan/templates/FuncKey.java, 25%).

Now I'm at 42% (src/org/apache/xalan/xsltc/compiler/XPathLexer.java).
I've found two binaries (*):

  * src/org/apache/xalan/xsltc/compiler/XPathLexer.java
  * src/org/apache/xalan/xsltc/compiler/XPathParser.java

They appear to be generated by a lexer and parser generator -- apparently
it's named ‘java_cup’? Given that they are in the 'xsltc' part, which is
currently unused in the java-xalan package IIUC, I believe it would be
sufficient to just delete these two files.

(*) Here I mean 'binaries'='generated, not source code' -- it's still .java
and not .class.

Greetings,
Maxime.