diff --git a/.gitignore b/.gitignore
index b4bfa2e..25135ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@ xalan-j_2_7_1-src.tar.gz
 /serializer-2.7.1.pom
 /xalan-2.7.1.pom
 /xsltc-2.7.1.pom
+/xalan-j2-2.7.1.tar.gz
diff --git a/generate-tarball.sh b/generate-tarball.sh
new file mode 100755
index 0000000..bee814c
--- /dev/null
+++ b/generate-tarball.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -e
+
+name=xalan-j2
+version="$(sed -n 's/Version:\s*//p' *.spec)"
+
+# RETRIEVE
+wget "http://archive.apache.org/dist/xml/xalan-j/xalan-j_${version//./_}-src.tar.gz" -O "${name}-${version}.orig.tar.gz"
+
+rm -rf tarball-tmp
+mkdir tarball-tmp
+cd tarball-tmp
+tar xf "../${name}-${version}.orig.tar.gz"
+
+# CLEAN TARBALL
+find -name '*.jar' -delete
+find -name '*.class' -delete
+rm */src/*.tar.gz
+
+tar cf "../${name}-${version}.tar.gz" *
+cd ..
+rm -r tarball-tmp "${name}-${version}.orig.tar.gz"
diff --git a/sources b/sources
index 183e10d..cfbfa6a 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,4 @@
-3461365d8636e454f73e14884c3f8692  xalan-j2-notarget.patch
-fc805051f0fe505c7a4b1b5c8db9b9e3  xalan-j_2_7_1-src.tar.gz
-982e76686b5205871877ddc5f1406dfe  serializer-2.7.1.pom
-007fd1a7f92ad9df04af5235fc2ed5f0  xalan-2.7.1.pom
-422e0e6e9ab48831f2a38e72a4fbbe75  xsltc-2.7.1.pom
+SHA512 (xalan-j2-2.7.1.tar.gz) = 695d3dd18974e0041a398774106ff2cf76435b1827e2c698036d6384cabbe8811e3045fb8ea115bf15f91136af1b56617cac647e06d25ced07b9e1e880714552
+SHA512 (xalan-2.7.1.pom) = 70ac6007b72674ddc861e73bd5c84732fefc71b7e60ed4030066d2ebc6367fa2ba4dda064b369544b70bd329a04e4b79c13e73f136710b2adf2a6616ce72bb03
+SHA512 (serializer-2.7.1.pom) = 910c397021681d4b3617a99cf5639e449bb8964c3ea81d3c03d0df1d6054c04ceb5ffcc9d0fd4201dfaa348fad4581449dd720d5a85b99c61b415c332dd4222c
+SHA512 (xsltc-2.7.1.pom) = a4cc7c36ea6cb37ffde9cf1b5e661aa82803b12ed51dd6ade70d52d7f33d0191ee66d6a9d7688b1119dcafd07c4e0aa0af6cb3be355b6e8a30ee8e1f7e2aa94d
diff --git a/xalan-j2.spec b/xalan-j2.spec
index 790a3bf..32efbef 100644
--- a/xalan-j2.spec
+++ b/xalan-j2.spec
@@ -32,18 +32,22 @@
 
 Name:           xalan-j2
 Version:        2.7.1
-Release:        35%{?dist}
+Release:        36%{?dist}
 Epoch:          0
 Summary:        Java XSLT processor
 # src/org/apache/xpath/domapi/XPathStylesheetDOM3Exception.java is W3C
 License:        ASL 2.0 and W3C
 URL:            http://xalan.apache.org/
-Source0:        http://archive.apache.org/dist/xml/xalan-j/xalan-j_2_7_1-src.tar.gz
+
+# ./generate-tarball.sh
+Source0:        %{name}-%{version}.tar.gz
 Source1:        %{name}-serializer-MANIFEST.MF
 Source2:        http://repo1.maven.org/maven2/xalan/xalan/2.7.1/xalan-2.7.1.pom
 Source3:        http://repo1.maven.org/maven2/xalan/serializer/2.7.1/serializer-2.7.1.pom
 Source4:        xsltc-%{version}.pom
 Source5:        %{name}-MANIFEST.MF
+# Remove bundled binaries which cannot be easily verified for licensing
+Source6:        generate-tarball.sh
 
 Patch0:         %{name}-noxsltcdeps.patch
 # Fix CVE-2014-0107: insufficient constraints in secure processing
@@ -115,11 +119,6 @@ Demonstrations and samples for %{name}.
 find . -name '*.jar' -delete
 find . -name '*.class' -delete
 
-# this tar.gz contains bundled software, some of which has unclear
-# licensing terms (W3C Software/Document license) . We could probably
-# replicate this with our jars but it's too much work so just generate
-# non-interlinked documentation
-rm src/*tar.gz
 sed -i '/<!-- Expand jaxp sources/,/<delete file="${xml-commons-srcs.tar}"/{d}' build.xml
 
 # Remove classpaths from manifests
@@ -209,6 +208,9 @@ mv %{_javadir}/jaxp_transform_impl.jar{.tmp,} || :
 %{_datadir}/%{name}
 
 %changelog
+* Tue Jul 31 2018 Michael Simacek <msimacek@redhat.com> - 0:2.7.1-36
+- Repack the tarball without binaries
+
 * Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0:2.7.1-35
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild