Re: [orbit-dev] Add versions without CVEs?

>> For the orbit changes I would like to submit, how should I do this?
I believe I found the answers needed for this.
I added an ssh key to my profile for eclipse git.
I cloned the repo and am following the instructions on the wiki to build it and add a new bundle.
Currently I am a bit hung up with ebr, but I know how to fix it.
I expect to finish setting my build environment up tomorrow and hope to submit a change request tomorrow.
The first change will be to add dom4j 2.1.1 because I can use dom4j 1.6.1 for reference.

Tony

On 2/12/19, 1:06 PM, "Homer, Tony" <tony.homer@xxxxxxxxx> wrote:

    Hi Roland-
    
    I imagine you are referring to docker-client.
    In our product, we depend on this also and for the same CVE response exercise we needed to update to a newer version than what is available in Orbit.
    Actually we had to fork docker-client because some of the dependencies in the latest version have CVEs.
    It was a pain, but using your changes in linuxtools was a big help - thanks for that!
    I plan to open some tickets with docker-client so that we can start depending on upstream again.
    Anyway, that is a different topic!
    
    For the orbit changes I would like to submit, how should I do this?
    I have a CLA on file - I suppose I should be able to push to the repo, so I will try it.
    
    Tony
    
    On 2/12/19, 6:50 AM, "orbit-dev-bounces@xxxxxxxxxxx on behalf of Roland Grunberg" <orbit-dev-bounces@xxxxxxxxxxx on behalf of rgrunber@xxxxxxxxxx> wrote:
    
        Hello Tony,
        
        The change is definitely wanted. In fact a plugin I help maintain has transitive
        dependencies to the Jackson stack, and even the upstream for that has moved
        to 2.9.8. If 2.9.2 -> 2.9.8 are merely security fixes (as the version would imply)
        then it shouldn't be too complicated. However I haven't had too much time to
        look at this, and I'm not sure if I'll get that much more.
        
        Also, we do have commons-compress 1.18.0 since 2018-12, so I guess what
        you're really requesting here is the removal of all the bundles below that to
        prevent usage of it in future releases.
        
        We could easily review/accept contributions that stay under 1000 LOC. I think
        this is possible if the Jackson 2.9.2 is modified to 2.9.8. If it gets to be over that
        amount, we would likely need to file a CQ. If you'd like to submit a contribution,
        that sounds good, and I can maybe find the time to review. I'll also need to file
        some CQs for the updated bundles.
        
        Cheers,
        Roland Grunberg
        _______________________________________________
        orbit-dev mailing list
        orbit-dev@xxxxxxxxxxx
        To change your delivery options, retrieve your password, or unsubscribe from this list, visit
        https://www.eclipse.org/mailman/listinfo/orbit-dev
        
    
    
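Roland's suggestion that the bundles below commons-compress 1.18.0 be removed, and the Jackson 2.9.2 -> 2.9.8 move, both come down to the same check: find every bundle in a target platform whose Bundle-Version is older than a required minimum, comparing versions the OSGi way (numeric major.minor.micro, then a string qualifier) rather than as plain strings, where "1.18.0" would sort below "1.9.0". The script below is an added example, not code from the Orbit project or from anyone in this thread. The manifest fragments are constructed for illustration; the symbolic names and the minimum-version table are assumptions, with only the version numbers taken from the thread.

```python
"""Flag OSGi bundles whose Bundle-Version is below a required minimum.

Added example, not Orbit project code. Bundle names and manifests below are
constructed; a real run would read MANIFEST.MF from each bundle jar.
"""

import re
from typing import Dict, List, Tuple

# Assumed policy table: symbolic name -> lowest acceptable version.
# The version numbers come from the thread; the names are assumptions.
MIN_VERSIONS: Dict[str, str] = {
    "com.fasterxml.jackson.core.jackson-databind": "2.9.8",
    "org.apache.commons.compress": "1.18.0",
}

# Constructed MANIFEST.MF fragments standing in for a target platform.
SAMPLE_MANIFESTS: List[str] = [
    "Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-databind\n"
    "Bundle-Version: 2.9.2.v20171018-1233\n",
    "Bundle-SymbolicName: com.fasterxml.jackson.core.jackson-databind\n"
    "Bundle-Version: 2.9.8.v20190124-2200\n",
    "Bundle-SymbolicName: org.apache.commons.compress;singleton:=true\n"
    "Bundle-Version: 1.18.0.v20181205-1900\n",
    "Bundle-SymbolicName: org.apache.commons.compress\n"
    "Bundle-Version: 1.9.0\n",
]

# (major, minor, micro, qualifier); tuples compare numerically first, which is
# what makes 1.18.0 > 1.9.0 even though "1.18.0" < "1.9.0" as strings.
Version = Tuple[int, int, int, str]

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.([A-Za-z0-9_-]+))?")


def parse_version(text: str) -> Version:
    """Parse an OSGi version 'major[.minor[.micro[.qualifier]]]'."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not an OSGi version: {text!r}")
    major, minor, micro, qualifier = m.groups()
    return (int(major), int(minor or 0), int(micro or 0), qualifier or "")


def parse_manifest(text: str) -> Tuple[str, str]:
    """Return (symbolic name, raw Bundle-Version) from a manifest fragment."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    # Bundle-SymbolicName may carry directives after ';' (e.g. singleton:=true).
    name = headers["Bundle-SymbolicName"].split(";", 1)[0].strip()
    return name, headers.get("Bundle-Version", "0.0.0")


def below_minimum(manifests: List[str], minimums: Dict[str, str]) -> List[Tuple[str, str]]:
    """List (name, version) for bundles older than their required minimum.

    Only major.minor.micro is compared; the qualifier (build timestamp) is
    ignored so that 2.9.8.v2019... satisfies a 2.9.8 minimum.
    """
    stale = []
    for text in manifests:
        name, raw = parse_manifest(text)
        if name not in minimums:
            continue
        if parse_version(raw)[:3] < parse_version(minimums[name])[:3]:
            stale.append((name, raw))
    return stale


if __name__ == "__main__":
    for name, version in below_minimum(SAMPLE_MANIFESTS, MIN_VERSIONS):
        print(f"below minimum: {name} {version} (need {MIN_VERSIONS[name]})")
```

On the constructed input this reports the Jackson 2.9.2 bundle and commons-compress 1.9.0 and accepts the 2.9.8 and 1.18.0 ones. Dropping the qualifier from the comparison is deliberate: Orbit re-builds carry a date qualifier that says nothing about which upstream fixes are included.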