Re: [orbit-dev] Add versions without CVEs?

Hi Roland-

The first change request is taking longer than expected, but I'm still working on it!
I started with adding dom4j 2.1.1 because I thought it would be straightforward, considering that dom4j 1.6.1 is already present.
However, I'm having a bit of trouble and hope you can give me some guidance.

I am following the steps here: https://wiki.eclipse.org/Orbit/Adding_Bundles_To_Orbit_In_5_Minutes
And referring here for details: https://wiki.eclipse.org/Orbit/Adding_Bundles_to_Orbit

After cloning the repo, I ran the following command in orbit-recipes/xml:
mvn org.eclipse.ebr:ebr-maven-plugin:create-recipe -DartifactId=dom4j -DgroupId=org.dom4j -Dversion=2.1.1 -DbundleSymbolicName=org.dom4j

This succeeded in generating the project, but there are some differences between 2.1.1 and 1.6.1 that I am unsure about.

xml/org.dom4j_2.1.1/src/main/resources/about_files/about_files/license
The license file is named "BSD_3-CLAUSE_NEW_LICENSE.html" and contains the contents from https://github.com/dom4j/dom4j/blob/master/LICENSE.
That is, it includes all of the contents of the web page including all of the github framing.
This is because https://github.com/dom4j/dom4j/blob/master/LICENSE is listed in the dom4j 2.1.1 pom.
Should I keep it as is, rename it to License.html leaving contents alone, replace the entire file with raw LICENSE file or something else?
I am guessing it is not very important as long as the license contents are there and readable.

xml/org.dom4j_2.1.1/pom.xml
Of course there are expected differences due to version.
The generated name is dom4j instead of DOM4J - is that ok or does it need to match the 1.6.1 name?
The recipe.excludes property is missing - I assume this was added manually and I should add it as well?

xml/org.dom4j_2.1.1/osgi.bnd
Export-Package has some extra lines:
*.implementation.*;x-internal:=true;version="${package-version}", \
 *.impl.*;x-internal:=true;version="${package-version}", \
With regard to dependencies, dom4j 2.1.1 lists several optional dependencies with <scope>runtime</scope>.
Should I add these to osgi.bnd Import-Package?
How do I map the maven coordinates from https://search.maven.org/artifact/org.dom4j/dom4j/2.1.1/jar to package ids?

For future reference, would you prefer that I just open a change request and discuss this there?
Or is it ok to ask questions like this on orbit-dev?

Thanks!
Tony

P.S. Some other details about issues I ran into.
I had some trouble with getting ebr set up.
I worked around all of the issues but thought I would mention what happened.
I am on Ubuntu 18.04 and the latest maven available is 3.5.2-2, but ebr wants 3.5.3.
I had a few other issues with building ebr which I was able to work around by skipping tests and/or commenting out test modules or plugins like spotbugs.
Finally ebr built and installed.

After that I tried to do 'mvn ebr:create-recipe' but got a "no plugin found for prefix 'ebr'" error.
I worked around this by using explicit coordinates.

Another issue I ran into is that ebr does not support proxy when retrieving the license file - I'm behind a corporate proxy.
I hacked in some hard-coded support for my proxy to get around this, but I suppose I could just manually copy it (as suggested by the error message).


On 2/12/19, 3:48 PM, "Homer, Tony" <tony.homer@xxxxxxxxx> wrote:

    >> For the orbit changes I would like to submit, how should I do this?
    I believe I found the answers needed for this.
    I added an ssh key to my profile for eclipse git.
    I cloned the repo and am following the instructions on the wiki to build it and add a new bundle.
    Currently I am a bit hung up with ebr, but I know how to fix it.
    I expect to finish setting my build environment up tomorrow and hope to submit a change request tomorrow.
    The first change will be to add dom4j 2.1.1 because I can use dom4j 1.6.1 for reference.
    
    Tony
    
    On 2/12/19, 1:06 PM, "Homer, Tony" <tony.homer@xxxxxxxxx> wrote:
    
        Hi Roland-
        
        I imagine you are referring to docker-client.
        In our product, we depend on this also and for the same CVE response exercise we needed to update to a newer version than what is available in Orbit.
        Actually we had to fork docker-client because some of the dependencies in the latest version have CVEs.
        It was a pain, but using your changes in linuxtools was a big help - thanks for that!
        I plan to open some tickets with docker-client so that we can start depending on upstream again.
        Anyway, that is a different topic!
        
        For the orbit changes I would like to submit, how should I do this?
        I have a CLA on file - I suppose I should be able to push to the repo, so I will try it.
        
        Tony
        
        On 2/12/19, 6:50 AM, "orbit-dev-bounces@xxxxxxxxxxx on behalf of Roland Grunberg" <orbit-dev-bounces@xxxxxxxxxxx on behalf of rgrunber@xxxxxxxxxx> wrote:
        
            Hello Tony,
            
            The change is definitely wanted. In fact a plugin I help maintain has transitive
            dependencies to the Jackson stack, and even the upstream for that has moved
            to 2.9.8. If 2.9.2 -> 2.9.8 are merely security fixes (as the version would imply)
            then it shouldn't be too complicated. However I haven't had too much time to
            look at this, and I'm not sure if I'll get that much more.
            
            Also, we do have commons-compress 1.18.0 since 2018-12, so I guess what
            you're really requesting here is the removal of all the bundles below that to
            prevent usage of it in future releases.
            
            We could easily review/accept contributions that stay under 1000 LOC. I think
            this is possible if the Jackson 2.9.2 is modified to 2.9.8. If it gets to be over that
            amount, we would likely need to file a CQ. If you'd like to submit a contribution,
            that sounds good, and I can maybe find the time to review. I'll also need to file
            some CQs for the updated bundles.
            
            Cheers,
            Roland Grunberg
            _______________________________________________
            orbit-dev mailing list
            orbit-dev@xxxxxxxxxxx
            To change your delivery options, retrieve your password, or unsubscribe from this list, visit
            https://www.eclipse.org/mailman/listinfo/orbit-dev
            
        
        
    
    
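For the osgi.bnd questions in the thread above (which Java packages a jar actually provides, and the x-internal markers on *.impl.* and *.implementation.* in the generated Export-Package), here is an added helper. It is not part of this thread, of the Orbit recipes, or of the ebr tooling. It lists the packages that contain .class files in a jar and emits Export-Package lines in the style of the generated recipe. The sample jar is constructed inline with a dom4j-like layout, the ".impl."/".implementation." substring check is an approximation of bnd's wildcard patterns, and the script does not resolve Maven dependencies, so it does not produce Import-Package entries for the optional runtime dependencies.

```python
import io
import sys
import zipfile


def packages_in_jar(jar_bytes):
    """Return the sorted list of Java package names that hold .class files.

    Entries under META-INF/ and classes in the default package are skipped,
    because neither can be exported as an OSGi package.
    """
    pkgs = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class") or name.startswith("META-INF/"):
                continue
            if "/" not in name:
                continue  # default package
            pkgs.add(name.rsplit("/", 1)[0].replace("/", "."))
    return sorted(pkgs)


def export_package_entries(packages, internal_markers=(".impl.", ".implementation.")):
    """Build Export-Package lines like the generated osgi.bnd.

    Packages matching one of the markers (an approximation of bnd's
    ``*.impl.*`` / ``*.implementation.*`` wildcards) are flagged x-internal.
    """
    lines = []
    for pkg in packages:
        attrs = 'version="${package-version}"'
        if any(marker in pkg + "." for marker in internal_markers):
            attrs = "x-internal:=true;" + attrs
        lines.append(f"{pkg};{attrs}")
    return lines


def build_sample_jar(class_paths):
    """Construct an in-memory jar holding placeholder class files (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for path in class_paths:
            # Only the class-file magic number; the contents are irrelevant here.
            zf.writestr(path, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed sample mimicking a dom4j-style package layout; not the real jar.
SAMPLE_CLASSES = [
    "org/dom4j/Document.class",
    "org/dom4j/io/SAXReader.class",
    "org/dom4j/impl/Helper.class",
    "Top.class",  # default package, ignored
]


def main(argv):
    # Pass a jar path to inspect a real file; otherwise use the constructed sample.
    jar_bytes = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_jar(SAMPLE_CLASSES)
    pkgs = packages_in_jar(jar_bytes)
    print("Export-Package: \\")
    for line in export_package_entries(pkgs):
        print(f" {line}, \\")


if __name__ == "__main__":
    main(sys.argv)
```

Running the script with no argument prints the Export-Package block for the constructed sample; passing the path of a downloaded jar (for example the dom4j 2.1.1 artifact from Maven Central) lists that jar's packages instead, which is a quick way to cross-check the generated osgi.bnd before pushing a recipe.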