Re: [orbit-dev] switch from com.spotify.docker.client to org.mandas.docker.client
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Fri, 17 Jan 2020 17:43:46 +0000

> Yes, because we're now replacing it with an "updated" version. Those wishing to continue using the older bundle, which depends on vulnerable libraries could technically just use an older release build.

Would this apply to dependencies which are being updated as well? I think we discussed this at EclipseCon and IIRC, you said that we should only keep the newest minor version (in some cases we may keep several major versions, e.g., JUnit 4 and 5). For one example, Orbit currently provides org.slf4j.api 1.7.2 and 1.7.10. I propose that we add 1.7.29. Would we remove both 1.7.2 and 1.7.10? In other words, would the general guide be to remove all of the old minor versions when we add an update to a newer minor version?

On 1/17/20, 9:29 AM, "Homer, Tony" <tony.homer@xxxxxxxxx> wrote:

    Thanks for the feedback and guidance, Roland and Matthias!
    
    I was planning on using ebr to generate the first draft of the recipes and then use a diff tool to compare with the old version with an eye to merging the old osgi.bnd into the new, so thanks for confirming that is the way to go, Roland!
    
    I will send a message to cross-project-issues with a brief summary of the background and the proposed change including the list of dependency changes, then get started on the change requests.
    
    Tony
    
    On 1/17/20, 8:28 AM, "orbit-dev-bounces@xxxxxxxxxxx on behalf of Roland Grunberg" <orbit-dev-bounces@xxxxxxxxxxx on behalf of rgrunber@xxxxxxxxxx> wrote:
    
        On Thu, Jan 16, 2020 at 5:41 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
        > Should I open 22 change requests (1 + 13 + 8), one giant change request for all of these changes or somewhere in between?
        
        As Matthias mentioned, they would need to be filed separately. The good
        news is that only a license check would be required, and since many of
        the packages are just updates, it should go through quickly.
        
        It would be nice to have a list of which packages are being updated, and
        which will be new. (eg. foo 1.0.0 -> 1.1.0). I'm guessing Jackson and
        Jersey packages will be the majority of the updates and probably JNR
        as well?
        
        > Should the obsolete Spotify Docker Client and/or its dependencies be removed from Orbit?
        > What other communications are needed (e.g., cross-project-issues-dev)?
        
        Yes, because we're now replacing it with an "updated" version. Those
        wishing to continue using the older bundle, which depends on vulnerable
        libraries could technically just use an older release build.
        
        I say "updated" because we're basically updating "com.spotify.docker.client" to
        "org.mandas.docker.client" yet the versions are completely different. Not only
        is the Bundle-SymbolicName changing, but all the package names as well.
        This would definitely need to be communicated. Does "org.mandas.docker.client"
        maintain the same package structure as docker-client? Projects would need
        to be aware of how to migrate. I think it would be worth it to post to
        cross-project-issues with the list of dependencies you plan to update. I would
        also make it clear that the dependencies being removed can still be accessed
        by using an older release build.
        
        > Any other comments or guidance on this set of changes?
        
        I would make sure to use the "osgi.bnd" of the original bundles that are being
        updated, and hopefully the main things changing in there are version numbers.
        I would also CC Jeff Johnston from Linux Tools Project on this so that he can
        test out a draft build of the changes against the Docker tooling within that
        project.
        
        Cheers,
        Roland Grunberg
        