Re: [tycho-user] is it possible to override version requirements?

[Christoph Läubrich <laeubi@xxxxxxxxxxxxxx>]

First of all, whenever you encounter such a problem you should try to 
convince the project to use package imports with proper version ranges.

That way it is just a matter of delete the old bundle and install the 
new one with the fix and your done without any rebuild required. That's 
how OSGi is supposed to work.

For a temporary fix (@Mickael please don't read any further here ;-))

Prepare a patched bundle and use the *same version* in the manifest 
(just with a different qualifier e.g. 
org.apache.httpcomponents.httpclient4.5.10.patched-4_5_12, and proceed 
as described above.

That way you don't even need to rebuild the whole package and as long as 
there is no binary incompatibility your all set.

Am 30.01.21 um 23:27 schrieb Homer, Tony:
> I maintain a fork of epp.packages which is intended to enable me to 
> build Eclipse for C/C++ Developers using a target to override some 
> dependency versions.
>
> This allows me to mitigate some CVEs that show up in between SimRels or 
> are missed in a SimRel.
>
> Then I can, for example, build an updated version of Eclipse for C/C++ 
> Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable 
> dependency.
>
> To do this, I do something like
>
>  1. build a non-vulnerable version that is not yet available in Orbit
>     and publish it in a P2
>  2. add it to my target definition
>  3. add a version restriction filter to target-platform-definition
>     (https://wiki.eclipse.org/Tycho/Target_Platform#Filtering
>     <https://wiki.eclipse.org/Tycho/Target_Platform#Filtering>)
>  4. make plans to upstream to Orbit for the next SimRel
>
> I run into a problem many times where one of the Eclipse dependencies 
> wants an exact version of a third-party dependency which has a CVE.
>
> [ERROR] Cannot resolve project dependencies:
>
> [ERROR]   Software being installed: 
> org.eclipse.epp.package.cpp.feature.feature.group 4.18.0.qualifier
>
> [ERROR]   Missing requirement: 
> org.eclipse.ecf.filetransfer.httpclient45.feature.feature.group 
> 1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu; 
> org.apache.httpcomponents.httpclient 
> [4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found
>
> In this case, I usually I either temporarily remove the feature or 
> follow our internal procedure for temporarily living with the CVE.
>
> I’ve thought about building my own 
> org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which 
> actually contains a newer version of httpclient, but I’m not sure how to 
> do it and it is probably not a good idea 😊
>
> However, today I wondered, is it somehow to possible to override the 
> dependency requirements?
>
> That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants 
> to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.
>
> Is there some way for me to tell Tycho to let it use 
> org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I 
> have made org.apache.httpcomponents.httpclient_4.5.14 available)?
>
> I looked at the Tycho docs and don’t see anything there, so I thought I 
> would come here and ask.
>
> Thanks for reading!
>
> Tony Homer
>
>
> _______________________________________________
> tycho-user mailing list
> tycho-user@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user