Re: [tycho-user] is it possible to override version requirements?
First of all, whenever you encounter such a problem you should try to
convince the project to use package imports with proper version ranges.
That way it is just a matter of deleting the old bundle and installing the
new one with the fix, and you're done without any rebuild required. That's
how OSGi is supposed to work.
For a temporary fix (@Mickael please don't read any further here ;-)):
prepare a patched bundle and use the *same version* in the manifest
(just with a different qualifier, e.g.
org.apache.httpcomponents.httpclient4.5.10.patched-4_5_12), and proceed
as described above.
That way you don't even need to rebuild the whole package, and as long as
there is no binary incompatibility you're all set.
On 30.01.21 at 23:27, Homer, Tony wrote:
I maintain a fork of epp.packages which is intended to enable me to
build Eclipse for C/C++ Developers using a target to override some
dependency versions.
This allows me to mitigate some CVEs that show up in between SimRels or
are missed in a SimRel.
Then I can, for example, build an updated version of Eclipse for C/C++
Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable
dependency.
To do this, I do something like
1. build a non-vulnerable version that is not yet available in Orbit
and publish it in a P2
2. add it to my target definition
3. add a version restriction filter to target-platform-definition
(https://wiki.eclipse.org/Tycho/Target_Platform#Filtering)
4. make plans to upstream to Orbit for the next SimRel
I run into a problem many times where one of the Eclipse dependencies
wants an exact version of a third-party dependency which has a CVE.
[ERROR] Cannot resolve project dependencies:
[ERROR] Software being installed:
org.eclipse.epp.package.cpp.feature.feature.group 4.18.0.qualifier
[ERROR] Missing requirement:
org.eclipse.ecf.filetransfer.httpclient45.feature.feature.group
1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu;
org.apache.httpcomponents.httpclient
[4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found
In this case, I usually either temporarily remove the feature or
follow our internal procedure for temporarily living with the CVE.
I’ve thought about building my own
org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which
actually contains a newer version of httpclient, but I’m not sure how to
do it and it is probably not a good idea 😊
However, today I wondered, is it somehow possible to override the
dependency requirements?
That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants
to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.
Is there some way for me to tell Tycho to let it use
org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I
have made org.apache.httpcomponents.httpclient_4.5.14 available)?
I looked at the Tycho docs and don’t see anything there, so I thought I
would come here and ask.
Thanks for reading!
Tony Homer
_______________________________________________
tycho-user mailing list
tycho-user@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/tycho-user
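Added example, not code from this thread and not Tycho's, p2's or Equinox's own implementation: a small Python model of OSGi version ordering and version-range matching. It evaluates the exact requirement quoted in the p2 error above (`[4.5.10.v20200830-2311,4.5.10.v20200830-2311]`) and a constructed open range of the kind the reply recommends (`[4.5.10,5.0.0)` is an assumption chosen for illustration) against three candidate bundle versions: the Orbit build from the error, a patched build carrying the qualifier the reply suggests, and the 4.5.14 release the question asks about.

```python
import re
from functools import total_ordering


@total_ordering
class OsgiVersion:
    """major.minor.micro[.qualifier]: numeric parts compare numerically,
    the qualifier compares as a plain string (the OSGi core ordering rule)."""

    def __init__(self, major, minor=0, micro=0, qualifier=""):
        self.key = (int(major), int(minor), int(micro), qualifier)

    @classmethod
    def parse(cls, text):
        parts = text.strip().split(".", 3)
        if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts[:3]):
            raise ValueError(f"malformed OSGi version: {text!r}")
        nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
        qualifier = parts[3] if len(parts) == 4 else ""
        return cls(*nums, qualifier)

    def __eq__(self, other):
        return isinstance(other, OsgiVersion) and self.key == other.key

    def __lt__(self, other):
        return self.key < other.key

    def __hash__(self):
        return hash(self.key)

    def __str__(self):
        major, minor, micro, qualifier = self.key
        base = f"{major}.{minor}.{micro}"
        return f"{base}.{qualifier}" if qualifier else base


class VersionRange:
    """'[low,high]', '[low,high)', '(low,high]', '(low,high)', or a bare
    version, which OSGi reads as '[version,infinity)'."""

    _RANGE = re.compile(r"\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*")

    def __init__(self, text):
        m = self._RANGE.fullmatch(text)
        if m:
            self.low = OsgiVersion.parse(m.group(2))
            self.low_inclusive = m.group(1) == "["
            self.high = OsgiVersion.parse(m.group(3))
            self.high_inclusive = m.group(4) == "]"
        else:
            self.low, self.low_inclusive = OsgiVersion.parse(text), True
            self.high, self.high_inclusive = None, False

    def includes(self, version):
        if version < self.low or (version == self.low and not self.low_inclusive):
            return False
        if self.high is None:
            return True
        if version > self.high or (version == self.high and not self.high_inclusive):
            return False
        return True


def satisfying(range_text, candidate_versions):
    """Return the candidate version strings that fall inside the range."""
    rng = VersionRange(range_text)
    return [v for v in candidate_versions if rng.includes(OsgiVersion.parse(v))]


# The exact range from the p2 error quoted in the thread.
EXACT_REQUIREMENT = "[4.5.10.v20200830-2311,4.5.10.v20200830-2311]"
# Constructed example of a proper range (assumption): any 4.5.10 or later 4.x.
PROPER_REQUIREMENT = "[4.5.10,5.0.0)"

# Candidate bundle versions: the Orbit build from the error, a patched build
# named with the qualifier the reply suggests, and the newer release from
# the question.
CANDIDATES = [
    "4.5.10.v20200830-2311",
    "4.5.10.patched-4_5_12",
    "4.5.14",
]

if __name__ == "__main__":
    for req in (EXACT_REQUIREMENT, PROPER_REQUIREMENT):
        print(f"{req:48} -> {satisfying(req, CANDIDATES)}")
```

Running the script shows the exact requirement accepting only the one Orbit build and rejecting both the patched build and 4.5.14, while the open range accepts all three. Two details worth knowing when planning a patched bundle: the qualifier is ordered as a string, so `patched-4_5_12` sorts below `v20200830-2311` even though the build is newer, and an exact `[x,x]` requirement in p2 metadata must be relaxed (or the feature rebuilt) before any replacement bundle can satisfy it, regardless of how the replacement is versioned.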