Over on orbit-dev, Roland Grunberg suggested that I notify this list about this 
proposed change due to the potential impact on other projects.

Please refer to https://bugs.eclipse.org/bugs/show_bug.cgi?id=558284 for 
detailed background info.

In a nutshell, com.spotify.docker.client (currently available via Orbit) is no 
longer maintained and has dependencies with CVEs.  A Java docker client is 
needed by linux-tools docker tooling (and at least one downstream project which 
is maintained by my team).  org.mandas.docker.client is a fork of Spotify 
Docker Client which is being actively maintained with special consideration for 
CVE mitigation.  It preserves the existing interface but changes the package 
name from com.spotify to org.mandas, so projects using it as a dependency will 
need to make some updates (but they should be mostly straightforward).  The 
dependency set is almost entirely updated and in some cases changed in order to 
eliminate problematic or unmaintained dependencies.  The proposal is to replace 
com.spotify.docker.client with org.mandas.docker.client in Orbit. This will 
require a large number of updates in Orbit (many of the updates should be made 
anyway due to CVEs in the versions which are currently available in Orbit).  
The proposed list of changes follows.

Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10

Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will include 
com.fasterxml.jackson.core.jackson-annotations, 
com.fasterxml.jackson.core.jackson-core, 
com.fasterxml.jackson.core.jackson-databind, 
com.fasterxml.jackson.datatype.jackson-datatype-guava, 
com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, 
com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)

Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include 
org.glassfish.jersey.apache.connector, 
org.glassfish.jersey.bundles.repackaged.jersey-guava, 
org.glassfish.jersey.containers.servlet, 
org.glassfish.jersey.containers.servlet.core, 
org.glassfish.jersey.core.jersey-client, 
org.glassfish.jersey.core.jersey-common, 
org.glassfish.jersey.core.jersey-server, 
org.glassfish.jersey.ext.entityfiltering, 
org.glassfish.jersey.media.jersey-media-json-jackson)

Update to javax.activation 1.1.1, remove 1.1.0

Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0

Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0

Update to org.mockito.core 3.2.0, remove 2.23.0

Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes will 
include ch.qos.logback.classic, ch.qos.logback.core, ch.qos.logback.slf4j)

Add org.immutables.value 2.8.2

Add com.google.google-auth-library-oauth2-http 0.18.0

Add com.google.jimfs 1.1

Add joda-time 2.10.5

Add org.awaitility 4.0.1

Add com.squareup.okhttp3.mockwebserver 4.2.2 

Add com.spotify.hamcrest-jackson 1.1.5

Add com.spotify.hamcrest-pojo 1.1.5
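
The package rename described in the message, as an added example that is not part of the original post or of either project's code: a check that finds leftover references to the old package in an OSGi manifest (including names wrapped across continuation lines) and rewrites Java imports. The function names and sample inputs are constructed for illustration, and the `org.mandas.docker.client` package prefix is assumed from the message's description of the rename.

```python
import re

OLD = "com.spotify.docker.client"  # bundle/package named in the message
NEW = "org.mandas.docker.client"   # replacement prefix (assumed from the message)

# Constructed sample inputs; the manifest wraps mid-name, as the 72-byte limit can cause.
SAMPLE_MANIFEST = (
    "Bundle-SymbolicName: example.docker.tooling\n"
    'Import-Package: com.spotify.docker.client;version="[8.0,9.0)",com.spotify.doc\n'
    ' ker.client.messages,org.slf4j;version="1.7.2"\n'
)
SAMPLE_JAVA = (
    "import com.spotify.docker.client.DockerClient;\n"
    "import com.spotify.docker.client.messages.Container;\n"
    "import java.util.List;\n"
)

def unfold_manifest(text):
    """Join MANIFEST.MF continuation lines (a leading space continues the previous line)."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def manifest_refs(text):
    """Return (header, name) pairs in OSGi headers that still name the old package."""
    hits = []
    for line in unfold_manifest(text):
        header, sep, value = line.partition(":")
        if sep and header in ("Import-Package", "Require-Bundle"):
            # Split on commas between clauses, not those inside quoted version ranges.
            for clause in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value):
                name = clause.split(";")[0].strip()
                if name == OLD or name.startswith(OLD + "."):
                    hits.append((header, name))
    return hits

IMPORT_RE = re.compile(
    r"^(\s*import\s+(?:static\s+)?)" + re.escape(OLD) + r"(?=[.;])", re.M)

def migrate_java(source):
    """Rewrite import statements only; return (new_source, imports_changed)."""
    return IMPORT_RE.subn(r"\g<1>" + NEW, source)
```

A line-by-line text search of the raw manifest would miss the second reference, because the name is split across a continuation line; fully qualified names used outside import statements are left for manual review.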

