> Orbit essentially is like Maven Central
In that case I don't understand why we need Orbit at all. With the
latest announcements regarding Tycho capabilities from Christoph + lack
of resources to support Orbit in a safe form, it seems to be useless.
Regards,
AF
1/13/2022 1:29 PM, Gunnar Wagenknecht wrote:
> On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> wrote:
>> IMHO, people should actively remove content from Orbit that has CVEs.
>> Much like with any other project. Even without replacing it with a
>> fixed version. We will be better with less but trusted content than
>> questioning ourselves for each artifact.
> Agreed. There is usually a clean-up/removal of unneeded stuff. But the
> downloads are still available for projects consuming the repositories.
>> [...] That is definitely something new, since Orbit was a trusted
>> source of 3rd party libraries for many years.
> That's a misconception. Orbit essentially is like Maven Central.
> Instead of Maven artifacts it distributes Eclipse plug-in artifacts.
> Maven Central still distributes the vulnerable Log4j version and a ton
> of other libraries with CVEs. Does that make it a less trustworthy
> source now? I don't think so. Consumers still need to stay on top of
> those.
> -Gunnar
> --
> Gunnar Wagenknecht
> gun...@wagenknecht.org, http://guw.io/
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev