On Thu, Jan 13, 2022 at 12:49 PM Alexander Fedorov < alexander.fedo...@arsysop.ru> wrote:
> > Orbit essentially is like Maven Central > > In that case I don't understand why do we need Orbit at all. With the > latest announcements regarding tycho capabilities from Christoph + lack of > resources to support Orbit in safe form it seems to be useless. > I fully agree with you here and that's how we plan to do things for Eclipse Platform starting from the 2022-06 release. For me Orbit is on life support until some final bits are in place to use plain Maven Central. Note that there are some things like Ant where Orbit does way more so it may stay in some very reduced form for such cases. > > Regards, > AF > > 1/13/2022 1:29 PM, Gunnar Wagenknecht пишет: > > > On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> > wrote: > > > IMHO, people should actively remove content from Orbit that has CVEs. Much > like with any other project. Even without replacing it with a fixed > version. We will be better with less but trusted content than questioning > ourselves for each artifact. > > > Agreed. There is usually a clean-up/removal of unneeded stuff. But the > downloads are still available for projects consuming the repositories. > > >[...] That is definitely something >> > new, since Orbit was a trusted source of 3rd party libraries for many >> > years. >> > > > That's a misconception. Orbit essentially is like Maven Central. Instead > of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central > still distributes the vulnerable Log4j version and ton of other libraries > with CVEs. Does that make it a less trustworthy source now? I don't think > so. Consumers still need to stay on top of those. > > -Gunnar > > > -- > Gunnar Wagenknecht > gun...@wagenknecht.org, http://guw.io/ > > > > _______________________________________________ > cross-project-issues-dev mailing listcross-project-issues-...@eclipse.org > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev > > > _______________________________________________ > cross-project-issues-dev mailing list > cross-project-issues-dev@eclipse.org > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev > -- Aleksandar Kurtakov Red Hat Eclipse Team
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
