On Thu, Jan 13, 2022 at 3:11 PM Jonah Graham <jo...@kichwacoders.com> wrote:
> On Thu., Jan. 13, 2022, 05:49 Alexander Fedorov, <alexander.fedo...@arsysop.ru> wrote:
>
>> > Orbit essentially is like Maven Central
>>
>> In that case I don't understand why we need Orbit at all. With the
>> latest announcements regarding Tycho capabilities from Christoph + lack of
>> resources to support Orbit in safe form it seems to be useless.
>
> You have hit the nail on the head! Although useless is going a little far.
> Orbit does not likely have a long term future. However, as there are many
> projects that build from it still, we need it. Also there is a problem if
> multiple projects start contributing the same version of a third party lib;
> that will hopefully be solved in the future with PGP signing.
>
> Orbit should not be directly contributing to simrel, but for a variety of
> reasons it does (see comments in the file).
>
> As mentioned in the Gerrit, passage's p2 repo should be publishing its
> third party deps and it should be possible for consumers to install passage
> from passage's p2 repo without requiring an orbit repo be added too.
>
> I know for sure that numerous projects are not quite doing that (again see
> comments in orbit.aggrcon) but hopefully at some point the temporary
> contribution of orbit to simrel directly can be removed.

I would dare to say that as long as the workarounds are in simrel nothing will get fixed - it's time to face reality.

> HTH,
> Jonah
>
>> Regards,
>> AF
>>
>> 1/13/2022 1:29 PM, Gunnar Wagenknecht writes:
>>
>>> On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> wrote:
>>>
>>>> IMHO, people should actively remove content from Orbit that has CVEs.
>>>> Much like with any other project. Even without replacing it with a fixed
>>>> version. We will be better with less but trusted content than questioning
>>>> ourselves for each artifact.
>>>
>>> Agreed. There is usually a clean-up/removal of unneeded stuff. But the
>>> downloads are still available for projects consuming the repositories.
>>>
>>>> [...] That is definitely something new, since Orbit was a trusted source
>>>> of 3rd party libraries for many years.
>>>
>>> That's a misconception. Orbit essentially is like Maven Central. Instead
>>> of Maven artifacts it distributes Eclipse plug-in artifacts. Maven Central
>>> still distributes the vulnerable Log4j version and a ton of other libraries
>>> with CVEs. Does that make it a less trustworthy source now? I don't think
>>> so. Consumers still need to stay on top of those.
>>>
>>> -Gunnar
>>>
>>> --
>>> Gunnar Wagenknecht
>>> gun...@wagenknecht.org, http://guw.io/

--
Aleksandar Kurtakov
Red Hat Eclipse Team

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev