On Thu., Jan. 13, 2022, 08:18 Aleksandar Kurtakov, <akurt...@redhat.com> wrote:
> On Thu, Jan 13, 2022 at 3:11 PM Jonah Graham <jo...@kichwacoders.com> wrote:
>
>> On Thu., Jan. 13, 2022, 05:49 Alexander Fedorov, <alexander.fedo...@arsysop.ru> wrote:
>>
>>> > Orbit essentially is like Maven Central
>>>
>>> In that case I don't understand why we need Orbit at all. With the latest announcements regarding tycho capabilities from Christoph + lack of resources to support Orbit in safe form it seems to be useless.
>>
>> You have hit the nail on the head! Although useless is going a little far. Orbit does not likely have a long term future. However as there are many projects that build from it still we need it. Also there is a problem if multiple projects start contributing the same version of third party lib that will hopefully be solved in the future with PGP signing.
>>
>> Orbit should not be directly contributing to simrel, but for a variety of reasons it does (see comments in the file)
>>
>> As mentioned in the Gerrit, passage's p2 repo should be publishing its third party deps and it should be possible for consumers to install passage from passage's p2 repo without requiring an orbit repo be added too.
>>
>> I know for sure that numerous projects are not quite doing that (again see comments in orbit.aggrcon) but hopefully at some point the temporary contribution of orbit to simrel directly can be removed.
>
> I would dare to say that as long as the workarounds are in simrel nothing will get fixed - it's time to face reality.

Probably correct, but I don't have the nerve to disable (or knowledge/time to fix) Mylyn.

>> HTH,
>> Jonah
>>
>>> Regards,
>>> AF
>>>
>>> 1/13/2022 1:29 PM, Gunnar Wagenknecht wrote:
>>>
>>> On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> wrote:
>>>
>>> IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.
>>>
>>> Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories.
>>>
>>> > [...] That is definitely something new, since Orbit was a trusted source of 3rd party libraries for many years.
>>>
>>> That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and a ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.
>>>
>>> -Gunnar
>>>
>>> --
>>> Gunnar Wagenknecht
>>> gun...@wagenknecht.org, http://guw.io/
>
> --
> Aleksandar Kurtakov
> Red Hat Eclipse Team

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev