On Thu, Jan 13, 2022 at 3:47 PM Jonah Graham <jo...@kichwacoders.com> wrote:
> On Thu., Jan. 13, 2022, 08:18 Aleksandar Kurtakov, <akurt...@redhat.com> wrote:
>
>> On Thu, Jan 13, 2022 at 3:11 PM Jonah Graham <jo...@kichwacoders.com> wrote:
>>
>>> On Thu., Jan. 13, 2022, 05:49 Alexander Fedorov, <alexander.fedo...@arsysop.ru> wrote:
>>>
>>>> > Orbit essentially is like Maven Central
>>>>
>>>> In that case I don't understand why do we need Orbit at all. With the latest announcements regarding tycho capabilities from Christoph + lack of resources to support Orbit in safe form it seems to be useless.
>>>
>>> You have hit the nail on the head! Although useless is going a little far. Orbit does not likely have a long term future. However as there are many projects that build from it still we need it. Also there is a problem if multiple projects start contributing the same version of third party lib that will hopefully be solved in the future with PGP signing.
>>>
>>> Orbit should not be directly contributing to simrel, but for a variety of reasons it does (see comments in the file)
>>>
>>> As mentioned in the Gerrit, passage's p2 repo should be publishing its third party deps and it should be possible for consumers to install passage from passage's p2 repo without requiring an orbit repo be added too.
>>>
>>> I know for sure that numerous projects are not quite doing that (again see comments in orbit.aggrcon) but hopefully at some point the temporary contribution of orbit to simrel directly can be removed.
>>
>> I would dare to say that as long as the workarounds are in simrel nothing will get fixed - it's time to face reality.
>
> Probably correct, but I don't have the nerve to disable (or knowledge/time to fix) Mylyn.

^^ Exactly - the amount of complaints from people not paying attention and putting burden on others to workaround for them is what made me lose trust that simrel is a viable approach.
>>> HTH,
>>> Jonah
>>>
>>>> Regards,
>>>> AF
>>>>
>>>> 1/13/2022 1:29 PM, Gunnar Wagenknecht wrote:
>>>>
>>>> On Jan 13, 2022, at 10:55, Aleksandar Kurtakov <akurt...@redhat.com> wrote:
>>>>
>>>> IMHO, people should actively remove content from Orbit that has CVEs. Much like with any other project. Even without replacing it with a fixed version. We will be better with less but trusted content than questioning ourselves for each artifact.
>>>>
>>>> Agreed. There is usually a clean-up/removal of unneeded stuff. But the downloads are still available for projects consuming the repositories.
>>>>
>>>>> [...] That is definitely something new, since Orbit was a trusted source of 3rd party libraries for many years.
>>>>
>>>> That's a misconception. Orbit essentially is like Maven Central. Instead of Maven Artifacts it distributes Eclipse plug-in artifacts. Maven Central still distributes the vulnerable Log4j version and ton of other libraries with CVEs. Does that make it a less trustworthy source now? I don't think so. Consumers still need to stay on top of those.
>>>>
>>>> -Gunnar
>>>>
>>>> --
>>>> Gunnar Wagenknecht
>>>> gun...@wagenknecht.org, http://guw.io/
>>>>
>>>> _______________________________________________
>>>> cross-project-issues-dev mailing list
>>>> cross-project-issues-...@eclipse.org
>>>> To unsubscribe from this list, visit
>>>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
>>
>> --
>> Aleksandar Kurtakov
>> Red Hat Eclipse Team

--
Aleksandar Kurtakov
Red Hat Eclipse Team