Hi Martin,

That is intentional*.

Each release since we transitioned Orbit from CVS to Git is like that. This is the message from the orbit announcement emails[0]:

This is a composite repository combining a newer build (R20201118194144) that is based on the last good build from CVS (20160520211859, Neon) and the latest build from the orbit-recipes master branch [1].

* Please see my other email to cross-project-issues about removal of this for 2022-06 [2].

[0] https://www.eclipse.org/lists/orbit-dev/msg05549.html
[1] https://ci.eclipse.org/orbit/job/orbit-recipes/355/
[2] https://www.eclipse.org/lists/cross-project-issues-dev/msg18987.html forwarded from https://www.eclipse.org/lists/orbit-dev/msg05551.html

Jonah

~~~
Jonah Graham
Kichwa Coders
www.kichwacoders.com

On Thu, 24 Feb 2022 at 03:27, Martin Lippert <mlipp...@gmail.com> wrote:

> Hey!
>
> Quick question:
> why do those update sites refer to the latest S or R builds AS WELL AS a
> specific release repo from 2020?
>
> The content of the latest-S looks like:
>
> <child location="../drops/R20201118194144/repository"/>
> <child location="../drops2/S20220215213605/repository"/>
>
> Any idea why the R20201118194144 repo is included here?
>
> Cheers
> Martin
>
> On 24.02.2022 at 06:47, Ed Willink <ed.will...@gmail.com> wrote:
>
> Hi
>
> For those needing to update: Orbit now has:
>
> <repository location="https://download.eclipse.org/tools/orbit/downloads/latest-S"/>
> <repository location="https://download.eclipse.org/tools/orbit/downloads/latest-R"/>
>
> so there is no need to update ever again. Just rebuild.
>
> Regards
>
> Ed Willink
> On 24/02/2022 02:13, Jonah Graham wrote:
>
> Hi folks,
>
> I have now checked and the EPP packages that have org.apache.log4j now
> have the 1.2.19 reload4j version.
>
> Some progress has already been made on the bugs, so with a bit more work
> we can have the whole simrel free of the 1.2.15 version of log4j.
>
> However, individual projects need to update to the newest Orbit version
> and rebuild. Numerous projects still have the 1.2.15 version in their p2
> repos.
>
> Thanks,
> Jonah
>
> ~~~
> Jonah Graham
> Kichwa Coders
> www.kichwacoders.com
>
> On Wed, 23 Feb 2022 at 12:22, Jonah Graham <jo...@kichwacoders.com> wrote:
>
>> Hi folks,
>>
>> The SimRel release will include the reload4j version of the bundle. Most
>> p2 install resolutions will pull in the reload4j version.
>>
>> However it also includes the 1.2.15 version because of some hard
>> dependencies on the 1.2.15 version (Bug 578940
>> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578940> Bug 578941
>> <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578941>)
>>
>> When I do the EPP build I will verify/report whether any of the packages
>> contain the 1.2.15 version.
>>
>> Jonah
>>
>> ~~~
>> Jonah Graham
>> Kichwa Coders
>> www.kichwacoders.com
>>
>> On Wed, 16 Feb 2022 at 03:04, Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:
>>
>>> Just as an information for people that did not get the current status
>>> via other channels.
>>>
>>> The re-bundled version of reload4j is available in the latest stable
>>> build of Eclipse Orbit.
>>>
>>> Logpresso has added handling for the re-bundled variant and will not
>>> detect the vulnerability in its latest version.
>>>
>>> Christian Dietrich <christian.dietr...@itemis.de> wrote on Tue, 8 Feb 2022, 17:18:
>>>
>>>> yes i tried to use the pomDependencies consider features
>>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190576
>>>>
>>>> https://ci.eclipse.org/orbit/job/gerrit-orbit-recipes/1782/artifact/releng/repository-all/target/repository/
>>>> but i get signing warning and also naming conventions etc
>>>> are completely "bogus"
>>>> On 08.02.22 at 17:16, Ed Merks wrote:
>>>>
>>>> Christian,
>>>>
>>>> I *assume* it is not jar signed but rather only has an external PGP
>>>> signature.
>>>>
>>>> Regards,...
>>>> Ed
>>>> On 08.02.2022 16:48, Christian Dietrich wrote:
>>>>
>>>> is the original signing not enough?
>>>> and what about about.html and other eclipse rule foo.
>>>> On 08.02.22 at 16:32, Matthias Sohn wrote:
>>>>
>>>> I went ahead and pushed the naive addition of reload4j 1.2.19 disguised
>>>> as bundle org.apache.log4j to Orbit
>>>> https://git.eclipse.org/r/c/orbit/orbit-recipes/+/190574
>>>> feel free to change this if someone finds out how to use EBR to only
>>>> sign the upstream artefact.
>>>> -Matthias
>>>>
>>>> On Tue, Feb 8, 2022 at 4:04 PM Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@eclipse.org> wrote:
>>>>
>>>>> Well, from my point of view the usage of reload4j is the only
>>>>> backwards compatible solution. Unfortunately not for every case, e.g. too
>>>>> strict version ranges. The solution forward is of course the usage of a
>>>>> log wrapper to decouple development from deployment.
>>>>>
>>>>> Anyhow I don't know how to add a bundle jar signed and unchanged to
>>>>> Orbit. I am only aware of the re-bundling via EBR. Doing that will cause a
>>>>> change in the jar structure that causes for example logpresso to identify
>>>>> a CVE, although it is fixed. Which is actually only an issue in the
>>>>> detection. But that was one of the reasons why I contacted the reload4j
>>>>> project to change the base to avoid the re-bundling.
>>>>>
>>>>> Anyone who knows how to only sign and publish to Orbit without
>>>>> re-bundling?
>>>>>
>>>>> Ed Merks <ed.me...@gmail.com> wrote on Tue, 8 Feb 2022, 15:54:
>>>>>
>>>>>> Dirk,
>>>>>>
>>>>>> Thanks. That's really great! It would be great for this release
>>>>>> cycle if it were jar signed and available from Orbit so that we could
>>>>>> ship it with 2022-03...
>>>>>>
>>>>>> There are people who are concerned:
>>>>>>
>>>>>> https://www.eclipse.org/forums/index.php/mv/msg/1109656/1849775/#msg_1849775
>>>>>>
>>>>>> Though I'm not sure if they would consider the problem being fixed in
>>>>>> 1.2.19 a fact and even if it's a fact if it would be a fact that
>>>>>> matters...
>>>>>>
>>>>>> Regards,
>>>>>> Ed
>>>>>>
>>>>>> On 08.02.2022 15:48, Dirk Fauth via cross-project-issues-dev wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I got in contact with the reload4j team. They changed the
>>>>>> Bundle-SymbolicName to org.apache.log4j and fixed several OSGi meta data
>>>>>> related issues in the meanwhile. Today they published 1.2.19 which should
>>>>>> work as a drop-in replacement in Eclipse based applications where
>>>>>> Require-Bundle was used. My local tests worked so far.
>>>>>>
>>>>>> That said, re-bundling for Orbit should not be necessary as reload4j
>>>>>> could directly be consumed via Maven Central.
>>>>>>
>>>>>> Just wanted to keep you updated.
>>>>>>
>>>>>> Greez,
>>>>>> Dirk
>>>>>>
>>>>>> Ed Willink <ed.will...@gmail.com> wrote on Wed, 26 Jan 2022, 13:47:
>>>>>>
>>>>>>> Hi
>>>>>>>
>>>>>>> On 26/01/2022 07:48, Christoph Läubrich wrote:
>>>>>>> > Why not using SLF4J in all places and let the user choose the
>>>>>>> > implementation with their favorite CVEs?
>>>>>>>
>>>>>>> Use of SLF4J has been suggested before and so I tried to be a good
>>>>>>> Eclipse citizen. My failed attempts are described in:
>>>>>>>
>>>>>>> https://bugs.eclipse.org/bugs/show_bug.cgi?id=559532
>>>>>>>
>>>>>>> If SLF4J is to be used, can someone please ensure that the platform is
>>>>>>> fit for purpose and that there is a good tutorial on how to do really
>>>>>>> boring logging.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Ed Willink
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> cross-project-issues-dev mailing list
>>>>>>> cross-project-issues-dev@eclipse.org
>>>>>>> To unsubscribe from this list, visit
>>>>>>> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
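An added example, not part of the thread and not Orbit, reload4j or Logpresso code: a manifest-level check for the two conditions raised above, namely a bundle named org.apache.log4j older than 1.2.19 still sitting in a p2 repository, and a Require-Bundle range too strict to accept 1.2.19. The function names and finding labels are hypothetical, the sample JAR helper builds constructed input, and version qualifiers are ignored by assumption.

```python
import io
import re
import zipfile

NAME = "org.apache.log4j"  # symbolic name used by log4j 1.2.15 and by reload4j 1.2.19
FIXED = (1, 2, 19)         # reload4j version named in the thread

def headers(manifest):
    """Main-section headers of a MANIFEST.MF, with continuation lines joined."""
    main = re.split(r"\r?\n\r?\n", re.sub(r"\r?\n ", "", manifest), maxsplit=1)[0]
    return dict(line.split(": ", 1) for line in main.splitlines() if ": " in line)

def version(text):
    """major.minor.micro as a tuple; a qualifier segment is ignored (assumption)."""
    return tuple(int(p) for p in (text.strip().split(".") + ["0", "0"])[:3])

def accepts(rng, v=FIXED):
    """True if an OSGi version range, or a bare minimum version, includes v."""
    m = re.fullmatch(r"\s*([\[(])([^,]+),([^\])]+)([\])])\s*", rng)
    if not m:
        return v >= version(rng)
    lo, hi = version(m.group(2)), version(m.group(3))
    return ((lo < v or (lo == v and m.group(1) == "[")) and
            (v < hi or (v == hi and m.group(4) == "]")))

def audit(jar_bytes):
    """Findings for one bundle JAR: old log4j, or a range that rejects 1.2.19."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        h = headers(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    found = []
    bv = h.get("Bundle-Version", "0")
    if h.get("Bundle-SymbolicName", "").split(";")[0].strip() == NAME and version(bv) < FIXED:
        found.append("old-log4j " + bv)
    # Clauses are comma separated, but a quoted range contains a comma of its own.
    for clause in re.findall(r'(?:[^,"]|"[^"]*")+', h.get("Require-Bundle", "")):
        rng = re.search(r'bundle-version="?([^";]+)"?', clause)
        if clause.split(";")[0].strip() == NAME and rng and not accepts(rng.group(1)):
            found.append("range-excludes-1.2.19 " + rng.group(1))
    return found

def sample_jar(manifest):
    """Constructed input: an in-memory JAR holding only the given manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

Running `audit` over every JAR in a repository's plugins directory lists the bundles that still need a rebuild against the newer Orbit and the consumers whose ranges have to be widened first.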