I really like the idea. But what about jar signatures? When I brought up the topic for reload4j I was told that the jars need to be signed in order to be included. Is this taken care of?
Aleksandar Kurtakov <akurt...@redhat.com> schrieb am Di., 5. Apr. 2022, 13:48: > Hey everyone, > With PGP signing support, latest Tycho work and M2E extending PDE so > *.target files can refer/use dependencies from Maven Central directly will > prefer to use dependencies from Maven Central when updating to new versions > of libraries. > This would be done only when we update to a new version of libraries or > the dependency we use is no longer available in the latest Orbit build. > When Maven Central is not OSGi artifact Orbit will be preferred. > From releng POV it would simply remove the middle man (Orbit/EBR) as Tycho > automates what was achieved via EBR as an intermediate step to be part of > the regular build. > Extra benefits are: > * Eclipse will no longer ship modified version of upstream release (PGP > signature is in p2 metadata and not modifying the jar as jarsigner does) > * Eclipse will not longer ship bundles with symbolic names that do not > match upstream developers decision (as it happens with number of Orbit > artifacts) > * Version updates could be done in chunks rather than all changes at once > to work with latest Orbit > > I strongly encourage other projects to take that path too for third party > dependencies. > > > -- > Aleksandar Kurtakov > Red Hat Eclipse Team > _______________________________________________ > cross-project-issues-dev mailing list > cross-project-issues-dev@eclipse.org > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev >
_______________________________________________ cross-project-issues-dev mailing list cross-project-issues-dev@eclipse.org To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
