On Tue, Jan 21, 2020 at 11:12 PM Homer, Tony <tony.ho...@intel.com> wrote:
> Over on orbit-dev, Roland Grunberg suggested that I notify this list about
> this proposed change due to the potential impact on other projects.
>
> Please refer to https://bugs.eclipse.org/bugs/show_bug.cgi?id=558284 for
> detailed background info.
>
> In a nutshell, com.spotify.docker.client (currently available via Orbit)
> is no longer maintained and has dependencies with CVEs. A Java docker
> client is needed by linux-tools docker tooling (and at least one downstream
> project which is maintained by my team). org.mandas.docker.client is a
> fork of Spotify Docker Client which is being actively maintained with
> special consideration for CVE mitigation. It preserves the existing
> interface but changes the package name from com.spotify to org.mandas, so
> projects using it as a dependency will need to make some updates (but they
> should be mostly straightforward). The dependency set is almost entirely
> updated and in some cases changed in order to eliminate problematic or
> unmaintained dependencies. The proposal is to replace
> com.spotify.docker.client with org.mandas.docker.client in Orbit. This will
> require a large number of updates in Orbit (many of the updates should be
> made anyway due to CVEs in the versions which are currently available
> in Orbit). The proposed list of changes follows.
>
> Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10
>
> Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will
> include com.fasterxml.jackson.core.jackson-annotations,
> com.fasterxml.jackson.core.jackson-core,
> com.fasterxml.jackson.core.jackson-databind,
> com.fasterxml.jackson.datatype.jackson-datatype-guava,
> com.fasterxml.jackson.jaxrs.jackson-jaxrs-base,
> com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)
>
> Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include
> org.glassfish.jersey.apache.connector,
> org.glassfish.jersey.bundles.repackaged.jersey-guava,
> org.glassfish.jersey.containers.servlet,
> org.glassfish.jersey.containers.servlet.core,
> org.glassfish.jersey.core.jersey-client,
> org.glassfish.jersey.core.jersey-common,
> org.glassfish.jersey.core.jersey-server,
> org.glassfish.jersey.ext.entityfiltering,
> org.glassfish.jersey.media.jersey-media-json-jackson)
>
> Update to javax.activation 1.1.1, remove 1.1.0
>
> Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0
>

I already updated apache commons compress to 1.19.0
https://bugs.eclipse.org/bugs/show_bug.cgi?id=558859
It's available in I-builds:
https://download.eclipse.org/tools/orbit/downloads/drops/I20200120214610/

> Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0
>
> Update to org.mockito.core 3.2.0, remove 2.23.0
>
> Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes
> will include ch.qos.logback.classic, ch.qos.logback.core,
> ch.qos.logback.slf4j)
>
> Add org.immutables.value 2.8.2
>
> Add com.google.google-auth-library-oauth2-http 0.18.0
>
> Add com.google.jimfs 1.1
>
> Add joda-time 2.10.5
>
> Add org.awaitility 4.0.1
>
> Add com.squareup.okhttp3.mockwebserver 4.2.2
>
> Add com.spotify.hamcrest-jackson 1.1.5
>
> Add com.spotify.hamcrest-pojo 1.1.5
>
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@eclipse.org
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
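The proposal above removes specific bundle versions from Orbit and swaps one bundle for a renamed fork, which is exactly the kind of change that silently breaks downstream `Require-Bundle` version ranges at the next target-platform resolution. The script below is an added example (mine, not code from this thread, from Orbit, or from either docker client): it parses an OSGi MANIFEST.MF, unfolds continuation lines, splits `Require-Bundle` clauses with quote-aware handling of version ranges, and reports, for every bundle the proposal touches, whether the declared range still admits the replacement version, which removed version it currently resolves to, or whether the bundle itself is being replaced. The `NEW_VERSIONS` and `REMOVED_VERSIONS` tables are a subset transcribed from the quoted message (commons-compress is entered as 1.19.0, the version the reply says is already in I-builds); the manifest text is constructed sample input and the bundle `org.example.dockertool` does not exist.

```python
"""Audit an OSGi MANIFEST.MF against the Orbit change list quoted in the thread.

Added example, not code from the mailing list or from Orbit. Version tables are
a subset transcribed from the proposal; SAMPLE_MANIFEST is constructed input.
For a real bundle, pass the contents of META-INF/MANIFEST.MF to audit_manifest().
"""

# Replacement versions the proposal adds to Orbit (subset of the message).
NEW_VERSIONS = {
    "org.slf4j.api": "1.7.29",
    "com.fasterxml.jackson.core.jackson-core": "2.10.1",
    "com.fasterxml.jackson.core.jackson-databind": "2.10.1",
    "com.fasterxml.jackson.core.jackson-annotations": "2.10.1",
    "org.glassfish.jersey.core.jersey-client": "2.29.1",
    "org.glassfish.jersey.core.jersey-common": "2.29.1",
    "javax.activation": "1.1.1",
    "org.apache.commons.compress": "1.19.0",  # reply: 1.19.0 already in I-builds
    "com.github.jnr.unixsocket": "0.24.0",
    "org.mockito.core": "3.2.0",
    "ch.qos.logback.classic": "1.2.3",
    "ch.qos.logback.core": "1.2.3",
    "ch.qos.logback.slf4j": "1.2.3",
}
# Versions the proposal removes; used to name what a broken range resolves to today.
REMOVED_VERSIONS = {
    "org.slf4j.api": ("1.7.2", "1.7.10"),
    "org.apache.commons.compress": ("1.6.0", "1.15.0", "1.18.0"),
    "com.github.jnr.unixsocket": ("0.18.0",),
    "org.mockito.core": ("2.23.0",),
    "ch.qos.logback.classic": ("1.0.7", "1.1.2"),
    "ch.qos.logback.core": ("1.0.7", "1.1.2"),
    "ch.qos.logback.slf4j": ("1.0.7", "1.1.2"),
}
# Bundle replaced outright: same interface, package prefix com.spotify -> org.mandas.
REPLACED_BUNDLES = {"com.spotify.docker.client": "org.mandas.docker.client"}

# Constructed sample manifest (hypothetical bundle). Continuation lines begin
# with a single space, as the JAR manifest format requires.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Bundle-SymbolicName: org.example.dockertool;singleton:=true
Bundle-Version: 1.0.0.qualifier
Require-Bundle: org.slf4j.api;bundle-version="[1.7.2,1.7.11)",
 org.apache.commons.compress;bundle-version="1.15.0",
 com.spotify.docker.client;bundle-version="[8.0.0,9.0.0)",
 ch.qos.logback.classic;bundle-version="[1.0.7,2.0.0)",
 org.mockito.core;bundle-version="[2.23.0,3.0.0)";resolution:=optional
"""


def unfold_manifest(text):
    """Join manifest continuation lines and return {header: value}."""
    headers, name = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):  # continuation of the previous header
            headers[name] += raw[1:]
        else:
            name, _, value = raw.partition(":")
            name = name.strip()
            headers[name] = value.strip()
    return headers


def split_outside_quotes(value, sep):
    """Split on sep but not inside double quotes (version ranges contain commas)."""
    parts, cur, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_clause(clause):
    """'id;attr="v";directive:=v' -> (id, {attr: v, directive: v})."""
    parts = split_outside_quotes(clause, ";")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.rstrip(":").strip()] = val.strip().strip('"')
    return parts[0], attrs


def parse_version(text):
    """OSGi version major.minor.micro[.qualifier] as a comparable tuple."""
    parts = text.strip().split(".", 3)
    nums = [int(p) for p in parts[:3]] + [0] * (3 - min(len(parts), 3))
    return (*nums, parts[3] if len(parts) > 3 else "")


def parse_range(spec):
    """'[a,b)' / '(a,b]' -> (low, low_incl, high, high_incl); bare 'a' means [a, inf)."""
    spec = spec.strip()
    if spec[0] in "[(":
        low, high = spec[1:-1].split(",")
        return parse_version(low), spec[0] == "[", parse_version(high), spec[-1] == "]"
    return parse_version(spec), True, None, False


def in_range(version, rng):
    low, low_inc, high, high_inc = rng
    if version < low or (version == low and not low_inc):
        return False
    if high is None:
        return True
    return version < high or (version == high and high_inc)


def audit_manifest(text):
    """One (bundle, status, detail) per Require-Bundle entry the proposal touches."""
    headers = unfold_manifest(text)
    findings = []
    for clause in split_outside_quotes(headers.get("Require-Bundle", ""), ","):
        bundle, attrs = parse_clause(clause)
        if bundle in REPLACED_BUNDLES:
            findings.append((bundle, "REPLACED", "switch to " + REPLACED_BUNDLES[bundle]))
            continue
        if bundle not in NEW_VERSIONS:
            continue
        new = NEW_VERSIONS[bundle]
        rng = parse_range(attrs.get("bundle-version", "0.0.0"))  # no range: any version
        if in_range(parse_version(new), rng):
            findings.append((bundle, "OK", "range admits " + new))
        else:
            old = [v for v in REMOVED_VERSIONS.get(bundle, ()) if in_range(parse_version(v), rng)]
            findings.append((bundle, "BREAKS", f"range excludes {new}; today resolves to removed {old}"))
    return findings


if __name__ == "__main__":
    for bundle, status, detail in audit_manifest(SAMPLE_MANIFEST):
        print(f"{status:8} {bundle}: {detail}")
```

On the constructed manifest this flags `org.slf4j.api` and `org.mockito.core` as breaking (their upper bounds exclude 1.7.29 and 3.2.0), accepts the open-ended commons-compress and logback ranges, and marks the Spotify client for migration. `Import-Package` headers and feature.xml includes are deliberately not covered; they follow the same clause syntax and can be fed through `split_outside_quotes` and `parse_clause` the same way.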