[orbit-dev] Platform has success consuming some upstream deps, without Orbit

Hi all,

FYI,
Platform has decided to reduce how much it relies on Orbit, at least for test dependencies at the moment. It has been identified for a long time that the current process to update dependencies for Platform is far too expensive, as it requires modifying Orbit code, doing builds and then updating Platform... just to get an update of e.g. Mockito, while the upstream mockito jar on Maven Central is safe to use (from an IP perspective and according to Maven Central governance). The only thing that Orbit was providing which upstream jars are missing is jarsigning with Eclipse certificates.

Platform started by removing the test dependencies from SimRel to get rid of the jarsigning requirement. That was already a success for the project: fewer things pushed into SimRel means fewer constraints for Platform. So one first lesson is that I would recommend contributing to SimRel only the bare minimal stuff, which is profitable to get rid of some constraints.

Then Platform replaced, in its .target definition file (that's used by the Tycho build), references to Orbit bundles with references to Maven artifacts, using the recent development in Maven-PDE support. This worked like a charm, and one benefit is that it very quickly allowed to also bump to newer versions of those dependencies *just by editing them in the .target*, and Platform got, and will keep, the test dependencies up-to-date without effort.

However, signing is important. That's why Platform/p2/Tycho have enabled, for a few versions now, a strategy that allows to add PGP signatures to p2 metadata and get those signatures verified at installation time, in order to let users decide whether to trust a given signature or not, as a way to decide whether to trust a jar or not (quite similarly to certificate checks).
A description of this strategy, containing information about how to try it right now (so you get a chance to give feedback by reporting bugs) is available at https://docs.google.com/document/d/1dl10ia092X5hN1qfKoHYvriCNM-iBqiOkfjnntxaBbk/edit . A Tycho plugin is used to add PGP signatures to artifacts that are not jarsigned. As a result the test dependencies that are fetched from Central are now signed with the Platform PGP key which highlights that they are "trusted by Eclipse Platform".

Maybe this strategy can also be profitable to your project ;)

Cheers
--
Mickael Istria
Eclipse IDE developer, for Red Hat Developers
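As an added illustration of the two steps described in the mail (not taken from the Platform repository or written by its author): a Maven-type `<location>` in a .target definition that pulls a test dependency straight from Maven Central, followed by a build-section fragment that uses the tycho-gpg-plugin `sign-p2-artifacts` goal so that artifacts without a jar signature get a PGP signature in the p2 metadata. The Mockito version, the key name, the property names and the `ORBIT_BUNDLE_NAME` reference are placeholders, and the exact plugin parameters should be checked against the Tycho documentation for the version in use.

```xml
<!-- Fragment 1: test dependency in a .target file (e.g. platform-tests.target).
     Replaces an Orbit bundle reference such as
     <unit id="ORBIT_BUNDLE_NAME" version="0.0.0"/>  (placeholder name)
     with a direct Maven Central coordinate. -->
<location includeDependencyDepth="none"
          includeSource="true"
          missingManifest="generate"
          type="Maven">
  <dependencies>
    <dependency>
      <groupId>org.mockito</groupId>
      <artifactId>mockito-core</artifactId>
      <!-- placeholder: bumping this value is now the whole upgrade procedure -->
      <version>MOCKITO_VERSION_PLACEHOLDER</version>
      <type>jar</type>
    </dependency>
  </dependencies>
</location>

<!-- Fragment 2: build section of the pom.xml that produces the p2 repository.
     Upstream jars carry no Eclipse jar signature, so the PGP signature added
     here is what installing users will be asked to trust. Jars that are
     already jarsigned are left alone (skipIfJarsigned). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.eclipse.tycho</groupId>
      <artifactId>tycho-gpg-plugin</artifactId>
      <version>${tycho-version}</version> <!-- assumed property name -->
      <executions>
        <execution>
          <id>pgpsigner</id>
          <phase>package</phase>
          <goals>
            <goal>sign-p2-artifacts</goal>
          </goals>
          <configuration>
            <!-- placeholder: id/name of the project's signing key in the
                 build agent's keyring; never commit the secret key itself -->
            <keyname>PGP_KEY_NAME_PLACEHOLDER</keyname>
            <!-- passphrase comes from the CI secret store, not the pom -->
            <passphrase>${gpg.passphrase}</passphrase>
            <skipIfJarsigned>true</skipIfJarsigned>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

The security-relevant point is that the trust decision moves from "was this jar signed by the Eclipse Foundation certificate?" to "is this PGP key one my installation trusts?": the key used in fragment 2 therefore needs the same protection as a code-signing certificate (kept on the build infrastructure only, with its public part published so users can verify what they are accepting at install time).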
