Re: [cross-project-issues-dev] Confusing org.apache.batik versions
On 27/09/2017 16:42, Roland Grunberg wrote:
> On Wed, Sep 27, 2017 at 7:59 AM, Aleksandar Kurtakov <akurtako@xxxxxxxxxx> wrote:
> > On Wed, Sep 27, 2017 at 1:48 PM, Ed Willink <ed@xxxxxxxxxxxxx> wrote:
> > > I suspect that the inconsistent versions are the problem in both cases. Does anyone know what is going on?
> > Batik versions prior to 1.9 suffer from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5662 (batik-svg.jar) but removing part of batik release will raise more questions. IMHO Orbit should drop all pre 1.9 in Photon stream.
> This sounds fine to me. Sorry for the confusion. I'll have them removed for Photon M3.
From my understanding of the situation, this may break GMF Runtime. GMF Runtime currently depends on Batik 1.6, for example org.apache.batik.bridge;bundle-version="[1.6.0,1.7.0)", which itself Require-Bundle: org.apache.batik.css;bundle-version="[1.6.0,1.7.0)". If Batik 1.6 is removed from Photon M3 either GMF Runtime will not build, or (if we continue to build against an older Orbit), will fail to aggregate.
I can try to update GMF Runtime to be compatible with Batik 1.9, but currently not all parts of Batik that GMF Runtime requires are available in v1.9 in Orbit, and I'm not sure I'll have the bandwidth to make all the changes required.
--
Pierre-Charles David
+33 2 51 13 52 18
7 Boulevard Ampère - Carquefou - France
obeo.fr <http://www.obeo.fr/> | twitter <https://twitter.com/obeo_corp> | linkedin <https://www.linkedin.com/company/obeo>
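An added example, not part of the thread or of any Eclipse project's code: a small checker that reads a `Require-Bundle` header and lists Batik requirements whose version range can never resolve to 1.9 or later, which are the ones that break once the pre-1.9 bundles are dropped. The function names and the sample header are assumptions; only the `bridge` and `css` ranges come from the message above.

```python
import re

# Per the thread: Batik versions prior to 1.9 are affected by CVE-2017-5662.
FIXED = (1, 9, 0)

def parse_version(text):
    """'1.6' -> (1, 6, 0); an OSGi qualifier (4th segment) is ignored."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def upper_bound(spec):
    """Return (version, inclusive) for an OSGi range, or None if unbounded."""
    spec = spec.strip()
    if not spec or spec[0] not in "[(":
        return None                       # bare version means "this or newer"
    high = spec[1:-1].split(",")[1]
    return parse_version(high), spec.endswith("]")

def split_clauses(header):
    """Split Require-Bundle on commas that are outside quoted ranges."""
    unfolded = header.replace("\n ", "")  # undo manifest line continuations
    parts = re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', unfolded)
    return [p.strip() for p in parts if p.strip()]

def batik_pins_below_fix(header):
    """List (bundle, range) requirements that can never resolve to >= FIXED."""
    findings = []
    for clause in split_clauses(header):
        name, *params = [p.strip() for p in clause.split(";")]
        if not name.startswith("org.apache.batik"):
            continue
        spec = ""
        for param in params:
            m = re.fullmatch(r'bundle-version\s*=\s*"?([^"]*)"?', param)
            if m:
                spec = m.group(1)
        bound = upper_bound(spec)
        if bound and (bound[0] < FIXED or (bound[0] == FIXED and not bound[1])):
            findings.append((name, spec))
    return findings

# Constructed header: the bridge and css ranges are the ones quoted in the
# thread; the other entries are made up to show requirements that pass.
SAMPLE = ('org.eclipse.core.runtime,'
          'org.apache.batik.bridge;bundle-version="[1.6.0,1.7.0)",\n'
          ' org.apache.batik.css;bundle-version="[1.6.0,1.7.0)",'
          'org.apache.batik.util;bundle-version="[1.6.0,2.0.0)",'
          'org.apache.batik.dom')
```

Calling `batik_pins_below_fix(SAMPLE)` returns the `bridge` and `css` entries; the wider `[1.6.0,2.0.0)` range and the unversioned requirement are not reported because they can still resolve to 1.9.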