[cross-project-issues-dev] proposed Orbit update: switch from com.spotify.docker.client to org.mandas.docker.client

Over on orbit-dev, Roland Grunberg suggested that I notify this list about this proposed change due to the potential impact on other projects.

Please refer to https://bugs.eclipse.org/bugs/show_bug.cgi?id=558284 for detailed background info.

In a nutshell, com.spotify.docker.client (currently available via Orbit) is no longer maintained and has dependencies with CVEs.  A Java docker client is needed by linux-tools docker tooling (and at least one downstream project which is maintained by my team).  org.mandas.docker.client is a fork of Spotify Docker Client which is being actively maintained with special consideration for CVE mitigation.  It preserves the existing interface but changes the package name from com.spotify to org.mandas, so projects using it as a dependency will need to make some updates (but they should be mostly straightforward).  The dependency set is almost entirely updated and in some cases changed in order to eliminate problematic or unmaintained dependencies.  The proposal is to replace com.spotify.docker.client with org.mandas.docker.client in Orbit. This will require a large number of updates in Orbit (many of the updates should be made anyway due to CVEs in the versions which are currently available in Orbit).  The proposed list of changes follows.

Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10

Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will include com.fasterxml.jackson.core.jackson-annotations, com.fasterxml.jackson.core.jackson-core, com.fasterxml.jackson.core.jackson-databind, com.fasterxml.jackson.datatype.jackson-datatype-guava, com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)

Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include org.glassfish.jersey.apache.connector, org.glassfish.jersey.bundles.repackaged.jersey-guava, org.glassfish.jersey.containers.servlet, org.glassfish.jersey.containers.servlet.core, org.glassfish.jersey.core.jersey-client, org.glassfish.jersey.core.jersey-common, org.glassfish.jersey.core.jersey-server, org.glassfish.jersey.ext.entityfiltering, org.glassfish.jersey.media.jersey-media-json-jackson)

Update to javax.activation 1.1.1, remove 1.1.0

Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0

Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0

Update to org.mockito.core 3.2.0, remove 2.23.0

Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes will include ch.qos.logback.classic, ch.qos.logback.core, ch.qos.logback.slf4j)

Add org.immutables.value 2.8.2

Add com.google.google-auth-library-oauth2-http 0.18.0

Add com.google.jimfs 1.1

Add joda-time 2.10.5

Add org.awaitility 4.0.1

Add com.squareup.okhttp3.mockwebserver 4.2.2 

Add com.spotify.hamcrest-jackson 1.1.5

Add com.spotify.hamcrest-pojo 1.1.5


