
Re: [cross-project-issues-dev] proposed Orbit update: switch from com.spotify.docker.client to org.mandas.docker.client

On Tue, Jan 21, 2020 at 11:12 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
Over on orbit-dev, Roland Grunberg suggested that I notify this list about this proposed change due to the potential impact on other projects.

Please refer to https://bugs.eclipse.org/bugs/show_bug.cgi?id=558284 for detailed background info.

In a nutshell, com.spotify.docker.client (currently available via Orbit) is no longer maintained and has dependencies with CVEs.  A Java docker client is needed by linux-tools docker tooling (and at least one downstream project which is maintained by my team).  org.mandas.docker.client is a fork of Spotify Docker Client which is being actively maintained with special consideration for CVE mitigation.  It preserves the existing interface but changes the package name from com.spotify to org.mandas, so projects using it as a dependency will need to make some updates (but they should be mostly straightforward).  The dependency set is almost entirely updated and in some cases changed in order to eliminate problematic or unmaintained dependencies.  The proposal is to replace com.spotify.docker.client with org.mandas.docker.client in Orbit. This will require a large number of updates in Orbit (many of the updates should be made anyway due to CVEs in the versions which are currently available in Orbit).  The proposed list of changes follows.

Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10

Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will include com.fasterxml.jackson.core.jackson-annotations,
com.fasterxml.jackson.core.jackson-core, com.fasterxml.jackson.core.jackson-databind, com.fasterxml.jackson.datatype.jackson-datatype-guava, com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)

Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include org.glassfish.jersey.apache.connector, org.glassfish.jersey.bundles.repackaged.jersey-guava, org.glassfish.jersey.containers.servlet, org.glassfish.jersey.containers.servlet.core, org.glassfish.jersey.core.jersey-client, org.glassfish.jersey.core.jersey-common, org.glassfish.jersey.core.jersey-server, org.glassfish.jersey.ext.entityfiltering, org.glassfish.jersey.media.jersey-media-json-jackson)

Update to javax.activation 1.1.1, remove 1.1.0

Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0

I already updated Apache Commons Compress to 1.19.0; it's available in I-builds.

Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0

Update to org.mockito.core 3.2.0, remove 2.23.0

Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes will include ch.qos.logback.classic, ch.qos.logback.core, ch.qos.logback.slf4j)

Add org.immutables.value 2.8.2

Add com.google.google-auth-library-oauth2-http 0.18.0

Add com.google.jimfs 1.1

Add joda-time 2.10.5

Add org.awaitility 4.0.1

Add com.squareup.okhttp3.mockwebserver 4.2.2

Add com.spotify.hamcrest-jackson 1.1.5

Add com.spotify.hamcrest-pojo 1.1.5


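As an added example (not from the message, Orbit or linux-tools), a Python check that scans a bundle's MANIFEST.MF for the two things this proposal would break downstream: Require-Bundle or Import-Package entries on the com.spotify.docker.client packages, which need to move to org.mandas.docker.client, and version pins on bundles slated for removal. The sample manifest is constructed, and the REMOVED mapping is transcribed from part of the list above and is meant to be extended to the full set.

```python
import re
# Constructed sample MANIFEST.MF (not from any real project) with the kinds
# of entries the proposed Orbit change affects.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Bundle-SymbolicName: org.example.dockertools
Require-Bundle: com.spotify.docker.client;bundle-version="8.11.7",
 com.fasterxml.jackson.core.jackson-databind;bundle-version="[2.9.9,3.0.0)",
 org.slf4j.api;bundle-version="1.7.10";resolution:=optional,
 org.apache.commons.compress;bundle-version="1.19.0"
Import-Package: com.spotify.docker.client.messages,
 org.osgi.framework;version="1.8.0"
"""

# Versions the proposal removes from Orbit, transcribed from the message above
# (only part of the list; extend the mapping to cover the full set).
REMOVED = {
    "org.slf4j.api": {"1.7.2", "1.7.10"},
    "com.fasterxml.jackson.core.jackson-databind": {"2.9.9", "2.9.93"},
    "org.apache.commons.compress": {"1.6.0", "1.15.0", "1.18.0"},
}

def parse_manifest(text):
    """Fold OSGi continuation lines (a leading single space) into their header."""
    headers, current = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current:
            headers[current] += line[1:]
        elif ":" in line:
            current, _, value = line.partition(":")
            headers[current] = value.strip()
    return headers

def split_clauses(value):
    """Split on commas outside double quotes; version ranges contain commas."""
    return [c.strip() for c in re.split(r',(?=(?:[^"]*"[^"]*")*[^"]*$)', value) if c.strip()]

def audit(manifest_text):
    """Return (header, name, reason) for entries the Orbit change would break."""
    findings, headers = [], parse_manifest(manifest_text)
    for header in ("Require-Bundle", "Import-Package"):
        for clause in split_clauses(headers.get(header, "")):
            name, *params = [p.strip() for p in clause.split(";")]
            # attributes use '=', directives use ':=' and are skipped
            attrs = dict(p.split("=", 1) for p in params if "=" in p and ":=" not in p)
            # lower bound of the version or range, e.g. "[2.9.9,3.0.0)" -> "2.9.9"
            lower = attrs.get("bundle-version", attrs.get("version", "")).strip('"').lstrip("[(").split(",")[0]
            if name.startswith("com.spotify.docker.client"):
                findings.append((header, name, "package renamed to org.mandas.docker.client"))
            if lower in REMOVED.get(name, ()):
                findings.append((header, name, f"version {lower} is being removed from Orbit"))
    return findings
```

Run it over each bundle's META-INF/MANIFEST.MF in a consuming project to get the list of entries to update before the Orbit change lands.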
