In that case I don't understand why do we need Orbit at all. With
the latest announcements regarding tycho capabilities from Christoph
+ lack of resources to support Orbit in safe form it seems to be
useless.
I fully agree with you here and that's how we plan to do things for Eclipse Platform starting from the 2022-06 release. For me Orbit is on life support until some final bits are in place to use plain Maven Central. Note that there are some things like Ant where Orbit does way more so it may stay in some very reduced form for such cases.
IMHO, people should actively remove
content from Orbit that has CVEs. Much like with any
other project. Even without replacing it with a fixed
version. We will be better with less but trusted
content than questioning ourselves for each artifact.
Agreed. There is usually a clean-up/removal of unneeded stuff.
But the downloads are still available for projects consuming the
repositories.
>[...] That is definitely
something
> new, since Orbit was a trusted source of 3rd
party libraries for many
> years.
That's a misconception. Orbit essentially is like
Maven Central. Instead of Maven Artifacts it distributes Eclipse
plug-in artifacts. Maven Central still distributes the
vulnerable Log4j version and ton of other libraries with CVEs.
Does that make it a less trustworthy source now? I don't think
so. Consumers still need to stay on top of those.
