Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse: update to 2.16.0?
It's not entirely clear that a generous layer of critique and
pessimism as icing on the neglect-and-apathy cake will help the
broader team be more motivated to work toward a more viable
solution. Certainly I personally find it hugely challenging to
deal with what feels like an endless stream of disruptive changes
that percolate their way through my software stack. My projects
are like book ends on this train. Add to that playing police and
being the emergency response team, complemented by disruptive
infrastructure changes to add to the confusion, and it feels like
the goodness just never ends. I could spend some time pointlessly
pointing fingers at whom to blame for all these messy things. But
I always remind myself that when I point fingers at others,
several of my own fingers are always pointing back at me. So I
try to focus on what can be done to make things better and what I
can do to enable those.
Let's also look at some of the positives. We are building a
highly complex system, comprising a great many moving parts, with
a lot of very busy people involved, to deliver some really amazing
results, on time, four times a year. Surely we're doing a few
things right...
Cheers,
Ed
On 13.01.2022 14:51, Aleksandar Kurtakov wrote:
> Orbit essentially is like Maven Central
In that case I don't understand why
we need Orbit at all. With the
latest announcements regarding tycho
capabilities from Christoph + lack
of resources to support Orbit in
safe form it seems to be useless.
You have hit the nail on the
head! Although useless is going a little
far. Orbit does not likely have a long
term future. However as there are many
projects that build from it still we need
it. Also there is a problem if multiple
projects start contributing the same
version of third party lib that will
hopefully be solved in the future with PGP
signing.
Orbit should not be directly
contributing to simrel, but for a variety
of reasons it does (see comments in the
file)
As mentioned in the Gerrit,
passage's p2 repo should be publishing its
third party deps and it should be possible
for consumers to install passage from
passage's p2 repo without requiring an
orbit repo be added too.
I know for sure that
numerous projects are not quite doing that
(again see comments in orbit.aggrcon) but
hopefully at some point the temporary
contribution of orbit to simrel directly
can be removed.
I would dare to say that as long as the
workarounds are in simrel nothing will get
fixed - it's time to face reality.
Probably correct, but I don't have the
nerve to disable (or knowledge/time to fix) Mylyn.
^^ Exactly - the amount of complaints from people not
paying attention and putting burden on others to work around
for them is what made me lose trust that simrel is a viable
approach.
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
--
Aleksandar Kurtakov
Red Hat Eclipse Team