Skip to main content
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] Eclipse Platform to prefer use of dependencies from Maven Central rather than Orbit


On Tue, Apr 5, 2022 at 2:57 PM Dirk Fauth via cross-project-issues-dev <cross-project-issues-dev@xxxxxxxxxxx> wrote:
@Aleks
Maybe jetty is already signed correctly? How will be the process for unsigned content? 

This has been an ongoing topic for the last year or so. The core is https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/blob/master/eclipse.platform.releng.tychoeclipsebuilder/pom.xml#L38 which defines which key to use to sign (every project has a gpg key which is available via the Jenkins build).There is a param that defines that only non-jarsigned content is signed with pgp as it's still preferred for our own artifacts to be jarsigned but changing upstream artifacts should be avoided when possible.
 


Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> schrieb am Di., 5. Apr. 2022, 13:54:
 > When Maven Central is not OSGi artifact  Orbit will be preferred.

I can only encourage everyone to open a ticket for such project and help
them to include OSGi meta-data in the first place instead of putting the
effort else-where, as adding those does not harm the project but helps
integration it with just a few extra lines in the manifest.

Am 05.04.22 um 13:48 schrieb Aleksandar Kurtakov:
> Hey everyone,
> With PGP signing support, latest Tycho work and M2E extending PDE so
> *.target files can refer/use dependencies from Maven Central directly
> will prefer to use dependencies from Maven Central when updating to new
> versions of libraries.
> This would be done only when we update to a new version of libraries or
> the dependency we use is no longer available in the latest Orbit build.
> When Maven Central is not OSGi artifact  Orbit will be preferred.
>  From releng POV it would simply remove the middle man (Orbit/EBR) as
> Tycho automates what was achieved via EBR as an intermediate step to be
> part of the regular build.
> Extra benefits are:
> * Eclipse will no longer ship modified version of upstream release (PGP
> signature is in p2 metadata and not modifying the jar as jarsigner does)
> * Eclipse will not longer ship bundles with symbolic names that do not
> match upstream developers decision (as it happens with number of Orbit
> artifacts)
> * Version updates could be done in chunks rather than all changes at
> once to work with latest Orbit
>
> I strongly encourage other projects to take that path too for third
> party dependencies.
>
>
> --
> Aleksandar Kurtakov
> Red Hat Eclipse Team
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@xxxxxxxxxxx
> To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev


--
Aleksandar Kurtakov
Red Hat Eclipse Team

Back to the top