Re: [glassfish-dev] Potentially missing third party content CQs

[Bill Shannon <bill.shannon@xxxxxxxxxx>]

antlr is going to be a problem.

I believe EclipseLink repackages some version of antlr, but I think this old version is used by the EJB CMP support, which hasn't been touched in many years.  If we have to update EJB CMP to support a newer version of antlr, that might take a long time and a significant amount of work.  I guess we're going to need someone to do more analysis and estimate the effort required.

EJB CMP is optional, but removing that support would probably be at least as much work.

Wayne Beaton wrote on 11/20/18 12:48 PM:

Greetings Eclipse GlassFish Committers.

I ran a quick scan on the project build and discovered a few dependencies that I believe must be taken through the IP Due Diligence Process.

Specifically these three "external" libraries (which I believe are otherwise unmodified "OSGi-ified" versions of third-party content):

org.glassfish.external:antlr:jar:2.7.7:compile

org.glassfish.external:dbschema:jar:6.6:compile

org.glassfish.external:derby:zip:10.13.1.1:compile

The first one is problematic. The Eclipse IP Team has rejected all versions of ANTLR  before 3.0 due to provenance issues. This particular library needs to be updated. Note that the build scripts reference both the "external" and canonical versions of Antlr 2.7.7 (though, the latter is marked "optional").

We've seen other versions of Derby, but not the one specified. We either need a new CQ for that specific version, or one of the already approved versions used instead.

I'm continuing my investigation; I'll let you know if I find anything else.

Wayne

--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

_______________________________________________
glassfish-dev mailing list
glassfish-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/glassfish-dev