| [mdt-papyrus.dev] Batik 1.16 and GMF Runtime 1.15.3 for Eclipse 2022-12 |
Hi Papyrus Team,
As you may have seen in this thread [1], the Orbit repo for 2022-12 has replaced all old versions of Apache Batik with the new version 1.16.0 (released on October 22). GMF Runtime, Graphiti, Sirius and Papyrus are impacted. We all depended on Batik 1.14 (released this summer), but version 1.15 and 1.16 released since then have fixed several CVEs (see [2]).
I think Graphiti has been updated (at least they contributed a
new version [3]).
I have release candidates versions of GMF Runtime (1.15.3) and
Sirius (7.0.6) which both move to Batik 1.16 ready for inclusion
[4], but can not merge them yet as it break Papyrus:
Missing requirement: Papyrus GMF Diagrams Support 4.3.0.202210051746 (org.eclipse.papyrus.infra.gmfdiag.common 4.3.0.202210051746) requires 'osgi.bundle; org.apache.batik.dom [1.14.0,1.15.0)' but it could not be found
Indeed, the repo for GMF Runtime 1.15.3 now only contains Batik
1.16:
https://download.eclipse.org/modeling/gmp/gmf-runtime/updates/milestones/S202211041032/plugins/
Do you think you can get a new version which depends on Batik 1.16
for M3 (I know it's late, M3+3 is this Wednesday), or at least for
RC1 next week?
The corresponding GMF Runtime release will be 1.15.3, see the above patch for the URL of the RC repo.
Regards,
Pierre-Charles David
PS: Note that it is probable that there will be a Batik 1.17
released in the near future; new security fixes have been merged
after the 1.16 release. I have no idea when it is planned, but we
should all be ready to switch (again...).
[1]
https://www.eclipse.org/lists/cross-project-issues-dev/msg19431.html
[2] https://github.com/eclipse/gmf-runtime/issues/23
[3]
https://git.eclipse.org/r/c/simrel/org.eclipse.simrel.build/+/196609
[4]
https://git.eclipse.org/r/c/simrel/org.eclipse.simrel.build/+/196896
-- Pierre-Charles David (Obeo)I have