Re: [orbit-dev] Restarting switch from com.spotify.docker.client to org.mandas.docker.client



On Mon, Apr 20, 2020 at 8:20 PM Homer, Tony <tony.homer@xxxxxxxxx> wrote:
Hi orbit-dev.

I'm returning to an effort that I set aside for a while after missing the cutoff for 2020-03, namely to replace com.spotify.docker.client with org.mandas.docker-client in orbit.  Please see below for the original message which I had sent to cross-project-issues-dev.

org.mandas.docker-client has an updated list of dependencies vs. what I had originally shared, so I wanted to share the updated list of changes here for feedback.
After I make some progress on this I will share with cross-project-issues.

* Add org.mandas.docker-client 3.2.1
* Update jackson to 2.10.3, remove 2.9.9/2.9.93 (this set of changes will include com.fasterxml.jackson.core.jackson-annotations, com.fasterxml.jackson.core.jackson-core, com.fasterxml.jackson.core.jackson-databind, com.fasterxml.jackson.datatype.jackson-datatype-guava, com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)
* Update to jersey 2.30.1, remove 2.22.1 (this set of changes will include org.glassfish.jersey.apache.connector, org.glassfish.jersey.bundles.repackaged.jersey-guava, org.glassfish.jersey.containers.servlet, org.glassfish.jersey.containers.servlet.core, org.glassfish.jersey.core.jersey-client, org.glassfish.jersey.core.jersey-common, org.glassfish.jersey.core.jersey-server, org.glassfish.jersey.ext.entityfiltering, org.glassfish.jersey.media.jersey-media-json-jackson)

Jersey and its deps are eclipse.org projects (https://projects.eclipse.org/projects/ee4j.jersey), so they no longer belong to Orbit, as it's not third-party content, thus no CQ etc. needed. Please engage with the jersey project so they provide (and probably you and/or other Orbit devs help them) a p2 repo.
 
* Update to com.github.jnr.unixsocket 0.28.0, remove 0.18.0
* Add org.immutables.value 2.8.3
* Add com.google.google-auth-library-oauth2-http 0.20.0
* Update org.bouncycastle to 1.65.0, remove 1.61.0, 1.6.40 (this set of changes will include org.bouncycastle.bcpg, org.bouncycastle.bcpkix, org.bouncycastle.bcprov)

On 1/21/20, 2:11 PM, "cross-project-issues-dev-bounces@xxxxxxxxxxx on behalf of Homer, Tony" <cross-project-issues-dev-bounces@xxxxxxxxxxx on behalf of tony.homer@xxxxxxxxx> wrote:

    Over on orbit-dev, Roland Grunberg suggested that I notify this list about this proposed change due to the potential impact on other projects.

    Please refer to https://bugs.eclipse.org/bugs/show_bug.cgi?id=558284 for detailed background info.

    In a nutshell, com.spotify.docker.client (currently available via Orbit) is no longer maintained and has dependencies with CVEs.  A Java docker client is needed by linux-tools docker tooling (and at least one downstream project which is maintained by my team).  org.mandas.docker.client is a fork of Spotify Docker Client which is being actively maintained with special consideration for CVE mitigation.  It preserves the existing interface but changes the package name from com.spotify to org.mandas, so projects using it as a dependency will need to make some updates (but they should be mostly straightforward).  The dependency set is almost entirely updated and in some cases changed in order to eliminate problematic or unmaintained dependencies.  The proposal is to replace com.spotify.docker.client with org.mandas.docker.client in Orbit. This will require a large number of updates in Orbit (many of the updates should be made anyway due to CVEs in the versions which are currently available in Orbit).  The proposed list of changes follows.

    Update to org.slf4j.api 1.7.29, remove 1.7.2 and 1.7.10

    Update jackson to 2.10.1, remove 2.9.9/2.9.93 (this set of changes will include com.fasterxml.jackson.core.jackson-annotations, com.fasterxml.jackson.core.jackson-core, com.fasterxml.jackson.core.jackson-databind, com.fasterxml.jackson.datatype.jackson-datatype-guava, com.fasterxml.jackson.jaxrs.jackson-jaxrs-base, com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider)

    Update to jersey 2.29.1, remove 2.22.1 (this set of changes will include org.glassfish.jersey.apache.connector, org.glassfish.jersey.bundles.repackaged.jersey-guava, org.glassfish.jersey.containers.servlet, org.glassfish.jersey.containers.servlet.core, org.glassfish.jersey.core.jersey-client, org.glassfish.jersey.core.jersey-common, org.glassfish.jersey.core.jersey-server, org.glassfish.jersey.ext.entityfiltering, org.glassfish.jersey.media.jersey-media-json-jackson)

    Update to javax.activation 1.1.1, remove 1.1.0

    Update to org.apache.commons.compress 1.19, remove 1.6.0, 1.15.0, 1.18.0

    Update to com.github.jnr.unixsocket 0.24.0, remove 0.18.0

    Update to org.mockito.core 3.2.0, remove 2.23.0

    Update to ch.qos.logback.* 1.2.3, remove 1.0.7, 1.1.2 (this set of changes will include ch.qos.logback.classic, ch.qos.logback.core, ch.qos.logback.slf4j)

    Add org.immutables.value 2.8.2

    Add com.google.google-auth-library-oauth2-http 0.18.0

    Add com.google.jimfs 1.1

    Add joda-time 2.10.5

    Add org.awaitility 4.0.1

    Add com.squareup.okhttp3.mockwebserver 4.2.2

    Add com.spotify.hamcrest-jackson 1.1.5

    Add com.spotify.hamcrest-pojo 1.1.5




--
Alexander Kurtakov
Red Hat Eclipse Team
