Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [orbit-dev] Upgrade org.apache.axis - 1.7.0 from 1.4.0

Hi ShiHeng,

I will try to tackle some of your questions:

On Mon, 19 Oct 2020 at 21:19, ShiHeng Guan <guans@xxxxxxxxxxxx> wrote:



I want to upgrade axis because of vulnerability issue,


on maven central I see 83 dependencies. 

Yup, that is a lot :-( 

Does it mean I will need to submit CQ for each of those and their  nested dependencies in order to create recipe for axis2 1.7.0?

I hope not. As the Eclipse Foundation moves to a new IP policies it is getting easier because if code is vetted already nothing more needs to be done. There is a command line tool to automatically check code that will help (dash-licenses). The Orbit readme has recently been updated to include:

It's important to ensure that the bundle you're adding has been approved for use in at least one other Eclipse project on IPZilla or ClearlyDefined. In the latter case, please ensure the license is compatible and that the license score is at least 75. See IP Prereq Diligence for further details.


And axis is collection of module, do I need to submit recipe for each module in axis?

I don't know the answer to this one. I suspect some knowledge of the axis project may be needed, so you may be in the best position. Hopefully others on the list can comment regarding similar cases in the past.

I hope to get some feedback to understand the scope of doing this.

I hope that helps and please do ask follow up questions.


I see that few or some are already in the repository not sure of the version requirement.




orbit-dev mailing list
To unsubscribe from this list, visit

Back to the top