Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[tycho-user] is it possible to override version requirements?
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Sat, 30 Jan 2021 22:27:55 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X8XojbqQWebJ5vnh/Y2oypFzyJeXqbMmWoJJ9TQ53U8=; b=FPhdeho2zz6MdgR5lBRY0Bs5Ku9cI/Qcz7dxRtHH7u3vlyl5twARsGkoD9ahvC/0XemEQqJjbB69QOCKDidSvz467TCDc+WYeyO8ID/DAqBJhkAsyXHj/sjsG4R52C9WxcUYI8PmRH3624e2e/d9SzPdHK8RpSPJmaSgwLMBeOuLpqoHQDvsAz4pQbiSSbnox06QkjrkEqdyM5XZC74yiYqKlt6hjK04OYBbnO7GcGvFxq//TyQ4B2CI1olYSAU7JiV+i6hn6U8e4YO2EeXMDhb3X+KWt+qKxDIhGtriIKZ0Oe0RxH+bILnDQUhMd3IabsSE0lAbMu3mbVQ1QUGE7Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=THIuExF+JbyGd/ftI6rO7rke81lmfl4deqro1yStY2mKDTQWYZslcGUmWF8fF93f553PNVddqtW2L5eYFQRYbFAvq6XKXsQH7DLlpQ/gE+hrdxyem2bKpvhwRzPMrFhdR6rPWCxX8cOQGfOUpAEJlhxWm61Cj8nxIN2+9K+Sa/CPDoFe61U3AgBuC/kgjDR59IvSYf/9rBLrHaWPldxv79xI7jNPzV1rK9OYuRY9dzMepX+eTTRozKusjj/dUmRhGYfbIA34fFa+jrJscQJHOwP51KlWZPLw91i6GIsC160vlOs/KQ4z01mnW4xvlx5fLz2/PTtVWfu20q1ciBaxDA==
  • Delivered-to: tycho-user@xxxxxxxxxxx
  • Ironport-sdr: FimBpWVT2unNO5+Ut0XmIbX1akvvYsPi+Gl+R1roHOhknrr/+ghZpwfgVBGMqmD79cWS6aZH6E uIdOyHIr1gHg==
  • Ironport-sdr: 0HnlQ3PeXqoPP0iiPJna0kcHbCO81U8ZKWexuwW+ujj8H5l8x3OfRcFUwKsc80KgICK3QAovOM HpjJDIT714Pw==
  • List-archive: <>
  • List-help: <>
  • List-subscribe: <>, <>
  • List-unsubscribe: <>, <>
  • Thread-index: AQHW91coeRmONC9axkikTmQ3BrAxgg==
  • Thread-topic: is it possible to override version requirements?
  • User-agent: Microsoft-MacOutlook/16.45.21010502

I maintain a fork of epp.packages which is intended to enable me to build Eclipse for C/C++ Developers using a target to override some dependency versions.

This allows me to mitigate some CVEs that show up in between SimRels or are missed in a SimRel.

Then I can, for example, build an updated version of Eclipse for C/C++ Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable dependency.

To do this, I do something like

  1. build a non-vulnerable version that is not yet available in Orbit and publish it in a P2
  2. add it to my target definition
  3. add a version restriction filter to target-platform-definition (
  4. make plans to upstream to Orbit for the next SimRel


I run into a problem many times where one of the Eclipse dependencies wants an exact version of a third-party dependency which has a CVE.


[ERROR] Cannot resolve project dependencies:

[ERROR]   Software being installed: 4.18.0.qualifier

[ERROR]   Missing requirement: 1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu; org.apache.httpcomponents.httpclient [4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found


In this case, I usually I either temporarily remove the feature or follow our internal procedure for temporarily living with the CVE.

I’ve thought about building my own org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which actually contains a newer version of httpclient, but I’m not sure how to do it and it is probably not a good idea 😊


However, today I wondered, is it somehow to possible to override the dependency requirements?

That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.

Is there some way for me to tell Tycho to let it use org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I have made org.apache.httpcomponents.httpclient_4.5.14 available)?

I looked at the Tycho docs and don’t see anything there, so I thought I would come here and ask.


Thanks for reading!

Tony Homer

Back to the top