Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [tycho-user] is it possible to override version requirements?

First of all, whenever you encounter such a problem you should try to convince the project to use package imports with proper version ranges.

That way it is just a matter of delete the old bundle and install the new one with the fix and your done without any rebuild required. That's how OSGi is supposed to work.

For a temporary fix (@Mickael please don't read any further here ;-))

Prepare a patched bundle and use the *same version* in the manifest (just with a different qualifier e.g. org.apache.httpcomponents.httpclient4.5.10.patched-4_5_12, and proceed as described above.

That way you don't even need to rebuild the whole package and as long as there is no binary incompatibility your all set.

Am 30.01.21 um 23:27 schrieb Homer, Tony:
I maintain a fork of epp.packages which is intended to enable me to build Eclipse for C/C++ Developers using a target to override some dependency versions.

This allows me to mitigate some CVEs that show up in between SimRels or are missed in a SimRel.

Then I can, for example, build an updated version of Eclipse for C/C++ Developers 2020-12 with CVE-XYZ mitigated by updating a vulnerable dependency.

To do this, I do something like

 1. build a non-vulnerable version that is not yet available in Orbit
    and publish it in a P2
 2. add it to my target definition
 3. add a version restriction filter to target-platform-definition
 4. make plans to upstream to Orbit for the next SimRel

I run into a problem many times where one of the Eclipse dependencies wants an exact version of a third-party dependency which has a CVE.

[ERROR] Cannot resolve project dependencies:

[ERROR]   Software being installed: 4.18.0.qualifier

[ERROR]   Missing requirement: 1.0.702.v20201025-2303 requires 'org.eclipse.equinox.p2.iu; org.apache.httpcomponents.httpclient [4.5.10.v20200830-2311,4.5.10.v20200830-2311]' but it could not be found

In this case, I usually I either temporarily remove the feature or follow our internal procedure for temporarily living with the CVE.

I’ve thought about building my own org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311 which actually contains a newer version of httpclient, but I’m not sure how to do it and it is probably not a good idea 😊

However, today I wondered, is it somehow to possible to override the dependency requirements?

That is, org.eclipse.epp.package.cpp.feature.feature.group_4.18.0 wants to have org.apache.httpcomponents.httpclient_4.5.10.v20200830-2311.

Is there some way for me to tell Tycho to let it use org.apache.httpcomponents.httpclient_4.5.14 instead (assuming that I have made org.apache.httpcomponents.httpclient_4.5.14 available)?

I looked at the Tycho docs and don’t see anything there, so I thought I would come here and ask.

Thanks for reading!

Tony Homer

tycho-user mailing list
To unsubscribe from this list, visit

Back to the top