Re: [tycho-user] is it possible to override version requirements?
  • From: "Homer, Tony" <tony.homer@xxxxxxxxx>
  • Date: Sun, 31 Jan 2021 20:52:22 +0000

Thanks for the responses, Mickael and Christoph.

Thanks for calling out, but as you concluded, it won't help in my case. is great for cases where I need to force a specific version and no bundles require a different one, but again, the problem I am trying to solve is the one where a bundle requires a specific version and that specific version has a CVE.  
I thought of forking ECF, but I'm afraid that there are other features that want specific versions.  I'm hoping to identify a simpler approach that can work whenever this issue occurs, which it does almost every release.  

Christoph (Mickael don't read)-
I tried something like you suggest.  I used to create an Apache HttpClient 4.5.13 masquerading as 4.5.10.v20200830-2311:
Then I deployed it to our local Nexus and added it to my target definition.
It didn't work because Tycho resolved the upstream version instead and I couldn't figure out any way to force it to take my version (which is actually 4.5.13).
I didn't think of manually replacing it!
It is terribly hacky, but a terribly hacky method is (arguably) better than no method.
I'll try it!

>First of all, whenever you encounter such a problem you should try to convince the project to use package imports with proper version ranges.
Yes, I was thinking about this also, but I wasn't sure what change to ask for.  
org.eclipse.epp.package.cpp.feature actually includes Apache HttpClient in their feature with version=0.0.0, so they end up with whatever version they resolve:
Actually there are several dependencies in the feature.
I think this might be the wrong way to do it - having it in the Import-Package section of the manifest of the bundle that has the dependency should be enough.
The org.eclipse.ecf.provider.filetransfer.httpclient45 manifest has entries for org.apache.http, so I don't think the entries in feature.xml should be needed:
Do I have that right?  I'd like confirmation before I file the bug.


On 1/31/21, 3:10 AM, "tycho-user on behalf of Christoph Läubrich" <tycho-user-bounces@xxxxxxxxxxx on behalf of laeubi@xxxxxxxxxxxxxx> wrote:

    The point is to simply not rebuild the package at all but replace the 
    bundle in the (pre-build) installation.

    On 31.01.21 at 12:07, Mickael Istria wrote:
    > On Sun, Jan 31, 2021 at 10:01 AM Christoph Läubrich 
    > <laeubi@xxxxxxxxxxxxxx <mailto:laeubi@xxxxxxxxxxxxxx>> wrote:
    >     (@Mickael please don't read any further here ;-))
    > You definitely know how to catch my attention! ;)
    >     Prepare a patched bundle and use the *same version* in the manifest
    >     (just with a different qualifier, e.g.
    >     org.apache.httpcomponents.httpclient4.5.10.patched-4_5_12), and proceed
    >     as described above.
    >     That way you don't even need to rebuild the whole package, and as long as
    >     there is no binary incompatibility you're all set.
    > I don't think it would work, the feature does require a specific fully 
    > qualified version. 4.5.10.patched-4_5_12 won't be able to match the 
    > feature requirement.
    > _______________________________________________
    > tycho-user mailing list
    > tycho-user@xxxxxxxxxxx
    > To unsubscribe from this list, visit
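
The two matching rules this thread turns on, as an added example (not code from Tycho, p2, ECF or anyone in the thread): a feature include pinned to a fully qualified version accepts only that exact version, while an Import-Package version range accepts any version inside it. The ranges `[4.5,5)` and `[4.5.13,5)` are constructed for illustration, and the sketch assumes the exported package version equals the bundle version.

```python
import re
from functools import total_ordering


@total_ordering
class OsgiVersion:
    """OSGi version major.minor.micro.qualifier; missing numbers are 0, qualifier ''."""

    def __init__(self, text):
        parts = text.strip().split(".", 3)
        nums = [int(p) for p in parts[:3]]
        nums += [0] * (3 - len(nums))
        # The qualifier is compared as a plain string, after the three numbers.
        self.key = (nums[0], nums[1], nums[2], parts[3] if len(parts) > 3 else "")

    def __eq__(self, other):
        return self.key == other.key

    def __lt__(self, other):
        return self.key < other.key


def feature_include_matches(required, candidate):
    """Built feature include: the candidate must equal the pinned version, qualifier included."""
    return OsgiVersion(required) == OsgiVersion(candidate)


def in_range(version, rng):
    """Import-Package style range: '[a,b)' interval, or a bare 'a' meaning 'a or higher'."""
    v = OsgiVersion(version)
    m = re.fullmatch(r"\s*([\[(])\s*([^,\s]+)\s*,\s*([^\])\s]+)\s*([\])])\s*", rng)
    if not m:
        return v >= OsgiVersion(rng)
    lo, hi = OsgiVersion(m.group(2)), OsgiVersion(m.group(3))
    above = v >= lo if m.group(1) == "[" else v > lo
    below = v <= hi if m.group(4) == "]" else v < hi
    return above and below


PINNED = "4.5.10.v20200830-2311"    # version named in the thread
PATCHED = "4.5.10.patched-4_5_12"   # qualifier suggested in the quoted reply

if __name__ == "__main__":
    print("feature accepts patched qualifier:", feature_include_matches(PINNED, PATCHED))
    print("feature accepts masquerading build:", feature_include_matches(PINNED, PINNED))
    print("[4.5,5) accepts 4.5.13:", in_range("4.5.13", "[4.5,5)"))
    # Constructed range whose floor sits at the fixed release
    print("[4.5.13,5) accepts pinned build:", in_range(PINNED, "[4.5.13,5)"))
```
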