eclipse-mylyn / org.eclipse.mylyn

Eclipse Public License 2.0

Update transitive com.google.gerrit dependencies #567

Open merks opened 2 weeks ago

merks commented 2 weeks ago

While investigating https://github.com/eclipse-simrel/simrel.build/issues/438 I noticed that these very old dependencies are being pulled into SimRel by Mylyn:

image

Specifically via these dependencies:

image

Searching the source, I see these bundles import the packages:

image

I can find what might be updates/replacements for the packages here:

But I don't know that anything from the above is compatible and some of their jars look like dumping grounds that include dependencies, like this one that looks like a dependency closure:

image

I'm concerned about the risk of using 13-year-old libraries that work with passwords for authentication, for which we have essentially no ability to update to newer versions to fix any security problems that may exist or may arise.

I'm fine to help add newer bundles to Orbit, but I'm at a bit of a loss as to which things are actually needed and would provide suitable updated alternatives.

The 3.9.5 version of gerrit-extension-api provides quite a bit and doesn't have so many dependencies, though I've made them all optional here in order to build the jar:

Export-Package                          com.google.auto.value.extension.memoized;version="3.10.0"
                                        com.google.auto.value.extension.serializable;version="3.10.0"
                                        com.google.auto.value.extension.toprettystring;version="3.10.0"
                                        com.google.auto.value;version="3.10.0"
                                        com.google.common.annotations;version="3.10.0"
                                        com.google.common.base.internal;version="3.10.0"
                                        com.google.common.base;version="3.10.0";uses:="com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.cache;version="3.10.0";uses:="com.google.common.base,com.google.common.collect,com.google.common.util.concurrent,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.collect;version="3.10.0";uses:="com.google.common.base,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.escape;version="3.10.0";uses:="com.google.common.base,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.eventbus;version="3.10.0"
                                        com.google.common.graph;version="3.10.0";uses:="com.google.common.collect,com.google.errorprone.annotations,javax.annotation"
                                        com.google.common.hash;version="3.10.0";uses:="com.google.common.base,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.html;version="3.10.0";uses:="com.google.common.escape"
                                        com.google.common.io;version="3.10.0";uses:="com.google.common.base,com.google.common.collect,com.google.common.graph,com.google.common.hash,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.math;version="3.10.0";uses:="javax.annotation"
                                        com.google.common.net;version="3.10.0";uses:="com.google.common.base,com.google.common.collect,com.google.common.escape,com.google.errorprone.annotations,javax.annotation"
                                        com.google.common.primitives;version="3.10.0";uses:="com.google.common.base,com.google.errorprone.annotations,javax.annotation"
                                        com.google.common.reflect;version="3.10.0";uses:="com.google.common.collect,com.google.common.io,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.util.concurrent.internal;version="3.10.0"
                                        com.google.common.util.concurrent;version="3.10.0";uses:="com.google.common.base,com.google.common.collect,com.google.common.util.concurrent.internal,com.google.errorprone.annotations,javax.annotation,org.checkerframework.checker.nullness.qual"
                                        com.google.common.xml;version="3.10.0";uses:="com.google.common.escape"
                                        com.google.gerrit.common;version="3.10.0"
                                        com.google.gerrit.extensions.annotations;version="3.10.0";uses:="com.google.inject"
                                        com.google.gerrit.extensions.api.access;version="3.10.0";uses:="com.google.gerrit.extensions.common"
                                        com.google.gerrit.extensions.api.accounts;version="3.10.0";uses:="com.google.gerrit.common,com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.api.changes;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.annotations,com.google.gerrit.extensions.api.accounts,com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.api.config;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi,com.google.gerrit.extensions.webui"
                                        com.google.gerrit.extensions.api.groups;version="3.10.0";uses:="com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.api.lfs;version="3.10.0"
                                        com.google.gerrit.extensions.api.plugins;version="3.10.0";uses:="com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.api.projects;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.api.access,com.google.gerrit.extensions.api.changes,com.google.gerrit.extensions.api.config,com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.api;version="3.10.0";uses:="com.google.gerrit.extensions.api.accounts,com.google.gerrit.extensions.api.changes,com.google.gerrit.extensions.api.config,com.google.gerrit.extensions.api.groups,com.google.gerrit.extensions.api.plugins,com.google.gerrit.extensions.api.projects"
                                        com.google.gerrit.extensions.auth.oauth;version="3.10.0";uses:="com.google.gerrit.common,com.google.gerrit.extensions.annotations"
                                        com.google.gerrit.extensions.client;version="3.10.0";uses:="com.google.gerrit.common,com.google.gerrit.extensions.common,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions.common;version="3.10.0";uses:="com.google.gerrit.common,com.google.gerrit.extensions.api.accounts,com.google.gerrit.extensions.api.changes,com.google.gerrit.extensions.client,com.google.gerrit.extensions.restapi,com.google.gerrit.extensions.webui"
                                        com.google.gerrit.extensions.conditions;version="3.10.0"
                                        com.google.gerrit.extensions.config;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.extensions.annotations,com.google.inject"
                                        com.google.gerrit.extensions.events;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.annotations,com.google.gerrit.extensions.api.changes,com.google.gerrit.extensions.common"
                                        com.google.gerrit.extensions.registration;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.events,com.google.inject,com.google.inject.binder,com.google.inject.name"
                                        com.google.gerrit.extensions.restapi;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.config,com.google.gerrit.extensions.registration,com.google.inject,com.google.inject.binder"
                                        com.google.gerrit.extensions.systemstatus;version="3.10.0"
                                        com.google.gerrit.extensions.validators;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.extensions.annotations"
                                        com.google.gerrit.extensions.webui;version="3.10.0";uses:="com.google.common.collect,com.google.gerrit.common,com.google.gerrit.extensions.annotations,com.google.gerrit.extensions.client,com.google.gerrit.extensions.common,com.google.gerrit.extensions.conditions,com.google.gerrit.extensions.restapi"
                                        com.google.gerrit.extensions;version="3.10.0"
                                        com.google.inject.assistedinject.internal;version="3.10.0"
                                        com.google.inject.assistedinject;version="3.10.0";uses:="com.google.errorprone.annotations,com.google.inject,com.google.inject.spi"
                                        com.google.inject.binder;version="3.10.0";uses:="com.google.inject,javax.inject"
                                        com.google.inject.internal.aop;version="3.10.0";uses:="com.google.inject.internal"
                                        com.google.inject.internal.asm;version="3.10.0"
                                        com.google.inject.internal.util;version="3.10.0";uses:="com.google.common.base"
                                        com.google.inject.internal;version="3.10.0";uses:="com.google.common.collect,com.google.inject,com.google.inject.binder,com.google.inject.spi,javax.inject"
                                        com.google.inject.matcher;version="3.10.0"
                                        com.google.inject.multibindings;version="3.10.0";uses:="com.google.errorprone.annotations,com.google.inject,com.google.inject.binder,com.google.inject.spi"
                                        com.google.inject.name;version="3.10.0";uses:="com.google.inject"
                                        com.google.inject.servlet;version="3.10.0";uses:="com.google.inject,com.google.inject.spi,javax.inject,javax.servlet,javax.servlet.http"
                                        com.google.inject.spi;version="3.10.0";uses:="com.google.common.collect,com.google.inject,com.google.inject.internal,com.google.inject.matcher,javax.inject,org.aopalliance.intercept"
                                        com.google.inject.util;version="3.10.0";uses:="com.google.errorprone.annotations,com.google.inject,jakarta.inject,javax.inject"
                                        com.google.inject;version="3.10.0";uses:="com.google.errorprone.annotations,com.google.inject.binder,com.google.inject.matcher,com.google.inject.spi,jakarta.inject,javax.inject,org.aopalliance.intercept"
                                        com.google.j2objc.annotations;version="3.10.0"
                                        com.google.thirdparty.publicsuffix;version="3.10.0";uses:="com.google.common.collect"
                                        jakarta.inject;version="3.10.0"
                                        javax.inject;version="3.10.0"
                                        org.aopalliance.aop;version="3.10.0"
                                        org.aopalliance.intercept;version="3.10.0";uses:="org.aopalliance.aop"
Import-Package                          android.os;resolution:=optional
                                        com.google.appengine.api.utils;resolution:=optional
                                        com.google.appengine.api;resolution:=optional
                                        com.google.apphosting.api;resolution:=optional
                                        com.google.errorprone.annotations.concurrent;resolution:=optional
                                        com.google.errorprone.annotations;resolution:=optional
                                        java.io;resolution:=optional
                                        java.lang.annotation;resolution:=optional
                                        java.lang.invoke;resolution:=optional
                                        java.lang.ref;resolution:=optional
                                        java.lang.reflect;resolution:=optional
                                        java.lang;resolution:=optional
                                        java.math;resolution:=optional
                                        java.net;resolution:=optional
                                        java.nio.channels;resolution:=optional
                                        java.nio.charset;resolution:=optional
                                        java.nio.file.attribute;resolution:=optional
                                        java.nio.file;resolution:=optional
                                        java.nio;resolution:=optional
                                        java.security;resolution:=optional
                                        java.sql;resolution:=optional
                                        java.text;resolution:=optional
                                        java.time;resolution:=optional
                                        java.util.concurrent.atomic;resolution:=optional
                                        java.util.concurrent.locks;resolution:=optional
                                        java.util.concurrent;resolution:=optional
                                        java.util.function;resolution:=optional
                                        java.util.jar;resolution:=optional
                                        java.util.logging;resolution:=optional
                                        java.util.regex;resolution:=optional
                                        java.util.stream;resolution:=optional
                                        java.util.zip;resolution:=optional
                                        java.util;resolution:=optional
                                        javax.annotation.meta;resolution:=optional
                                        javax.annotation;resolution:=optional
                                        javax.crypto.spec;resolution:=optional
                                        javax.crypto;resolution:=optional
                                        javax.servlet.http;resolution:=optional
                                        javax.servlet;resolution:=optional
                                        org.checkerframework.checker.nullness.qual;resolution:=optional
                                        sun.misc;resolution:=optional

Are there other alternatives for eliminating dependencies on old unsupported libraries?
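The manifest listing in the comment above can be audited mechanically. The following is an added example, not code from the thread or from the Mylyn or Gerrit projects: it parses OSGi `Export-Package` and `Import-Package` headers, separates the bundle's own packages from the embedded third-party ones, and reports that the embedded ones are all exported at the bundle's version, so the manifest does not say which release of each embedded library is inside. The `OWN_PREFIX` value and the shortened sample headers are assumptions built from the listing.

```python
import re

# Constructed sample: clauses copied from the listing above, comma-joined as
# they would appear in a MANIFEST.MF header (the listing shows one per line).
EXPORT_PACKAGE = (
    'com.google.common.base;version="3.10.0";'
    'uses:="com.google.errorprone.annotations,javax.annotation",'
    'com.google.gerrit.common;version="3.10.0",'
    'com.google.gerrit.extensions.api.lfs;version="3.10.0",'
    'com.google.inject.name;version="3.10.0";uses:="com.google.inject",'
    'javax.inject;version="3.10.0"'
)
IMPORT_PACKAGE = "javax.crypto;resolution:=optional,sun.misc;resolution:=optional"
OWN_PREFIX = "com.google.gerrit"  # assumption: the bundle's own namespace

def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted values."""
    parts, buf, quoted = [], [], False
    for ch in text:
        quoted ^= (ch == '"')  # toggle quoted state on every double quote
        if ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_header(value):
    """Map each package to its attributes (version=) and directives (uses:=)."""
    packages = {}
    for clause in split_outside_quotes(value, ","):
        names, params = [], {}
        for field in split_outside_quotes(clause, ";"):
            m = re.match(r"^([\w.-]+):?=(.*)$", field)
            if m:
                params[m.group(1)] = m.group(2).strip('"')
            else:
                names.append(field)
        for name in names:  # one clause may name several packages
            packages[name] = params
    return packages

def audit(export_header, import_header, own_prefix):
    """Split exports into own vs. embedded packages and list optional imports."""
    exports = parse_header(export_header)
    imports = parse_header(import_header)
    own = sorted(p for p in exports if (p + ".").startswith(own_prefix + "."))
    embedded = sorted(set(exports) - set(own))
    return {
        "own": own,
        "embedded": embedded,
        "embedded_versions": {exports[p].get("version") for p in embedded},
        "optional_imports": sorted(p for p in imports if imports[p].get("resolution") == "optional"),
    }
```

A single value in `embedded_versions` that matches the bundle's own version is the signal that the jar re-exports a dependency closure under its own version number.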

BeckerFrank commented 2 weeks ago

In https://github.com/eclipse-mylyn/org.eclipse.mylyn/discussions/511 we were asked whether we support Gerrit. We haven't made any changes for years, so the supported Gerrit version is EOL and we have the old dependencies.

Mylyn Gerrit support won't be as important because Eclipse now uses GitHub and GitLab.

Maybe we don't have the resources and should ask for help.

merks commented 2 weeks ago

Yes, very few Eclipse projects are using Gerrit. EGit is using it though, but that doesn't produce resource.

Maybe we should remove the gerrit contribution from SimRel? They are not consumed by the EPP products.

merks commented 2 weeks ago

I created this PR to disable the Gerrit-based contributions to SimRel:

https://github.com/eclipse-simrel/simrel.build/pull/445

Please speak up if you have an opinion about this.

gnl42 commented 2 weeks ago

Why don't we move the gerrit connector into its own repository?

BeckerFrank commented 2 weeks ago

> Why don't we move the gerrit connector into its own repository?

We've been through this before. It was https://github.com/eclipse-mylyn/org.eclipse.mylyn.reviews.

Gerrit is the only supported ReviewsConnector. But is it worth creating a ReviewsConnector for GitHub and GitLab, since they have pull/merge requests? Same for BuildConnector and Jenkins.

I'm not sure how important ReviewsConnector and BuildConnector are in this day and age. Should we clarify this in a separate discussion?

ruspl-afed commented 2 weeks ago

Feel free to create a discussion for the topic "How important ReviewsConnector and BuildConnector are in this day and age" @BeckerFrank

As for Gerrit support in particular and its required dependencies, I would just remove them without extracting to a separate repository. Those who want to revive them back to a SimRel grade can always use our latest release as a starting point.