Open merks opened 2 weeks ago
In https://github.com/eclipse-mylyn/org.eclipse.mylyn/discussions/511 we were asked whether we support Gerrit. We haven't made any changes for years, so the supported Gerrit version is EOL and we have the old dependencies.
Mylyn Gerrit support won't be as important because Eclipse now uses GitHub and GitLab.
Maybe we don't have the resources and should ask for help.
Yes, very few Eclipse projects are using Gerrit. EGit is using it though, but that doesn't produce resource.
Maybe we should remove the Gerrit contributions from SimRel? They are not consumed by the EPP products.
I created this PR to disable the Gerrit-based contributions to SimRel:
https://github.com/eclipse-simrel/simrel.build/pull/445
Please speak up if you have an opinion about this.
Why don't we move the Gerrit connector into its own repository?
Why don't we move the Gerrit connector into its own repository?
We've been through this before. It was https://github.com/eclipse-mylyn/org.eclipse.mylyn.reviews.
Gerrit is the only supported ReviewsConnector. But is it worth creating a ReviewsConnector for GitHub and GitLab, since they have pull/merge requests? Same for BuildConnector and Jenkins.
I'm not sure how important ReviewsConnector and BuildConnector are in this day and age. Should we clarify this in a separate discussion?
Feel free to create a discussion for the topic "How important ReviewsConnector and BuildConnector are in this day and age" @BeckerFrank
As for Gerrit support in particular and its required dependencies, I would just remove them without extracting to a separate repository. Those who want to revive them back to a SimRel grade can always use our latest release as a starting point.
While investigating https://github.com/eclipse-simrel/simrel.build/issues/438 I noticed that these very old dependencies are being pulled into SimRel by Mylyn:
Specifically via these dependencies:
Searching the source, I see these bundles import the packages:
I can find what might be updates/replacements for the packages here:
But I don't know that anything from the above is compatible and some of their jars look like dumping grounds that include dependencies, like this one that looks like a dependency closure:
I'm concerned about the risk of using 13-year-old libraries that work with passwords for authentication for which we have essentially no ability to update to newer versions to fix any security problems that may exist or may arise.
I'm fine to help add newer bundles to Orbit, but I'm at a bit of a loss which things are actually needed and would provide suitable updated alternatives.
The 3.9.5 version of gerrit-extension-api provides quite a bit and doesn't have so many dependencies, though I've made them all optional here in order to build the jar:
Are there other alternatives for eliminating dependencies on old unsupported libraries?