http used during oomph

[jukzi]

Setting up eclipse installer https://www.eclipse.org/setups/installer/?url=https://raw.githubusercontent.com/eclipse-platform/eclipse.platform.releng.aggregator/master/oomph/PlatformSDKConfiguration.setup&show=true logs this warning:

Using unsafe http transport to retrieve http://zipeditor.sourceforge.net/update, see CVE-2021-41033. Consider using https instead.

eclipse.buildId=4.25.0.I20220828-1800
java.version=17.0.4
java.vendor=Eclipse Adoptium
BootLoader constants: OS=win32, ARCH=x86_64, WS=win32, NL=de_DE
Command-line arguments:  -os win32 -ws win32 -arch x86_64

@merks any idea?

[merks]

It's a little like this one:

https://github.com/eclipse-pde/eclipse.pde/issues/259

I assume you see that in the IDE not in the installer?

I know that p2 keeps a history of all repositories in the profile. I wonder if that site is present in those preferences:

Note how the folder name of the installation is used to determine the file name of the profile folder.

[jukzi]

I assume you see that in the IDE not in the installer?

yes.

it is in *.prefs files:

eclipse-SDK-I20220828-1800-win32-x86_64\eclipse\p2\org.eclipse.equinox.p2.engine\profileRegistry\SDKProfile.profile\.data\.settings\org.eclipse.equinox.p2.metadata.repository.prefs

repositories/http\:__zipeditor.sourceforge.net_update/uri=http\://zipeditor.sourceforge.net/update

[jukzi]

there is also: repositories/http\:__andrei.gmxhome.de_eclipse/uri=http\://andrei.gmxhome.de/eclipse/

i can't "wget" neither this (timeout) or the other (error 403)

So may be it should just be removed? - where?

[jukzi]

@iloveeclipse can that "http://zipeditor" be removed? https://github.com/eclipse-platform/eclipse.platform.ui/blame/50c198705372a3ce4bffb34e8cda443ebf300853/releng/org.eclipse.ui.releng/platformUiTools.p2f#L235

[merks]

Are these also listed in Window -> Preferences -> Install/Update -> Available Update Sites? Probably not...

I have a sense p2 just accumulates such sites but doesn't always surface them to the user. Normally one wouldn't expect any site that isn't listed as available to be used anywhere, but the org.eclipse.equinox.p2.repository.IRepositoryManager.getKnownRepositories(int) method, depending on the flags (e.g., IRepositoryManager.REPOSITORIES_ALL) does return the things you see in these preferences and then could load them but if it doesn't show that the to user via the preferences then it's obviously hard to control...

[jukzi]

i can't see that zipeditor in the preferences dialog but another http:

[merks]

Yes, this sort of matches my vague recollection that there is something odd and strange at play here, i.e., an issue surfaces in a bunch of places, including in PDE where it has this utility in P2TargetUtils:

[iloveeclipse]

@iloveeclipse can that "http://zipeditor" be removed? https://github.com/eclipse-platform/eclipse.platform.ui/blame/50c198705372a3ce4bffb34e8cda443ebf300853/releng/org.eclipse.ui.releng/platformUiTools.p2f#L235

Please let it there. Sourceforge doesn't provide https for some reason, and zip editor is very handy to inspect /modify jar/zip/tar.gz files from Eclipse.

[jukzi]

Sourceforge doesn't provide https for some reason

https://sourceforge.net/p/forge/documentation/Convert%20your%20website%20to%20HTTPS/

[iloveeclipse]

Created https://github.com/uvoigt/zipeditor/issues/1

[laeubi]

Please let it there. Sourceforge doesn't provide https for some reason, and zip editor is very handy to inspect /modify jar/zip/tar.gz files from Eclipse.

Maybe it would be good to adopt the project to the platform itself?

[iloveeclipse]

Maybe it would be good to adopt the project to the platform itself?

@uvoigt, WDYT?

[akurtakov]

Is there smth left to be done here?

[jukzi]

thanks.