Greetings Eclipse GlassFish Committers.
I ran a quick scan on the project build and discovered a few dependencies that I believe must be taken through the IP Due Diligence Process.
Specifically these three "external" libraries (which I believe are otherwise unmodified "OSGi-ified" versions of third-party content):
org.glassfish.external:antlr:jar:2.7.7:compile
org.glassfish.external:dbschema:jar:6.6:compile
org.glassfish.external:derby:zip:10.13.1.1:compile
The first one is problematic. The Eclipse IP Team has rejected all versions of ANTLR before 3.0 due to provenance issues. This particular library needs to be updated. Note that the build scripts reference both the "external" and canonical versions of ANTLR 2.7.7 (though the latter is marked "optional").
We've seen other versions of Derby, but not the one specified. We either need a new CQ for that specific version, or one of the already approved versions used instead.
I'm continuing my investigation; I'll let you know if I find anything else.
Wayne
--
Wayne Beaton
Director of Open Source Projects | Eclipse Foundation, Inc.