Re: [glassfish-dev] Potentially missing third party content CQs

On 11/20/18 12:48 PM, Wayne Beaton wrote:
Greetings Eclipse GlassFish Committers.

I ran a quick scan on the project build and discovered a few dependencies that I believe must be taken through the IP Due Diligence Process.

Specifically these three "external" libraries (which I believe are otherwise unmodified "OSGi-ified" versions of third-party content):

org.glassfish.external:antlr:jar:2.7.7:compile
org.glassfish.external:dbschema:jar:6.6:compile
org.glassfish.external:derby:zip:10.13.1.1:compile

The first 2 are indeed OSGi repackaging.
derby.zip is a maven repackaging of http://mirror.olnevhost.net/pub/apache//db/derby/db-derby-10.13.1.1/db-derby-10.13.1.1-bin.zip

The first one is problematic. The Eclipse IP Team has rejected all versions of ANTLR before 3.0 due to provenance issues. This particular library needs to be updated. Note that the build scripts reference both the "external" and canonical versions of Antlr 2.7.7 (though, the latter is marked "optional").

We've seen other versions of Derby, but not the one specified. We either need a new CQ for that specific version, or one of the already approved versions used instead.

I'm continuing my investigation; I'll let you know if I find anything else.

Wayne

--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation, Inc.

