Hi all,
FYI,
Platform has decided to reduce how much it relies on Orbit, at least for test dependencies at the moment. It has been identified for a long time that the current process to update dependencies for Platform is far too expensive, as it requires modifying Orbit code, doing builds and then updating Platform... just to get an update of e.g. Mockito, while the upstream Mockito jar on Maven Central is safe to use (from an IP perspective and according to Maven Central governance). The only thing that Orbit was providing which upstream jars are missing is jarsigning with Eclipse certificates.
Platform started by removing the test dependencies from SimRel to get rid of the jarsigning requirement. That was already a success for the project: fewer things pushed into SimRel means fewer constraints for Platform. So a first lesson is that I would recommend contributing to SimRel only the bare minimal stuff, as it is profitable to get rid of some constraints.
However, signing is important. That's why Platform/p2/Tycho have, for a few versions now, enabled a strategy that allows adding PGP signatures to p2 metadata and getting those signatures verified at installation, in order to let users decide whether to trust a given signature or not, as a way to decide whether to trust a jar or not (quite similarly to certificate checks).
Maybe this strategy can also be profitable to your project ;)
Cheers