Rework 3rd party dependency handling in Eclipse IDE and dependent projects (Eclipse Orbit update)
The Eclipse Orbit project has long provided a common location for managing the 3rd party libraries of the Eclipse IDE ecosystem. Over time, the technology for handling third-party libraries has changed; for example, third-party content can now be consumed directly from its original publication location (i.e., Maven Central) using new features of Target Platform management. The Orbit project is therefore in need of a complete overhaul. Orbit's proper maintenance of up-to-date 3rd party libraries is essential for the effective management of SimRel and, ultimately, for responsiveness to security threats.
The Orbit project currently maintains roughly 300 recipes that use the Eclipse Bundle Recipe (EBR) infrastructure, which is now also maintained by the Orbit project, to produce wrapped OSGi bundles. Many of these wrapped libraries are already available as OSGi bundles and should be removed. Other libraries still need wrapping, but there are more modern, well-supported ways to achieve that goal, i.e., using m2e's Maven target locations with BND instructions, which is also directly supported by Tycho. A significant number of the recipes are questionable and/or wrap stale dependencies. Target-location-based infrastructure is anticipated to be significantly more amenable to automated analysis and simplified maintenance, as demonstrated by the current proof-of-concept work-in-progress:
https://github.com/eclipse-orbit/orbit-simrel/
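As an added illustration of why target locations lend themselves to automated analysis (this is not code from Orbit or the orbit-simrel repository), the Python sketch below lists every Maven coordinate declared in a target definition and whether a manifest may be generated for it. The sample target file and its org.example coordinates are constructed, and the element and attribute names follow the m2e Maven target location format as assumed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample target definition; the org.example coordinates are placeholders.
SAMPLE_TARGET = """<target name="constructed-example">
  <locations>
    <location type="Maven" missingManifest="generate" includeDependencyDepth="none">
      <dependencies>
        <dependency>
          <groupId>org.example</groupId>
          <artifactId>plain-lib</artifactId>
          <version>1.2.3</version>
        </dependency>
      </dependencies>
      <instructions><![CDATA[
Bundle-SymbolicName: wrapped.${mvnGroupId}.${mvnArtifactId}
Export-Package: *;version="${version}";-noimport:=true
]]></instructions>
    </location>
    <location type="Maven" missingManifest="error" includeDependencyDepth="none">
      <dependencies>
        <dependency>
          <groupId>org.example</groupId>
          <artifactId>osgi-ready-lib</artifactId>
          <version>4.5.6</version>
        </dependency>
      </dependencies>
    </location>
  </locations>
</target>"""

def inventory(target_xml):
    """Return one record per Maven dependency declared in a target definition."""
    records = []
    for loc in ET.fromstring(target_xml).iter("location"):
        if loc.get("type") != "Maven":
            continue  # p2 and other location types carry no Maven coordinates
        bnd = (loc.findtext("instructions") or "").strip()
        for dep in loc.iter("dependency"):
            gav = ":".join((dep.findtext(tag) or "").strip()
                           for tag in ("groupId", "artifactId", "version"))
            records.append({
                "gav": gav,  # exact upstream coordinate, usable for advisory lookups
                "manifest_may_be_generated": loc.get("missingManifest") == "generate",
                "custom_bnd": bool(bnd),  # hand-written BND instructions to review
            })
    return records

if __name__ == "__main__":
    for record in inventory(SAMPLE_TARGET):
        print(record)
```

Because each record carries the exact upstream groupId:artifactId:version, the same list can be compared against published versions or security advisories without reverse-engineering what a wrapped bundle contains.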
Goals and Tasks
- Migrate all recipes to use Maven target locations; the assumption is that this is 100% feasible. This would allow Orbit to drop support for EBR.
- Provide tools, infrastructure, and documentation to easily add new libraries; it's a significant challenge to track down dependencies, especially package imports, as well as to author correct BND instructions.
- Fully automate analyzing, updating, and building of dependencies.
- Ensure that the specific and immediate needs of key SimRel projects are fully satisfied despite this churn.