Community
Participate
Working Groups
org.eclipse.wst.server_adapters.feature.feature.group 3.2.600.v201708030026 contains (not requires, but INCLUDES) these two old jetty plugins: <plugin id="org.eclipse.jetty.webapp" version="9.4.5.v20170502" download-size="0" install-size="0" unpack="false"/> <plugin id="org.eclipse.jetty.xml" version="9.4.5.v20170502" download-size="0" install-size="0" unpack="false"/> This should be fixed such that the feature REQUIRES, but does not INCLUDE jetty, so that it can depend on the latest 9.4.7, without having to rebuild this feature every time a new version is shipped.
New Gerrit change created: https://git.eclipse.org/r/112360
New Gerrit change created: https://git.eclipse.org/r/112364
New Gerrit change created: https://git.eclipse.org/r/112365
New Gerrit change created: https://git.eclipse.org/r/112366
New Gerrit change created: https://git.eclipse.org/r/112367
New Gerrit change created: https://git.eclipse.org/r/112369
New Gerrit change created: https://git.eclipse.org/r/112368
Fixes for R3_9_maintenance: https://git.eclipse.org/r/#/c/112367/1/wtp-parent/pom.xml (use Jetty 9.4.7) then https://git.eclipse.org/r/#/c/112366/ Fixes for master: https://git.eclipse.org/r/#/c/112364/1/wtp-parent/pom.xml (use Jetty 9.4.7) then https://git.eclipse.org/r/#/c/112368/ (cherry-picked from R3_9_maintenance) and https://git.eclipse.org/r/#/c/112369/ (bump versions)
Gerrit change https://git.eclipse.org/r/112364 was merged to [master]. Commit: http://git.eclipse.org/c/webtools/webtools.releng.aggregator.git/commit/?id=217ded62b7af94b0e2f3c6047208b097275c8c65
Gerrit change https://git.eclipse.org/r/112366 was merged to [R3_9_maintenance]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=3102f5f1096468d12581f1cb603138299461f2c7
New Gerrit change created: https://git.eclipse.org/r/112583
Gerrit change https://git.eclipse.org/r/112583 was merged to [R3_9_maintenance]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=dc2a4e7c73d468c4f80825c2ab876de936dfe372
Gerrit change https://git.eclipse.org/r/112368 was merged to [master]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=7eb2cca5f46345ab1af13867022d5c540a529d45
Gerrit change https://git.eclipse.org/r/112369 was merged to [master]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=bf37adc35daa1c82d604fb93fb00f64d94f1a430
Gerrit change https://git.eclipse.org/r/112367 was merged to [R3_9_maintenance]. Commit: http://git.eclipse.org/c/webtools/webtools.releng.aggregator.git/commit/?id=994109c3f8bd627de0007a8cacdad4c5e2e4f7cf
New Gerrit change created: https://git.eclipse.org/r/112593
112593 is to reapply the original changes from 112366 on R3_9_maintenance that I merged too prematurely.
Chatted with Victor about this today and he asked me to post some comments on the relative safety of this change in R3_9 branch: * Explain why you believe this is a stop-ship defect. Or, if it is a "hotbug" (requested by an adopter) please document it as such. Not a stop-ship. Could be done in Oxygen.3 if no time to review/approve for Oxygen.2.RC4. Oxygen.2 has moved to Jetty 9.4.7 to fix some CVE issues in 9.4.6 and earlier, but still includes a few Jetty 9.4.5 jars, which will probably disappear in Oxygen.3 http://www.cvedetails.com/cve/CVE-2017-9735/ * Is there a work-around? If so, why do you believe the work-around is insufficient? Workaround: keep using Jetty 9.4.5 despite CVE issues. Insufficient because CVE issues, and because in future Oxygen.3 will probably drop Jetty 9.4.5 entirely. * How has the fix been tested? Patch applied. Build run with Tycho 0.21 and 1.0. No obvious build failures seen. * Is there a test case attached to the bugzilla record? Has a JUnit Test been added? There are no tests for jst.server.preview or jst.server.preview.adapter in webtools.servertools or webtools.servertools.tests. I did not write one because I'm honestly not sure how Jetty is used in these plugins, or how I would write a test for that usage. * Give a brief technical overview. Who has reviewed this fix? Victor has reviewed and said, "I'm +1 on getting rid of ancient jetty and keeping the only one to depend on" Elson has reviewed and pushed the fix in master branch, so the only concern appears to be the fact that we're quickly approaching RC4 and at this point only PMC-approved changes should be done. * What is the risk associated with this fix? Something untested may stop working with Jetty 9.4.7 vs. 9.4.5, but that seems unlikely. See release notes for 9.4.6 and 9.4.7 on this page but clicking the "..." buttons to show the release notes per release: https://github.com/eclipse/jetty.project/releases One major improvement in 9.4.7 is that it adds "JDK 9 build compatibility".
FWIW, I also found two additional files that require o.e.jetty, but I'm not sure we need to change these, unless we wanted to explicitly list MORE required jetty bundles: http://git.eclipse.org/c/servertools/webtools.servertools.git/tree/plugins/org.eclipse.jst.server.preview.adapter/src/org/eclipse/jst/server/preview/adapter/internal/core/PreviewLaunchConfigurationDelegate.java#n45 http://git.eclipse.org/c/servertools/webtools.servertools.git/tree/plugins/org.eclipse.wst.server.preview.adapter/src/org/eclipse/wst/server/preview/adapter/internal/core/PreviewLaunchConfigurationDelegate.java#n48 Comparing the list of required bundles in the manifest.mf [1] to those listed in the above 2 PreviewLaunchConfigurationDelegate.java files, we see that: wst.server.preview.adapter .java files contain: continuation, http, io, (security), server, servlet, util, webapp, (xml) manifest: (continuation), http, io, (security), server, servlet, util, webapp, xml (items in parentheses are missing compared to other files) [1] http://git.eclipse.org/c/servertools/webtools.servertools.git/tree/plugins/org.eclipse.wst.server.preview/META-INF/MANIFEST.MF#n12 So, perhaps we need a modified PR here, which adds jetty.continuation and jetty.security to the manifest, and to the list of REQUIRED_BUNDLE_IDS in the wst.server.preview. Might as well be consistent in all three places, right?
New Gerrit change created: https://git.eclipse.org/r/112657
New Gerrit change created: https://git.eclipse.org/r/112656
New Gerrit change created: https://git.eclipse.org/r/112658
Fix for master: * https://git.eclipse.org/r/112658 Fixes for R3_9_m: * https://git.eclipse.org/r/112657 * https://git.eclipse.org/r/112656 ( which duplicates Elson's resubmit of https://git.eclipse.org/r/112593 )
Verified that the Eclipse Platform will ship with Jetty 9.4.7 - bug 522072 . WTP needs to be in sync.
Gerrit change https://git.eclipse.org/r/112656 was merged to [R3_9_maintenance]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=0df3b3f5a5bf39376f93aad0115d3e58a3068899
Gerrit change https://git.eclipse.org/r/112657 was merged to [R3_9_maintenance]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=e88b05e06a664452fe3e685687fd04d678fec66c
Is there an ETA for a WTP build that includes the changes? I could quickly validate such a build as right now I have a build failure in an Oracle product due to this.
(In reply to Konstantin Komissarchik from comment #27) > Is there an ETA for a WTP build that includes the changes? I could quickly > validate such a build as right now I have a build failure in an Oracle > product due to this. Konstantin, I just kicked off a WTP-R3_9_x_Maintenance build with this change. (And as soon as I get a good build, I will send out a smoke test request for RC4.)
After this change WTP repo no longer contains any Jetty bundles. The problem is that the platform doesn't contain all Jetty bundles. Trying to combine the two without a separate source of complete Jetty of a version that's identical to what's in the platform leads to the following problem: [java] Cannot complete the install because one or more required items could not be found. [java] Software being installed: WST Server Adapters 3.2.601.v201711302104 (org.eclipse.wst.server_adapters.feature.feature.group 3.2.601.v201711302104) [java] Missing requirement: Preview Server Support 1.1.501.v201711302104 (org.eclipse.wst.server.preview 1.1.501.v201711302104) requires 'bundle org.eclipse.jetty.webapp [9.4.7,10.0.0)' but it could not be found [java] Cannot satisfy dependency: [java] From: WST Server Adapters 3.2.601.v201711302104 (org.eclipse.wst.server_adapters.feature.feature.group 3.2.601.v201711302104) [java] To: org.eclipse.wst.server.preview [1.1.501.v201711302104] Perhaps that's ok, but we should document on WTP build page that WTP now requires Jetty that must be separately supplied, like we do for other dependencies. PS: It would be nice if a similar change was made to the platform so that one could have more freedom of which Jetty version to supply into the mix.
Are we suppose to point to the Jetty 9.4.7 repository to get the dependencies installed? I think the WTP-R3_9_x_Maintenance fails to install our server tools features because of dependency issues.
Yes, add this repo: http://download.eclipse.org/jetty/updates/jetty-bundles-9.x/9.4.7.v20170914/
Thanks, that repository fixed the install issue.
Gerrit change https://git.eclipse.org/r/112658 was merged to [master]. Commit: http://git.eclipse.org/c/servertools/webtools.servertools.git/commit/?id=5357f7f2883e02877533557acaa8692d4e68b6ea
All changes have been dropped to master and R3_9_maintanence code streams.
