Update to the latest direct-from-maven dependencies

[merks]

No description provided.

[merks]

See also eclipse-cdt/cdt#894 which similar changes.

[ruspl-afed]

@merks do you think it may be better to switch from direct maven to Orbit dependencies here? What are the latest trends at the moment?

[merks]

The question is a little bit politically loaded so I will tread carefully so as not to offend alternative valid points of view on the subject.

1. On the one hand, projects have the autonomy and the ability to manage their dependencies directly themselves with no central authority with whom to negotiate and hence no gate keeper who might delay adding or updating dependencies.
2. On the other hand, Orbit is now very well-managed and typically updates dependencies within 24 hours of them becoming available.

Neutral points that apply to both cases:

• Adding a dependency involves adding the coordinates to a maven target location in a *.target.
• Each dependency must be PGP signed.

For dependencies that need BND instructions, we have a significant problem if different projects wrap the same artifact in different ways while producing the same bundle symbolic name. Even if different BSNs are produced, we end up with "hidden" duplicates that will presumably export the same Java packages quite likely leading to wiring problems in a composed end result like SimRel. Hence the rule that only direct-from-maven dependencies that are directly available as OSGi bundles are permitted in SimRel.

The significant question is, how best to keep dependencies up-to-date?

1. Tycho is currently fine tuning a dependabot-like mechanism for updating the dependencies in a *.target file. It appears that will work quite well, based on experiments in the Platform.
2. Orbit updates dependencies via generators and provides the service of generating reports for SimRel projects that are managing their own dependencies directly.
   • https://github.com/eclipse-orbit/orbit-simrel/tree/main/report

I will leave it up to projects to decide what is best for them. My personal bias is really not relevant.

[ruspl-afed]

Thank you for such an exhaustive answer @merks
Following you, I would hide my personal preferences and leave it to @jonahgraham and @ghentschke to decide.

[laeubi]

The Tycho Target update can handle both, maven and P2 locations. Beside that, the most important part is how dependencies are referenced so they should

1. not be contained in features directly
2. not be required by strict version ranges

then the actual used version to build is not that important and P2 can simply kick out older versions itself.

[merks]

FYI, in this case category.xml included a dependency bundle with an exact version. I think that wasn't necessary...

[ghentschke]

To be honest, I am not very familiar with the dependency management. Since the cdt-lsp project is very close to cdt, we should discuss this issue with @jonahgraham how to handle that in the future in cdt.

[ghentschke]

LGTM

[ghentschke]

@merks Thank you!