Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

Find sources of very, very old dependencies..

Description

While looking at https://shibboleth.atlassian.net/browse/JPAR-190#icft=JPAR-190 I notices that an 11 year old version of googles findbugs was being down loaded.

The first user of this that I found was google-collections (which was end of life'd about 10 years ago).

The users of that package were many fold:

com\google\collections\google-collections\1.0\google-collections-1.0.pom: <artifactId>google-collections</artifactId> com\google\collections\google-collections\1.0\google-collections-1.0.pom: <url>http://code.google.com/p/google-collections/</url> com\google\collections\google-collections\1.0\google-collections-1.0.pom: <url>http://code.google.com/p/google-collections/source/browse/</url> com\google\collections\google-collections\1.0\google-collections-1.0.pom: <connection>scm:svn:http://google-collections.googlecode.com/svn/trunk/</connection> org\codehaus\plexus\plexus-container-default\1.7.1\plexus-container-default-1.7.1.pom: <artifactId>google-collections</artifactId> org\codehaus\plexus\plexus-containers\1.5.4\plexus-containers-1.5.4.pom: <artifactId>google-collections</artifactId> org\codehaus\plexus\plexus-containers\1.5.5\plexus-containers-1.5.5.pom: <artifactId>google-collections</artifactId> org\codehaus\plexus\plexus-containers\1.7.1\plexus-containers-1.7.1.pom: <artifactId>google-collections</artifactId> org\codehaus\plexus\plexus-containers\2.0.0\plexus-containers-2.0.0.pom: <artifactId>google-collections</artifactId> org\sonatype\aether\aether-impl\1.7\aether-impl-1.7.pom: <artifactId>google-collections</artifactId>

At this stage this stops being a quick "I wonder" and becomes a work item.

This case is to track the work

Environment

None

Activity

Rod WiddowsonSeptember 5, 2023 at 1:44 PM

Ian has done a lor of work here. this is very old so I'm resolving it

Rod WiddowsonMarch 15, 2022 at 3:44 PM

Going to leave this open, but I suspect that this will end with a “this whole things sucks - you are bound to get jars in that you just don’t care about”. Right now this isn’t a priority.

Rod WiddowsonOctober 6, 2021 at 9:45 AM

Some more “signed but by “ artifacts

asm/asm 3.3.1 antlr/antlr 2.7.2, 2.7.7 (we know about that) aopalliance/aopalliance 1.0 backport-util-concurrent/backport-util-concurrent 3.1 classworlds/classworlds 1.1 1.1-alpha-2 (I mean, c'mon guys) commons-beanutils/commons-beanutils 1.7.0 commons-chain/commons-chain 1.1 commons-digester/commons-digester 1.8 commons-logging/commons-logging 1.1 dom4j/dom4j 1.1 junit/junit 3.8.1 org.apache.velocity/velocity 1.7 org.beanshell/bsh 2.0b4 org.codehaus.plexus/plexus-container-default 1.0-alpha-9/1.0-alpha-9-stable-1 org.codehaus.plexus/plexus-interpolation 1.11 org.codehaus.plexus/plexus-utils 1.1 oro/oro 2.0.8 sslext/sslext 1.2-0

Rod WiddowsonOctober 4, 2021 at 6:45 PM

Here are some more things to look at

  • plexus-i18n 1.0-beta-10 (unsigned, released Aug-2008)

  • plexus-container-default 1.-0alpha-9 (unsigned, released Dec-2005)

  • plexus-container-default 1.-0alpha-9-stable-1 (signed, released Mar-2007)

  • asm 6.2 (unsigned) released May 2018

  • jsr250-api (unsigned) released May2007

  • javax.inject V1 (unsigned) released Oct13 2009 But this one has not been superceded

Won't Do

Details

Assignee

Reporter

Created October 4, 2021 at 3:57 PM
Updated September 12, 2023 at 1:17 PM
Resolved September 5, 2023 at 1:44 PM