Thomas Neidhart

Results 160 comments of Thomas Neidhart

fyi: there is an OWASP cheatsheet to prevent loading external entities when processing xml files: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java This cheatsheet was also followed by other eclipse projects. If you need to protect...

Here is the link to a commit for the eclipse-leshan project for example: https://github.com/eclipse-leshan/leshan/commit/4d3e63ac271a817f81fba3e3229c519af7a3049c#diff-893a1f216e4d2a91ba87f70464f226742af308cf14cd900926c9a4dd53768781R70

It would be great indeed if this PR gets merged very soon. I am not super familiar with this repo, so it's not fully clear to me which xml parser...

I am not sure if disabling etag altogether results in a net-positive effect in the case of GitHub and changing tokens. The downside is that only Last-Modified headers are used,...

Could it be that the manifest is amended by some process after signing and thus breaking the digests of the manifest file?

Can the signing be disabled again till we figure out what messes with the manifest after signing? It certainly gives a bad impression to release artifacts whose signature is bad.

There is a playground available at https://otterdog.eclipse.org/projects/technology.xfsc/playground for your project. This might be helpful to test configuration before creating a PR.

The otterdog cli tool does support validation. It would have to be slightly adapted to easily support downloading the latest config from the `.eclipsefdn` repo so that you can run...

omg, we now use rich to format text for the console, and by coincidence, rich uses square brackets as markup tags:

```
header = header + f'\\[{key}="[bold]{self.get_key_value()}[/]"'
```

now rich...