bndlib pull OSGI api in as compile instead of provided

[laeubi]

If I look at https://repo1.maven.org/maven2/biz/aQute/bnd/biz.aQute.bndlib/6.3.1/biz.aQute.bndlib-6.3.1.pom

I see

<dependency>
  <groupId>org.osgi</groupId>
  <artifactId>org.osgi.service.log</artifactId>
  <version>1.3.0</version>
  <scope>compile</scope>
</dependency>
<dependency>
  <groupId>org.osgi</groupId>
  <artifactId>org.osgi.service.repository</artifactId>
  <version>1.1.0</version>
  <scope>compile</scope>
</dependency>
 .... and even more ...

this causes issue when bndlib is used e.g. with equinox, as equinox is signed, and bndlib not one gets

java.lang.SecurityException: class "org.osgi.service.log.LogLevel"'s signer information does not match signer information of other classes in the same package

beside this classloading issue, it is good practice to use provided scope for such APIs, and BND already do this for example here:

<dependency>
  <groupId>org.osgi</groupId>
  <artifactId>org.osgi.namespace.service</artifactId>
  <version>1.0.0</version>
  <scope>provided</scope>
</dependency>

[rotty3000]

IIRC this scope change was made specifically to silence un-silenceable compiler warnings where the dependent classes were not found on the classpath.

[laeubi]

Maybe there are better ways to "silence" the compiler (which one?) instead of pulling in everything?

[bjhargrave]

It is compile scope so that when these jars are used in Gradle and Maven by plugins, the transitive dependencies are included on the plugin classpath. With provided, this would not be true and the code would fail.

For OSGi use, the maven scopes are not relevant as OSGi frameworks do not care about maven metadata.