Use newer org.apache.commons.codec
For some reason BIRT bundles commons-codec inside it and uses such an old version that it causes issues with other libraries trying to use a newer version.
https://github.com/eclipse-birt/birt/blob/f32bef1d44ecccc4f22aeb682ba35b9cafb84ea4/build/org.eclipse.birt.build/externalRepo.properties#L27C83-L27C107
BIRT could use 1.16.0 for example https://mvnrepository.com/artifact/commons-codec/commons-codec
Alternatively, try not to use commons-codec at all, or if necessary use https://maven.apache.org/plugins/maven-shade-plugin/ to shade the classes there to avoid conflicts with other libraries that try to use newer versions.
That's what's being used in the release repository:
https://download.eclipse.org/birt/updates/release/4.14.0/plugins/org.apache.commons.commons-codec_1.16.0.jar
There is quite a bit of garbage so I don't think the file you mention is even used. But there are two of those bundles that embed the jar, which seems like an abomination!
I think that should be cleaned up...
I opened this because I had a conflict with https://mvnrepository.com/artifact/org.opensaml/opensaml-core/4.1.1 which uses commons-codec 1.15. I removed the following folder from the JAR manually
and it fixed the issue.
I cannot yet be sure which exact version ends up inside the runtime JAR, but if I had to guess, I would guess it is commons-codec-1.3.
The timestamps are quite old. In any case you are looking at the 4.13 release but there is a 4.14 release:
https://download.eclipse.org/birt/updates/release/4.14.0/
But that doesn't look much different:
The build does so many inexplicable things with various ant scripts and maven magic. Some hunting will be required. (But then again, no one funds such work, so self-serve would be the better option.)
I can personally try to update the version for BIRT, but while I think shading the dependency would be better, the build seems so unorthodox and complicated that I might not know how to shade it.
The build is horrible. I think maybe that thing is created by this monstrosity:
https://github.com/eclipse-birt/birt/blob/master/build/birt-packages/birt-runtime/build.xml
As launched by this:
https://github.com/eclipse-birt/birt/blob/f32bef1d44ecccc4f22aeb682ba35b9cafb84ea4/build/birt-packages/birt-runtime/pom.xml#L54-L89
That thing tells me next to nothing about where the classes we see in the jar actually come from. Detective work is required... 😱
I guess since the JAR is available at https://download.eclipse.org/birt/updates/release/4.14.0/plugins/org.apache.commons.commons-codec_1.16.0.jar it must be inside the runtime JAR accidentally. Need to investigate a bit why that happens. It also contains some other 3rd party classes.
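The question running through this thread, which copies of commons-codec a runtime JAR actually carries and whether their version can be identified, can be checked mechanically. The following is an added example, not part of the thread or of BIRT's build: `find_codec_copies` and `build_sample_runtime_jar` are hypothetical names, and the sample JAR (including `org/example/report/Engine.class` and its version strings) is constructed in memory for illustration.

```python
import io
import zipfile

CODEC_PREFIX = "org/apache/commons/codec/"  # package path of commons-codec classes

def manifest_version(jar):
    """Implementation-Version or Bundle-Version from the jar's manifest, if any."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None

def find_codec_copies(jar_bytes, label):
    """Return [(location, class_count, version_or_None)] per commons-codec copy."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        classes = [n for n in names if n.endswith(".class")]
        own = [n for n in classes if n.startswith(CODEC_PREFIX)]
        if own:
            # Classes unpacked into a host jar have lost their own manifest, so
            # trust the version only when the jar holds nothing but codec classes.
            version = manifest_version(jar) if len(own) == len(classes) else None
            found.append((label, len(own), version))
        for n in names:
            if n.endswith(".jar"):  # recurse into embedded jars
                found += find_codec_copies(jar.read(n), f"{label}!/{n}")
    return found

def build_sample_runtime_jar():
    """Constructed sample: unpacked codec classes plus a nested codec jar."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, data in entries.items():
                z.writestr(name, data)
        return buf.getvalue()
    stub = b"\xca\xfe\xba\xbe"  # placeholder bytes, not a real class file
    nested = make({"META-INF/MANIFEST.MF": "Bundle-Version: 1.16.0\n",
                   CODEC_PREFIX + "binary/Base64.class": stub})
    return make({"META-INF/MANIFEST.MF": "Bundle-Version: 0.0.0\n",
                 "org/example/report/Engine.class": stub,
                 CODEC_PREFIX + "binary/Base64.class": stub,
                 CODEC_PREFIX + "binary/Hex.class": stub,
                 "lib/commons-codec.jar": nested})

if __name__ == "__main__":
    for loc, n, ver in find_codec_copies(build_sample_runtime_jar(), "sample-runtime.jar"):
        print(f"{loc}: {n} codec classes, version {ver or 'unknown'}")
```

To inspect a real artifact, pass the bytes of the downloaded JAR to `find_codec_copies`; a copy reported with an unknown version is one whose classes were unpacked into another JAR.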