Wednesday, January 9, 2013

Unmaintained libraries are a security hole - Call for Help

I was thinking about naming this post "A security hole in Eclipse", but that would be a bit too strong. The truth, though, is that unmaintained libraries are a big risk to the entire software stack built on them: nobody is left to look after them, fix the bugs that get reported, or release new versions.

I'm writing about this because my eye recently fell on Eclipse bug 337449, "[transport] Consume httpclient 4 provider from ECF". It looks innocent, but is it?

The HttpClient project website says:
The Commons HttpClient project is now end of life, and is no longer being developed. It has been replaced by the Apache HttpComponents project in its HttpClient and HttpCore modules, which offer better performance and more flexibility.
Now, if you drill down into that bug, you will discover that ECF already has support for HttpClient 4, although it looks unfinished: unfinished in the sense that it is not fully tested. So the Eclipse Platform can't adopt it, and so it stays untested. We really can't afford to wait any longer.

So I have prepared an Eclipse Platform build with httpclient4 for all major platforms. Please get it from my fedoraproject page and test it by installing anything from an update site, especially if you are behind a proxy, and report the results in the bug. That is what is needed to move it forward!

Here are direct links to Eclipse Platform with httpclient4:
Happy testing!

BTW, this would not be possible without the platform CBI build system, which makes the build process really easy.
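Before installing anything from an update site it is worth knowing which HttpClient stack the build under test actually ships. The script below is an added example (mine, not code from this post or from the Eclipse/ECF projects): it inventories an Eclipse plugins/ directory and flags the end-of-life Commons HttpClient 3 bundle and the ECF provider built on it, versus the HttpClient 4 bundles and provider. The bundle symbolic names are the ones Orbit and ECF ship; the sample installation it builds for the demo is constructed, with made-up version strings, so the check can run offline.

```shell
#!/bin/sh
# Added example, not code from the original post or from Eclipse/ECF.
# Inventory an Eclipse plugins/ directory and report which HttpClient stack
# the ECF file-transfer provider is built on.
#
# Bundle symbolic names matched below (real Orbit/ECF names):
#   org.apache.commons.httpclient                      Commons HttpClient 3.x (end of life)
#   org.eclipse.ecf.provider.filetransfer.httpclient   ECF provider on HttpClient 3
#   org.apache.httpcomponents.httpclient / .httpcore   HttpClient 4.x / HttpCore 4.x
#   org.eclipse.ecf.provider.filetransfer.httpclient4  ECF provider on HttpClient 4

# check_httpclient PLUGINS_DIR
# Exit status: 0 = only the HttpClient 4 stack is present
#              1 = the end-of-life HttpClient 3 bundle or its ECF provider is still shipped
#              2 = no complete ECF HttpClient provider found
check_httpclient() {
    plugins=$1
    eol=0 new=0 prov3=0 prov4=0
    for path in "$plugins"/*; do
        [ -e "$path" ] || continue        # empty directory: the glob stays literal
        # Eclipse bundle files are <symbolic-name>_<version>.jar, so the
        # underscore keeps "httpclient_" from matching "httpclient4_".
        case $(basename "$path") in
            org.apache.commons.httpclient_*)                     eol=1 ;;
            org.apache.httpcomponents.httpclient_*)              new=1 ;;
            org.apache.httpcomponents.httpcore_*)                new=1 ;;
            org.eclipse.ecf.provider.filetransfer.httpclient_*)  prov3=1 ;;
            org.eclipse.ecf.provider.filetransfer.httpclient4_*) prov4=1 ;;
        esac
    done
    [ "$prov3" = 1 ] && echo "FOUND  ECF provider on Commons HttpClient 3 (end of life)"
    [ "$eol"   = 1 ] && echo "FOUND  org.apache.commons.httpclient (end of life, unmaintained)"
    [ "$prov4" = 1 ] && echo "FOUND  ECF provider on HttpClient 4"
    [ "$new"   = 1 ] && echo "FOUND  org.apache.httpcomponents.httpclient / httpcore"
    if [ "$eol" = 1 ] || [ "$prov3" = 1 ]; then
        echo "RESULT end-of-life HttpClient 3 stack still shipped"
        return 1
    elif [ "$prov4" = 1 ] && [ "$new" = 1 ]; then
        echo "RESULT HttpClient 4 stack only"
        return 0
    else
        echo "RESULT no complete ECF HttpClient provider found"
        return 2
    fi
}

# make_sample_install DIR old|new
# Constructed sample: creates an empty file per bundle with made-up version
# strings so the check can be demonstrated offline. Point check_httpclient
# at a real <eclipse>/plugins directory for the actual inventory.
make_sample_install() {
    dir=$1; flavour=$2
    mkdir -p "$dir"
    if [ "$flavour" = old ]; then
        : > "$dir/org.apache.commons.httpclient_3.1.0.v0.jar"
        : > "$dir/org.eclipse.ecf.provider.filetransfer.httpclient_4.0.0.v0.jar"
    else
        : > "$dir/org.apache.httpcomponents.httpclient_4.1.0.v0.jar"
        : > "$dir/org.apache.httpcomponents.httpcore_4.1.0.v0.jar"
        : > "$dir/org.eclipse.ecf.provider.filetransfer.httpclient4_1.0.0.v0.jar"
    fi
    : > "$dir/org.eclipse.ecf.filetransfer_5.0.0.v0.jar"   # in both; not a provider
}

# Demo on two constructed installs. Usage on a real one:
#   check_httpclient /path/to/eclipse/plugins
sample=$(mktemp -d)
for flavour in old new; do
    make_sample_install "$sample/$flavour" "$flavour"
    echo "== $flavour install =="
    check_httpclient "$sample/$flavour" || true
done
rm -rf "$sample"
```

Presence in plugins/ is necessary but not sufficient: a bundle can be shipped and never resolved or started, which is exactly the "untested provider" situation the bug describes. To confirm which provider the running platform actually uses, start Eclipse with -console and list bundle states with ss in the OSGi console, then do the update-site install and check that the httpclient4 provider bundle went ACTIVE.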


  1. Maybe a hint on what to test would be helpful. Also, an additional GitHub repo with the changes you made might help people with testing.

    1. Thanks for the feedback!
      I don't have a specific test scenario; it is just about installing features via the installation manager and forcing the platform to actually use the new provider in the wild.

      I uploaded my patches to