During osinfo validation[1] addition a new dependency was added without proper review nor auditing. Pulling a new out of jboss dependency should not be taken lightly.
Our options are:
1. drop runtime validation for osinfo, have this only at build time.
2. downgrade antlr usage to 2.7 per what jboss provides.
3. add yet another binary dependency to downstream which is not something that we should do.
In any case, another error was that fedora spec should be modified to pull dependency and symlink jar, but this is going away per (1) or (2) options anyway.
I have written a draft per starters, please continue this so we won't need this new external dependency.
[1] http://gerrit.ovirt.org/#/c/30782/
what's the reason this dependency is problematic?
(In reply to Roy Golan from comment #1)
> what's the reason this dependency is problematic?
we do not add dependencies that are out of jboss provide or have eal6 packages without very very very good reason. testing osinfo grammar is not a virtualization feature blocker, and can be done differently with either older version of antlr which is provided by jboss or using other primitive means.
Similarly, option #1 is not what we should do either. As I understood from Roy we need to find out if antlr 2.7 can work. If it is feasible we can do the necessary changes and use it.
(In reply to Michal Skrivanek from comment #3)
> Similarly, option #1 is not what we should do either.
>
> As I understood from Roy we need to find out if antlr 2.7 can work. If it is
> feasible we can do the necessary changes and use it.
2.7 won't work. I see that antlr4 is used by at least one brew tag.
Roy, can you find out from the current antlr maintainers what are the plans regarding upgrade to what you need? If it's temporary I would prefer to keep the feature...(since our usage is limited I'm not worried about CVEs or bugs too much)
(In reply to Michal Skrivanek from comment #8)
> Roy, can you find out from the current antlr maintainers what are the plans
> regarding upgrade to what you need? If it's temporary I would prefer to keep
> the feature...(since our usage is limited I'm not worried about CVEs or bugs
> too much)
it is jboss who decide what modules they are redistributing and at what version. not sure if consideration to break policy of packaging and release engineering is yours. current policy is that we do not redistribute 3rd party component unless critical to core business, you can see these at rhevm-dependencies. validating osinfo configuration files does not justify breaking that policy.
Reassign as rgolan is no longer in virt.
alright, no response, but let's proceed. Giving up and removing the feature...
this should probably go into upstream as well, see bug#1170258 or you want to wait for [1]
[1] http://gerrit.ovirt.org/#/c/36082/
Moving to verified since jboss is coming up on vt13.4.
RHEV-M 3.5.0 has been released