
Is there an automated way to determine or find the end of life (EOL)/end of support (EOS) notices for libraries?

The specific context behind this:

Our software uses about 50+ libraries as well as a few platforms. What I can't seem to find is an automated solution that tells you whether a particular library has reached end of support.

The current solution I came across is Black Duck. My understanding (after using Code Center only) is that Black Duck is more concerned about OSS governance and does not include proprietary software. Black Duck does inform the user about security updates and license conflicts, but from what I can see it does not inform the user of EOL/EOS.

Our current workaround at the moment is to do the following:

  • Have a list of all the libraries that we use (we do this with Artifactory)
  • Periodically check the library website for any notices
  • Then maintain this in some form (currently a wiki page, which is a nightmare)

For terminology purposes:

A library is either a jar or an npm module.

  • Does this answer your question? [How to deprecate a library in Eclipse/Maven/Nexus?](https://stackoverflow.com/questions/19998558/how-to-deprecate-a-library-in-eclipse-maven-nexus) – Dai Jan 09 '22 at 05:14

1 Answer

I don't think there is currently a better solution than your workaround.

  • Maven Central / Sonatype does not provide a way to update the POM files for a previously uploaded artifact. So someone who publishes an artifact cannot update it to say that it is deprecated or end-of-life or ... anything else. (There are really good reasons why artifacts are immutable.)

  • Neither Maven Central / Sonatype nor any 3rd party maintains a register of deprecated or end-of-life artifacts.


So ... is such a thing possible?

Technically yes. All artifacts uploaded to Maven Central are required to have a PGP signature with a published PGP public key. So a third party site could check that an EOL notice is signed with the same key pair as was used to sign the published artifact. Then they could create a database with a web API for querying the status of an artifact, and a Maven plugin to do the work. (There could be some interesting scaling problems ... but nothing that is beyond solving.)

In practice, one would need to convince enough developers (consumers of artifacts) that automated checks for EOL artifacts are a good idea, and enough vendors (suppliers of artifacts) that publishing EOL notices is a good idea. And someone would need to stump up the money to pay for the infrastructure for the register and the people to build and run it.

Given recent events (e.g. the log4shell and related vulnerabilities), it might actually happen.

Stephen C
  • Could you please tell how we could find the EOL signature associated with a particular PGP public key – Abhiram Reddy Jan 28 '22 at 06:41
  • That's not what I am talking about. I am talking about EOL >>notices<< that are >>signed<< with PGP keys. (And I only mentioned it as a theoretical possibility. *"Is such a thing technically possible? ....."*) – Stephen C Jan 28 '22 at 06:49
  • The main answer is this: *"I don't think there is currently a better solution than your workaround."*. And https://stackoverflow.com/questions/19998558/how-to-deprecate-a-library-in-eclipse-maven-nexus says the same thing. – Stephen C Jan 28 '22 at 06:50
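As an added example (not part of the question or the answer above), the following script automates the asker's workaround: the wiki page becomes a small machine-readable EOL register, and the dependencies declared in a Maven POM are checked against it so that EOL and soon-to-be-EOL artifacts are reported on every build. The POM, the register contents, the artifact coordinates and the dates are all constructed for illustration; the register format (groupId:artifactId key, an ISO date, a version-line prefix and a notice URL) is an assumption, not an existing standard.

```python
"""Check a Maven POM's dependencies against a locally maintained EOL register.

Added example, not code from the question or the answer. The register format is
an assumption; the artifacts and dates below are constructed sample data.
"""
import json
import xml.etree.ElementTree as ET
from datetime import date

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed sample pom.xml with three dependencies.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>legacy-http</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>json-tools</artifactId><version>1.9.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>fresh-lib</artifactId><version>5.0.0</version></dependency>
  </dependencies>
</project>
"""

# Constructed EOL register: the machine-readable replacement for the wiki page.
# Key is groupId:artifactId; "eol" is the end-of-support date (ISO 8601),
# "versions" restricts the notice to a version-line prefix, "notice" records
# where the vendor's announcement was found (placeholder URLs).
SAMPLE_REGISTER = json.dumps({
    "com.example:legacy-http": {"eol": "2021-12-31", "versions": "2.",
                                "notice": "https://example.invalid/legacy-http/eol"},
    "com.example:json-tools": {"eol": "2022-03-31", "versions": "1.",
                               "notice": "https://example.invalid/json-tools/eol"},
})


def parse_dependencies(pom_xml):
    """Return (groupId, artifactId, version) tuples from a POM's <dependency> elements."""
    root = ET.fromstring(pom_xml)
    deps = []
    for dep in root.iter(POM_NS + "dependency"):
        group = dep.findtext(POM_NS + "groupId") or ""
        artifact = dep.findtext(POM_NS + "artifactId") or ""
        version = dep.findtext(POM_NS + "version") or ""
        deps.append((group, artifact, version))
    return deps


def check_eol(deps, register_json, today, warn_days=90):
    """Classify each dependency as EOL, EOL_SOON, SUPPORTED or NO_NOTICE.

    NO_NOTICE means the register has no entry covering this version line; it is
    deliberately not reported as "OK", because absence of a notice is not
    evidence of support.
    """
    register = json.loads(register_json)
    report = []
    for group, artifact, version in deps:
        coordinate = f"{group}:{artifact}:{version}"
        entry = register.get(f"{group}:{artifact}")
        if entry is None or not version.startswith(entry.get("versions", "")):
            report.append((coordinate, "NO_NOTICE", None))
            continue
        eol = date.fromisoformat(entry["eol"])
        days_left = (eol - today).days
        if days_left < 0:
            status = "EOL"
        elif days_left <= warn_days:
            status = "EOL_SOON"
        else:
            status = "SUPPORTED"
        report.append((coordinate, status, entry["eol"]))
    return report


def demo_report():
    """Run the check over the constructed sample data with a fixed 'today'."""
    return check_eol(parse_dependencies(SAMPLE_POM), SAMPLE_REGISTER, date(2022, 1, 9))


if __name__ == "__main__":
    for coordinate, status, eol in demo_report():
        print(f"{status:10} {coordinate}" + (f" (EOL {eol})" if eol else ""))
```

In a real pipeline the register would be a file under version control next to the Artifactory inventory, and the script would run as a CI step that fails the build on EOL and warns on EOL_SOON; the review of vendor websites remains manual, but the list of what to review and the consequence of a finding are no longer kept in a wiki.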