Multiple dependencies having a "org.osgi.service.log" package

[jmini]

I am aware the issue might be complicated to solve here. It should probably be solved somewhere else

In a project where we are using com.diffplug.gradle:goomph:3.33.2 for the buildproperties and mavencentral plugins we have an other plugin that starts a new instance of the equinox framework.

Something like this:

import org.osgi.framework.Constants;
import org.osgi.framework.launch.FrameworkFactory;
import org.osgi.framework.launch.Framework;
import org.eclipse.osgi.launch.EquinoxFactory;

task runEquinox {
    doLast {
        Map<String, String> config = new HashMap<String, String>();
        config.put("osgi.instance.area", project.file("$buildDir/tmp"));
        config.put(Constants.FRAMEWORK_STORAGE, project.file("$buildDir/tmp2"));
        config.put(Constants.FRAMEWORK_STORAGE_CLEAN, Constants.FRAMEWORK_STORAGE_CLEAN_ONFIRSTINIT);

        FrameworkFactory frameworkFactory = new EquinoxFactory();
        Framework framework = frameworkFactory.newFramework(config);
        
        //...
    }
}

We have the issue:

Caused by: java.lang.SecurityException: class "org.osgi.service.log.LogLevel"'s signer information does not match signer information of other classes in the same package
        at org.eclipse.osgi.internal.log.EquinoxLogServices.<init>(EquinoxLogServices.java:94)
        at org.eclipse.osgi.internal.framework.EquinoxContainer.<init>(EquinoxContainer.java:90)
        at org.eclipse.osgi.launch.Equinox.<init>(Equinox.java:34)
        at org.eclipse.osgi.launch.EquinoxFactory.newFramework(EquinoxFactory.java:28)
        ...

After analyzing the classpath ./gradlew buildEnvironment:

> Task :buildEnvironment

------------------------------------------------------------
Root project
------------------------------------------------------------

classpath
\--- com.diffplug.gradle:goomph:3.33.2
     +--- com.diffplug.durian:durian-core:1.2.0
     +--- com.diffplug.durian:durian-collect:1.2.0
     |    \--- com.diffplug.durian:durian-core:1.2.0
     +--- com.diffplug.durian:durian-io:1.2.0
     |    +--- com.diffplug.durian:durian-core:1.2.0
     |    \--- com.diffplug.durian:durian-collect:1.2.0 (*)
     +--- com.diffplug.durian:durian-swt.os:3.5.0
     +--- commons-io:commons-io:2.6
     +--- com.diffplug.spotless:spotless-lib:1.5.1
     +--- com.squareup.okhttp3:okhttp:4.3.1
     |    +--- com.squareup.okio:okio:2.4.1 -> 2.4.3
     |    |    +--- org.jetbrains.kotlin:kotlin-stdlib:1.3.61
     |    |    |    +--- org.jetbrains.kotlin:kotlin-stdlib-common:1.3.61
     |    |    |    \--- org.jetbrains:annotations:13.0
     |    |    \--- org.jetbrains.kotlin:kotlin-stdlib-common:1.3.61
     |    \--- org.jetbrains.kotlin:kotlin-stdlib:1.3.61 (*)
     +--- com.squareup.okio:okio:2.4.3 (*)
     +--- biz.aQute.bnd:biz.aQute.bndlib:5.3.0
     |    \--- org.slf4j:slf4j-api:1.7.25
     +--- org.eclipse.platform:org.eclipse.osgi:3.15.0
     \--- org.eclipse.platform:org.eclipse.osgi.compatibility.state:1.1.600
          \--- org.eclipse.platform:org.eclipse.osgi:[3.12.0,) -> 3.15.0

It seems that 2 jars holds the org.osgi.service.log package:

• org.eclipse.platform:org.eclipse.osgi:3.15.0
• biz.aQute.bnd:biz.aQute.bndlib:5.3.0

So I can understand the SecurityException, and I am wondering why everybody seems to include the same OSGi code inside its jar.

A similar error was reported here diffplug/spotless#873 (comment). Not sure if this is related.

What is your opinion on this?

[jmini]

Our current workaround is to exclude the bndlib from the goomph dependency:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath ('com.diffplug.gradle:goomph:3.33.2') {
            exclude group: 'biz.aQute.bnd', module: 'biz.aQute.bndlib'
        }
    }
}

[jmini]

this is solved in 3.33.3 with PR #172.