Downgrade Equinox P2 jars to fix FIPS-compliant server startup issues#4795

Open

arunans23 wants to merge 1 commit into wso2:master from arunans23:osgidown

Conversation

@arunans23
Member

@arunans23 arunans23 commented Apr 7, 2026

Purpose

Downgrade Equinox P2 dependency versions to fix server startup failures in FIPS-compliant mode.

Related Issue

Approach

Aligned Equinox P2 jar versions in pom.xml with the versions from wso2/carbon-kernel#4570. The newer P2 versions caused server startup issues in FIPS-compliant environments due to incompatible Bouncy Castle jar dependencies.

Summary by CodeRabbit

  • Chores
    • Downgraded Equinox P2 component versions in build configuration.

Aligns Equinox P2 dependency versions with wso2/carbon-kernel#4570,
which fixes server startup failures in FIPS-compliant mode caused by
incompatible Bouncy Castle jar versions introduced by newer P2 jars.
@arunans23 arunans23 requested a review from rosensilva as a code owner April 7, 2026 12:35
@coderabbitai
Contributor

coderabbitai bot commented Apr 7, 2026

Walkthrough

The PR downgrades a comprehensive set of Equinox P2 dependency versions in pom.xml, reducing versions across 23 distinct P2-related artifacts including metadata, repository, director, engine, and publisher components.

Changes

Cohort / File(s) | Summary

Equinox P2 Core & Metadata Dependencies (pom.xml): Downgraded versions for equinox.p2.metadata (2.9.0 → 2.4.0), equinox.p2.core (2.11.0 → 2.8.0), equinox.p2.metadata.repository (1.5.300 → 1.4.0), and equinox.p2.artifact.repository (1.5.300 → 1.4.0).

Equinox P2 Provisioning & Engine (pom.xml): Downgraded versions for equinox.p2.director (2.6.300 → 2.5.0), equinox.p2.engine (2.10.0 → 2.7.0), equinox.p2.director.app (1.3.300 → 1.2.0), and equinox.p2.directorywatcher (1.4.300 → 1.3.0).

Equinox P2 Repository & Publishing (pom.xml): Downgraded versions for equinox.p2.repository (2.8.100 → 2.5.0), equinox.p2.repository.tools (2.4.300 → 2.3.0), equinox.p2.publisher (1.9.100 → 1.6.0), equinox.p2.publisher.eclipse (1.6.0 → 1.5.0), and equinox.p2.transport.ecf (1.4.600 → 1.2.0).

Equinox P2 Utilities & Services (pom.xml): Downgraded versions for equinox.p2.extensionlocation (1.5.300 → 1.4.0), equinox.p2.garbagecollector (1.3.200 → 1.2.0), equinox.p2.jarprocessor (1.3.300 → 1.2.0), equinox.p2.reconciler.dropins (1.5.300 → 1.4.0), equinox.p2.touchpoint.eclipse (2.4.200 → 2.3.0), equinox.p2.touchpoint.natives (1.5.200 → 1.4.0), equinox.p2.updatechecker (1.4.200 → 1.3.0), and equinox.p2.updatesite (1.3.200 → 1.2.0).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hopping through versions, we downgrade with care,
P2 components lighter, floating through air,
Twenty-three tweaks in one file so neat,
Dependencies lower, dependencies sweet! 🌿

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. Explanation: The description covers Purpose with clear context and related issue reference, and Approach with implementation details, but lacks several required template sections like Goals, User stories, Release note, Documentation, Training, Certification, Marketing, Automation tests, Security checks, Samples, Related PRs, Migrations, Test environment, and Learning. Resolution: Complete the missing sections from the template: provide Goals, User stories, Release note, Documentation links, Automation tests coverage, Security checks confirmation, Test environment details, and Learning resources.

✅ Passed checks (2 passed)

Title check: ✅ Passed. The title clearly and accurately describes the main change: downgrading Equinox P2 jars to resolve FIPS-compliant server startup issues.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


Contributor

@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (2)
pom.xml (2)

2108-2110: Consider a small regression guard for this packaging fix.

This change addresses a runtime startup failure, but nothing in the build will fail if a later P2 upgrade pulls the incompatible crypto jars back into the distribution. Even a lightweight dependency-tree or assembled-lib check in CI would make that regression obvious.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pom.xml` around lines 2108 - 2110, Add a CI regression guard that fails the
build if future P2 upgrades reintroduce the incompatible crypto jars; implement
a lightweight check (e.g., a Maven step running mvn dependency:tree or
assembling the distro and scanning libs) and assert that banned artifact
coordinates or classnames are not present, referencing the P2-related properties
changed in this PR such as version.equinox.p2.publisher.eclipse and
version.equinox.p2.transport.ecf so the check is tied to P2 upgrades; ensure the
job runs on PRs and reports the offending artifact/version when it fails.

2087-2104: Add a breadcrumb above this rollback set.

This block fans out into versionless child dependencies such as features/org.wso2.micro.integrator.core.runtime.feature/pom.xml Lines 107-200, so a future partial bump here will silently change the shipped P2 stack. A short note that these properties must move together for the FIPS fix would make drift much easier to catch.

💡 Suggested note
+        <!-- Keep this Equinox p2 version set aligned for the FIPS startup fix. -->
         <version.equinox.p2.artifact.repository>1.4.0</version.equinox.p2.artifact.repository>
         <version.equinox.p2.core>2.8.0</version.equinox.p2.core>
         <version.equinox.p2.director>2.5.0</version.equinox.p2.director>
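Review bot: the added comment line says the set must stay aligned but not with what or why, so a later reviewer cannot tell whether a bump is safe; name the source of the pinned versions and the failure mode, for example `<!-- Keep all version.equinox.p2.* properties aligned with wso2/carbon-kernel#4570; newer P2 jars pull in incompatible Bouncy Castle jars and break FIPS-mode startup. -->`, and place it above the first property of the set (version.equinox.p2.artifact.repository) rather than only above the three lines quoted here, since the PR description lists 23 properties that move together.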
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pom.xml` around lines 2087 - 2104, Summary: Add a breadcrumb comment above
this rollback set warning that these equinox p2 properties must move together.
Insert a short comment immediately above the block of properties (the rollback
set containing version.equinox.p2.artifact.repository, version.equinox.p2.core,
version.equinox.p2.engine, version.equinox.p2.metadata.repository,
version.equinox.p2.repository, etc.) stating that they fan out into versionless
child dependencies and must be changed as a group for the FIPS fix; include a
one-line instruction like "Do not update individually — update all listed
version.equinox.p2.* properties together" and add a [do-not-change-separately]
tag for future reviewers.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b62da2f5-f0de-4d1f-840d-7630b8bce258

📥 Commits

Reviewing files that changed from the base of the PR and between 18a92b7 and 38097e8.

📒 Files selected for processing (1)
  • pom.xml
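The first nitpick above asks for a CI guard that fails the build if a later P2 upgrade pulls the incompatible crypto jars back in. The script below is an added example of such a guard, not code from this PR or from the wso2 project: it scans saved `mvn dependency:tree` output for banned groupId:artifactId coordinates and an assembled lib directory for banned jar names, prints each offender with its version, and returns non-zero. The PR does not say which Bouncy Castle artifacts broke FIPS startup, so the banned lists (non-FIPS `bcprov-jdk18on` / `bcprov-jdk15on`) are assumed placeholders, and the sample tree and lib directory are constructed inline; the transitive edge from a P2 bundle to bcprov in the sample is illustrative, not a claim about the real dependency graph.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or the wso2 project: a CI guard that fails
# when banned crypto artifacts reappear, either in `mvn dependency:tree` output or
# in an assembled lib/ directory. The PR does not name the exact Bouncy Castle
# artifacts that broke FIPS startup, so the banned lists below are ASSUMED
# placeholders; replace them with the coordinates actually observed.
set -u

# Maven groupId:artifactId pairs that must not resolve (assumed for illustration:
# a non-FIPS bcprov next to a bc-fips provider is the usual FIPS-mode conflict).
BANNED_COORDS="org.bouncycastle:bcprov-jdk18on org.bouncycastle:bcprov-jdk15on"
# Jar basename prefixes that must not ship in the distribution (assumed likewise).
BANNED_JARS="bcprov-jdk18on bcprov-jdk15on"

# check_tree FILE: scan saved `mvn dependency:tree` output. Prints each offending
# coordinate (with packaging, version and scope) to stderr; returns 1 if any found.
check_tree() {
  local tree_file="$1" rc=0 coord hits
  for coord in $BANNED_COORDS; do
    # Tree lines look like "[INFO] |  \- org.bouncycastle:bcprov-jdk18on:jar:1.78:compile".
    # Anchor at a whitespace boundary so an artifactId that merely shares the
    # prefix is not matched; sed strips the captured leading whitespace.
    hits=$(grep -oE "(^|[[:space:]])${coord}:[^[:space:]]+" "$tree_file" | sed 's/^[[:space:]]*//')
    if [ -n "$hits" ]; then
      printf 'BANNED (dependency tree): %s\n' "$hits" >&2
      rc=1
    fi
  done
  return "$rc"
}

# check_libs DIR: scan an assembled lib directory for banned jars, matching both
# Maven-style (name-1.2.3.jar) and OSGi-style (name_1.2.3.jar) file names.
check_libs() {
  local lib_dir="$1" rc=0 name jar
  for name in $BANNED_JARS; do
    for jar in "$lib_dir/$name"-*.jar "$lib_dir/$name"_*.jar; do
      [ -e "$jar" ] || continue          # the glob matched nothing
      printf 'BANNED (assembled lib): %s\n' "${jar##*/}" >&2
      rc=1
    done
  done
  return "$rc"
}

# run_guard TREE_FILE LIB_DIR: run both checks without short-circuiting, so every
# offender is reported in one CI run; returns 1 if either check failed.
run_guard() {
  local status=0
  check_tree "$1" || status=1
  check_libs "$2" || status=1
  return "$status"
}

# Constructed sample input (not real build output): a transitive bcprov behind a
# P2 bundle, plus an assembled lib/ that ships it next to the FIPS provider.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/tree.txt" <<'EOF'
[INFO] example:app:pom:1.0
[INFO] +- org.eclipse.platform:org.eclipse.equinox.p2.core:jar:2.8.0:compile
[INFO] +- org.eclipse.platform:org.eclipse.equinox.p2.transport.ecf:jar:1.2.0:compile
[INFO] |  \- org.bouncycastle:bcprov-jdk18on:jar:1.78:compile
[INFO] \- org.bouncycastle:bc-fips:jar:1.0.2.4:compile
EOF
mkdir -p "$SAMPLE_DIR/lib"
: > "$SAMPLE_DIR/lib/bcprov-jdk18on_1.78.0.jar"
: > "$SAMPLE_DIR/lib/bc-fips_1.0.2.4.jar"

if run_guard "$SAMPLE_DIR/tree.txt" "$SAMPLE_DIR/lib"; then
  echo "guard: OK, no banned crypto artifacts"
else
  echo "guard: banned crypto artifacts present, failing the build"
fi
```

In a pipeline the tree file would come from `mvn -B dependency:tree -DoutputFile=tree.txt` and the lib directory from the unpacked distribution, and the job would end with `run_guard tree.txt dist/lib || exit 1`. Tying the check to the shipped artifacts rather than only to the pom properties is deliberate: a partial bump of the `version.equinox.p2.*` set, which the second nitpick warns about, would still be caught because the offending jar lands on disk.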
