Maven release of shaded icu4j-23.1.2.jar causes issues because of file name about graal HOT 6 OPEN

@woess that should solve the CVE warning, all the tools check the artifact names

from graal.

To me its weird that they do not use group ids as well to identify artefacts. Artefact names seem quite conflict prone.

from graal.

Besides the potential name conflict in 25 years, and the hiding of the real version this triggers CVE checks:

I agree. I do not know why we decided to use the same artefact name here. We shouldn't have.
@woess Any opinion on changing that?

The size difference is probably missing compression. But I'd need to double check that.
@woess does our shading support compression?

from graal.

@chumer happy to change that, if it solves potential name conflicts. Unfortunately, we'll need to change the artifactId for that.

does our shading support compression?

none of our deployed jars are compressed currently, and shaded jars aren't handled differently. But we can change that for icu4j.

from graal.

@d-schmidt if we changed the name of icu4j-23.1.2.jar to e.g. truffle-icu4j-23.1.2.jar, would that solve the issue or still trigger CVEs?

from graal.

I assume some tools check the released production jar or in one case even the docker image where we only have the artifacts. There are no poms anymore.

from graal.