Update Derby to 10.16.1.2

[eschcam]

Derby 10.16.1.1 contains CVE-2022-46337

[gsmet]

Thanks, there's something off in the PR though. Can you fix and squash? Thanks!

[gsmet]

We don't want this change :).

[eschcam]

Would adding the jars locally be an acceptable alternative?

[gsmet]

The jars are not on Maven Central?

[gsmet]

We can't really depend on jars from external repository that are not vetted.

If 10.17.1.0 is safer, it's probably the best option as it's available on Maven Central. But... IIRC, there were issues with it so it might need some additional work.

From what I can see, Derby doesn't look very well maintained.

[gsmet]

Ah I remember the issue now, Derby 10.17 is Java 21+ and we are still supporting Java 17.

I wonder if we should extract this extension to the Quarkiverse and let it live there with its own requirements. Or update to 10.17 and disable build/testing for this extension on Java 17.

[eschcam]

Out of curiosity, why are you using Derby?

What do you mean?

[gsmet]

Well, apparently, it's not really maintained anymore so I was wondering why you chose to use it. We discussed a few times dropping it from the repository so it would help to know why people are still using it.

[eschcam]

I'm not using it for anything specific. I'm just tyring to resolve the CVE

[gsmet]

I started a discussion here: https://groups.google.com/g/quarkus-dev/c/NRSpQYVlz_Y .

[eschcam]

I started a discussion here: https://groups.google.com/g/quarkus-dev/c/NRSpQYVlz_Y .

I'll do my best to keep an eye on it.
Please let me know of any changes you need me to make to this PR

[gastaldi]

Unfortunately using a different repository is a no-go, so I'm closing this one