Hi,
Last time we released a 3.8.9 Maven version,
as we announced in releases [1] it will be the latest version for the
3.8.x line.
I have prepared a documentation update [2] which removes 3.8.x from
the download page [3]
Additionally version 3.8.9 will be also removed from distribution space [4]
it the expectations of the users, e.g.:
>
> * `SECURITY-ONLY`: if a security vulnerability is discovered in Maven
> 3.8.x (NOT in its dependencies), we MAY consider a new release. Note:
> Maven 3.8.x MAY be declared EOL at any time with one month of notice. If
> you rely on Mav
ersion has been released.
>
> Some of the discussion participants in Slack also said that literally we
> only support the last minor version.
> Taking in consideration that we already "struggle" of getting things
> done I would like to start a discussion about the followi
Hi Gary,
On 23.02.2025 22:27, Gary Gregory wrote:
On Sun, Feb 23, 2025, 15:00 Piotr P. Karwasz
wrote:
Regarding Maven dependencies, did you notice that Maven 3.9.x:
* depends on `maven-resolver-tranport-http` version 1.9.x (supported),
* which depends on HttpClient 4.5 (supported),
* which
e expectations of the users, e.g.:
>
> * `SECURITY-ONLY`: if a security vulnerability is discovered in Maven
> 3.8.x (NOT in its dependencies), we MAY consider a new release. Note:
> Maven 3.8.x MAY be declared EOL at any time with one month of notice. If
> you rely on Maven 3.8.x in
ned set of level of support.
Jarek provided an example on `security-discuss@community`[1]. I think
that it is better to provide a larger list of supported versions, but
limit the expectations of the users, e.g.:
* `SECURITY-ONLY`: if a security vulnerability is discovered in Maven
3.8.x (
t; > Reagrds,
> >
> > Hervé
> >
> > Le dimanche 23 février 2025, 09:12:21 CET Anders Hammar a écrit :
> > > I think we should start by declaring maven 3.8.x EOL in preparation for
> > > maven 4.
> > >
> > > /Anders
> > >
>
ssion participants in Slack also said that literally we
> > > only support the last minor version.
> > > Taking in consideration that we already "struggle" of getting things
> > > done I would like to start a discussion about the following two topics:
> > >
5, 09:12:21 CET Anders Hammar a écrit :
> I think we should start by declaring maven 3.8.x EOL in preparation for
> maven 4.
>
> /Anders
>
> On Sat, Feb 22, 2025 at 12:57 PM Matthias Bünger
>
> wrote:
> > Hi,
> > during the last days / weeks the topic of (end
I think we should start by declaring maven 3.8.x EOL in preparation for
maven 4.
/Anders
On Sat, Feb 22, 2025 at 12:57 PM Matthias Bünger
wrote:
> Hi,
> during the last days / weeks the topic of (end of) support of Maven and
> it's plugins came up several times in Slack.
>
ruggle" of getting things
> done I would like to start a discussion about the following two topics:
>
> 1) Declare Maven 3.8.x as EOL, especially as it requires Java 1.7. Last
> release (3.8.8) on 2023-03-08.
> 2) Change our support policy to: "We support only last min
r) after the
> following minor version has been released.
>
> Some of the discussion participants in Slack also said that literally we
> only support the last minor version.
> Taking in consideration that we already "struggle" of getting things
> done I would like to start a d
we already "struggle" of getting things
done I would like to start a discussion about the following two topics:
1) Declare Maven 3.8.x as EOL, especially as it requires Java 1.7. Last
release (3.8.8) on 2023-03-08.
2) Change our support policy to: "We support only last minor version,
Am 2022-01-31 um 14:29 schrieb Christoph Läubrich:
If we could get
https://github.com/apache/maven/pull/668
into 3.8.x this will help us much @tycho
https://github.com/apache/maven/pull/665
Christoph,
create create a new discussion with those issues you'd like to see in
3.8.5 and we'll eva
nted. I want to include a new
version of Wagon (3.5.0) which will remove JSoup due to several issues
which come along with it.
Ok. Could you put 3.8.5 as a fixVersion for the jira issues ?
Yes, will create those this weekend.
I have currently a branch open maven-3.8.x-resolver-1.7.x which
basica
; Maven 3.8.5 should include your fix, granted. I want to include a new
> >> version of Wagon (3.5.0) which will remove JSoup due to several issues
> >> which come along with it.
> >>
> >
> > Ok. Could you put 3.8.5 as a fixVersion for the jira issues ?
>
>
8.5 should include your fix, granted. I want to include a new
version of Wagon (3.5.0) which will remove JSoup due to several issues
which come along with it.
Ok. Could you put 3.8.5 as a fixVersion for the jira issues ?
Yes, will create those this weekend.
I have currently a branch open m
gt; separate repo anyway...)
>
> Several important things to note here:
>
> Maven 3.8.5 should include your fix, granted. I want to include a new
> version of Wagon (3.5.0) which will remove JSoup due to several issues
> which come along with it.
>
Ok. Could you put 3.8.5 as
to several issues
which come along with it.
I have currently a branch open maven-3.8.x-resolver-1.7.x which
basically lifts 3.8.x to Java 8 and adds Resolver 1.7.x
After 3.8.5 has been done I want to rebase my branch onto 3.8.5 and
moved that to 3.9.x, *then* you can start merging your open PRs
:
> I've merged https://github.com/apache/maven/pull/627 in *maven-3.8.x*
> branch (and related https://github.com/apache/maven/pull/628) for master.
> Is there anything before we can cut a 3.8.5 release ?
> If not, I can derive a *maven-3.9.x* branch from the *maven-3.8.x* asap an
I've merged https://github.com/apache/maven/pull/627 in *maven-3.8.x*
branch (and related https://github.com/apache/maven/pull/628) for master.
Is there anything before we can cut a 3.8.5 release ?
If not, I can derive a *maven-3.9.x* branch from the *maven-3.8.x* asap and
start merging #62
Both of those (#622 and #630) look like important changes to merge.
Getting the caching extension used and those interfaces exercised by the
community is only a good thing.
Given there’s only one extension in that area right now, even if the extension
point interfaces had to change to accommod
Yes, one of the two should refer to https://github.com/apache/maven/pull/622
Guillaume
Le lun. 13 déc. 2021 à 12:22, Tamás Cservenák a
écrit :
> Sounds good, but 3.9.x will have merged 630 and 630?
> I think copy+paste tricked you :)
>
> T
>
> On Mon, Dec 13, 2021 at 11:39 AM Guillaume Nodet
>
Sounds good, but 3.9.x will have merged 630 and 630?
I think copy+paste tricked you :)
T
On Mon, Dec 13, 2021 at 11:39 AM Guillaume Nodet wrote:
> In order to progress on a few issues, I'd like to discuss two points.
> * merge https://github.com/apache/maven/pull/628 into the 3.8.x branch
> a
In order to progress on a few issues, I'd like to discuss two points.
* merge https://github.com/apache/maven/pull/628 into the 3.8.x branch
and release 3.8.5 asap. This is a long-standing issue which had a couple
of trial fixes over the past months.
* create a 3.9.x branch to merge https://gi
It is probably easier to do a backport of maven-shared-utils with the
vulnerability fix.
Robert
On 27-6-2021 00:48:00, Michael Osipov wrote:
Folks,
I have now back ported a lot of issues to maven-3.8.x which aren't
related to resume, producer/consumer, etc. Many are just an output of
Res
Folks,
I have now back ported a lot of issues to maven-3.8.x which aren't
related to resume, producer/consumer, etc. Many are just an output of
Resolver update, no code changes in Maven itself.
The following are open now:
1. MNG-7034: waiting for a backport from gnodet@ since my humbl
Am 2021-06-25 um 00:40 schrieb Michael Osipov:
Am 2021-06-25 um 00:26 schrieb Falko Modler:
Hi,
I'd like to suggest an update of maven-shared-utils to at least 3.3.3
due to security issue https://issues.apache.org/jira/browse/MSHARED-297.
Quarkus is using parts of Maven that bring in maven-shar
ok, I'm now fully convinced: thanks Robert
Le mercredi 23 juin 2021, 19:40:14 CEST Robert Scholte a écrit :
> MNG-5669 contains lambda and IIRC there was a follow up improvement by
> Guillaume.
>
> MNG-6824 contains method references.
>
> I think both are more improvements than bugs.
> Before MN
Am 2021-06-25 um 00:26 schrieb Falko Modler:
Hi,
I'd like to suggest an update of maven-shared-utils to at least 3.3.3
due to security issue https://issues.apache.org/jira/browse/MSHARED-297.
Quarkus is using parts of Maven that bring in maven-shared-utils 3.2.1
and we received complaints by use
Hi,
I'd like to suggest an update of maven-shared-utils to at least 3.3.3
due to security issue https://issues.apache.org/jira/browse/MSHARED-297.
Quarkus is using parts of Maven that bring in maven-shared-utils 3.2.1
and we received complaints by users:
https://github.com/quarkusio/quarkus/issue
MNG-5669 contains lambda and IIRC there was a follow up improvement by
Guillaume.
MNG-6824 contains method references.
I think both are more improvements than bugs.
Before MNG-5669 Maven read a dependency that was also part of the reactor
again. Result was the same, just spilling time.
Before
IIUC, DefaultModelBuilder fundamental change was done on June 22 2020:
https://github.com/apache/maven/commit/bdec668de9c600165bb69c95b6ea0625d9f74fb0
before that point in time, there is no issue, isn't it?
then I imagine MNG-5669 and MNG-6824 are safe to cherry pick?
Regards,
Hervé
Le mercredi
I would avoid cherrypicking any commit related to the DefaultModelBuilder, this
is just not the same class anymore.
Also don't try to add fixes that has been done with Java 8 features.
To make your life easier I would focus on regressions only.
So I would at least NOT try to include:
- MNG-5669
I don't have any objections with backporting those bugfixes, but I'm not
sure whether MNG-6160 will work without MNG-4660. See Maarten's analysis in
the comments [1]. We'll have to re-check that bug when preparing the 3.8.x
release.
[1] https://issues.apache.org/jira/browse/MNG-6160
Op wo 23 jun.
Folks,
I'd like to proceed with 3.8.x since there are a few issues which users
would like to see addressed.
I went through the issues in 4.0.0-alpha-1 and would like to evaluate
the following to be back ported to 3.8.x branch:
https://issues.apache.org/jira/browse/MNG-5669
https://issues.apac
36 matches
Mail list logo
