Hi Tony,
I answered your question in Jira.
The release vote will start ASAP.
Cheers
Tibor
On Mon, Jun 10, 2019 at 8:27 PM Homer, Tony wrote:
Tibor completed the work of removing dom4j library and reverted the change that
moves maven-archetype to Java 8 [1].
This change mitigates the vulnerability to CVE-2018-1000632 while retaining
Java 7 compatibility.
In the JIRA I asked about when this can be released and Tibor suggested that I
as
I am working on a removal of dom4j library and use of Java XML API.
Sylwester, connect to Slack, please.
On Wed, Jun 5, 2019 at 8:28 AM Robert Scholte wrote:
> What stops us developing on Java 8?
> Maven project stops us.
I think this deserves some clearance, because I have a different opinion on
this.
It is quite natural that plugins start picking up and requiring a more recent
version of Java before Maven does.
If there's a good reason to move forw
What stops us developing on Java 8?
Maven project stops us.
We wanted to use Java 7 and not higher. Therefore, reworking the little bit of
code with dom4j removed keeps javac on Java 7, and we would not have a
problem when dom4j moves to Java 9+ because of non-applicable CVEs. We can
use Java XML API in
Mkay...
but in general, the (any) plugin dependency would load at "build time"
(Java 8) to produce code that would run at "runtime" (Java 7).
Or why would you need to load a plugin dependency in the runtime/target JVM?
T
On Tue, Jun 4, 2019 at 7:17 PM Elliotte Rusty Harold wrote:
Java 8 uses a different major version number in the .class file than
Java 7. Generally a Java 8 .class file can't be loaded into a Java 7
VM. In this case, I think dom4j would have to compile for Java 7 for
the dom4j.jar to load into Java 7.
On Tue, Jun 4, 2019 at 12:32 PM Tamás Cservenák wrote:
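Elliotte's point above about class-file major versions, worked through as an added example that is not from this thread or from the maven-archetype project: it parses the 8-byte ClassFile header, maps major_version to the Java release (51 = Java 7, 52 = Java 8), and checks whether every class in a jar would load on a given VM. The jar contents are constructed header-only stubs, not real bytecode.

```python
import io
import struct
import zipfile

# Class-file major_version -> Java release (JVM spec, ClassFile structure).
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5",
                 50: "6", 51: "7", 52: "8", 53: "9", 54: "10", 55: "11"}
MAGIC = 0xCAFEBABE

def class_file_version(data: bytes) -> tuple:
    """Parse the 8-byte header: u4 magic, u2 minor_version, u2 major_version."""
    if len(data) < 8:
        raise ValueError("truncated class file header")
    magic, minor, major = struct.unpack(">IHH", data[:8])
    if magic != MAGIC:
        raise ValueError("bad magic 0x%08X, not a .class file" % magic)
    return major, minor

def required_java(major: int) -> str:
    """Lowest Java release whose VM accepts this major version."""
    return MAJOR_TO_JAVA.get(major, "newer than 11 (major %d)" % major)

def jar_max_major(jar_bytes: bytes) -> int:
    """Highest major version among a jar's .class entries (0 if none).
    META-INF/versions/ holds multi-release overrides that a Java 7 or 8 VM
    never sees, so those entries are skipped."""
    highest = 0
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class") and not name.startswith("META-INF/versions/"):
                highest = max(highest, class_file_version(jar.read(name))[0])
    return highest

def loads_on_java(jar_bytes: bytes, jvm_major: int) -> bool:
    """A VM throws UnsupportedClassVersionError for any class whose major
    version exceeds its own, so the jar's maximum must not exceed it."""
    return jar_max_major(jar_bytes) <= jvm_major

# Constructed samples: header-only stub classes, not real bytecode.
def fake_class(major: int) -> bytes:
    return struct.pack(">IHH", MAGIC, 0, major) + b"\0" * 8

def sample_jar(majors) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for i, m in enumerate(majors):
            jar.writestr("org/example/C%d.class" % i, fake_class(m))
    return buf.getvalue()
```

A jar mixing a Java 7 class (major 51) and a Java 8 class (major 52) reports "8" from required_java and fails loads_on_java for a Java 7 VM.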
Just wondering: what stops you developing on more modern Java, and
targeting older Java? Or in other words, why is using the target Java a must for
development? Just curious.
PS: sorry for jumping into the thread
On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold wrote:
> I know there are plenty of places at
FYI, I took a look at the code and found it is already using both
dom4j AND JDOM, even in the same class:
https://github.com/apache/maven-archetype/blob/0fd806f773354ec62c8eb40f624d78a218815506/archetype-common/src/main/java/org/apache/maven/archetype/common/DefaultPomManager.java
This is depend
Yep
I am going to merge the upgrade patch as soon as I am back from vacation
https://github.com/apache/maven-archetype/pull/28
Enrico
On Tue, 4 Jun 2019, 11:49 Tibor Digana wrote:
Sylwester, removing dom4j and substituting by Java XML API would be the
best choice.
Please then inform the guys in
https://github.com/apache/maven-archetype/pull/28 because I think they are
handling it in parallel with you.
Cheers
Tibor
On Tue, Jun 4, 2019 at 8:46 AM Sylwester Lachiewicz wrote:
On Monday, June 3, 2019, Tibor Digana wrote:
> We are the maintainers.
Beware, this kind of statement hurts the project and its community.
> Do you inherit from this project and you need dom4j as transitive
> dependency?
More or less yes. M2E embeds maven-archiver and transitive dependencie
Hi,
if dom4j is problematic I can try to remove that old dependency. We use it
internally in 2 places (in fact almost only one simple method) - to manage
elements in pom.xml
Sylwester
On Tue, 4 Jun 2019 at 09:36 Homer, Tony wrote:
>>But there is one thing I do not understand why such upgrade is so important
>>for the users even if overriding the dependency in user's POM is so simple.
>>Do you inherit from this project and you need dom4j as transitive dependency?
I suppose you did not ask me, but I thought I'd share the bac
>>Who's the maintainer?
https://github.com/FilipJirsak
>> Sometimes a friendly ping through back channels can work wonders.
I don't know him but I sent him an email and cc:ed you (Rusty).
On 6/3/19, 10:12 AM, "Elliotte Rusty Harold" wrote:
Who's the maintainer? Sometimes a friendly ping t
@Mickael Istria
@Eric Lilja
@Elliotte Rusty Harold
We are the maintainers.
But there is one thing I do not understand: why is such an upgrade so important
for the users, even if overriding the dependency in the user's POM is so simple?
Do you inherit from this project and need dom4j as a transitive
de
+1, people on old versions of Java can remain on the old version of the
plugin. No one who is in a project where an old version of Java is still in
use (< 8) expects to have everything else in their ecosystem (3PPs, Maven
plugins etc.) at bleeding-edge versions. I guess many such projects are many
v
People who don't want to update are the ones who have to pay the effort,
not the project that tries to ship a security fix.
The simplest path forward is the one provided by Tony. Customers who don't
want to use it can remain on the previous version of the archetype plugins.
Other proposals to fix it ar
Who's the maintainer? Sometimes a friendly ping through back channels
can work wonders.
On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony wrote:
>>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be
>>scheduled.
FWIW, there was an issue logged asking for that on 6 December 2018 [1].
I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 and
Java 8.
Just making sure this information is part of the di
First of all, this PR was created because of vulnerability CVE-2018-1000632.
Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
argument for me.
If some code was broken in that version, it would be an argument. But it is
not an argument to infinitely grow versions only becau
I know there are plenty of places at Java 8+. There are also many who
haven't gotten that far. Some of my day job involves Java 7+ clients,
and I know of others even further back than that.
On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory wrote:
FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
in the distant past. Most people can't even get Java 7 updates since it is
EOL unless you pay.
Gary
On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold wrote:
I agree that this should be fixed. I'm not yet convinced that
requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli wrote:
Elliotte,
On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
Perhaps ask the dom4j developers first to see if a 2.0.3 release can
be scheduled.
And if that doesn't work, how much effort is it to switch off of dom4j
completely?
maven-archetype strikes me as too important to drop Java 7
compatibility this soon.
On Fri, May 31, 2019 at 3:02 PM Homer, Tony
We are working hard to get this done.
I will commit as soon as CI is green (blue...)
Enrico
On Sat, 1 Jun 2019, 10:02 Enrico Olivelli wrote:
If there is any complaint I will commit the change.
We are already moving other plugins that are not part of the core
lifecycle to Java 8 (Maven 3 supports Java 7)
Enrico
On Fri, 31 May 2019, 21:43 Enrico Olivelli wrote:
+1
Enrico
On Fri, 31 May 2019, 21:02 Homer, Tony wrote:
Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
CVE-2018-1000632 [1].
I filed ARCHETYPE-567 [2] to track this.
In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
dom4j 2.1.x requires Java 8+ [3].
dom4j 2.0.x would retain compatibility with Java 7 (