Re: [VOTE] Release Maven Resolver 2.0.6

2025-02-07 Thread Tamás Cservenák
+1 On Wed, Feb 5, 2025 at 10:52 AM Tamás Cservenák wrote: > > Howdy, > > This Resolver 2.0.6 release is a bugfix release with some > improvements as well. > > Maven 4.x is picking up Resolver 2.x, while Maven 3.x remains at > Resolver 1.x lineage. The two major versions, as far as client code > g

Re: Supply Chain Attacks and Insider Threats

2025-02-07 Thread Matthias Bünger
This is already required. Otherwise Boxer does not link the GH account. On 07.02.2025 at 14:51, Elliotte Rusty Harold wrote: Fourth, we should require all committer GitHub accounts to turn on two-factor authentication. We might already be doing this.

Re: [VOTE] Release Maven Resolver 2.0.6

2025-02-07 Thread Guillaume Nodet
+1 Guillaume Nodet On Wed, Feb 5, 2025 at 10:53, Tamás Cservenák wrote: > Howdy, > > This Resolver 2.0.6 release is a bugfix release with some > improvements as well. > > Maven 4.x is picking up Resolver 2.x, while Maven 3.x remains at > Resolver 1.x lineage. The t

Re: [VOTE] Release Maven Resolver 2.0.6

2025-02-07 Thread Slawomir Jaranowski
+1 On Wed, Feb 5, 2025, 10:54, Tamás Cservenák wrote: > Howdy, > > This Resolver 2.0.6 release is a bugfix release with some > improvements as well. > > Maven 4.x is picking up Resolver 2.x, while Maven 3.x remains at > Resolver 1.x lineage. The two major versions, as far as client code

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Hervé Boutemy
BTW I hope we won't end up with 3 vs 4 components, isn't it? all plugins is already a huge added maintenance On Friday, 7 February 2025, 07:44:12 CET, Hervé Boutemy wrote: > site plugin has a big history of parallel 3 vs 4: it's probably a good > location to look at for learning > > need to add

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Sylwester Lachiewicz
Yes, it looks like most of the components will also be affected as for example we should switch to new Maven dependencies or get rid of Plexus/Inject On Fri, 7 Feb 2025, 09:23, Hervé Boutemy wrote: > BTW I hope we won't end up with 3 vs 4 components, isn't it? > all plugins is already

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Romain Manni-Bucau
how couldn't we generate v3 from v4 api and get it for free with a compat layer for a few years - and keep a single bundle? Romain Manni-Bucau @rmannibucau | .NET Blog | Blog | Old Blog

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Slawomir Jaranowski
On Fri, 7 Feb 2025 at 07:44, Hervé Boutemy wrote: > > site plugin has a big history of parallel 3 vs 4: it's probably a good > location to look at for learning As I remember we didn't talk about documentation publishing for both versions. > > need to add new columns to https://maven.apache.org/p

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Slawomir Jaranowski
On Fri, 7 Feb 2025 at 09:23, Hervé Boutemy wrote: > > BTW I hope we won't end up with 3 vs 4 components, isn't it? > all plugins is already a huge added maintenance I would like to maintain both versions only for some of the core plugins - in order to test / check the new API from Maven 4. As Ma

Re: Discussion: Commit / review (/merge) "policy"

2025-02-07 Thread Elliotte Rusty Harold
Thanks for posting. I was thinking about posting something myself. With respect to number of approvals specifically, the answer is 1. This is what's been used in every project and company I've ever worked with that does code reviews. As long as there's a PR and a history, we don't gain a lot by us

Re: Documentation for 4.x/3.x plugins and components

2025-02-07 Thread Elliotte Rusty Harold
On Fri, Feb 7, 2025 at 8:50 AM Slawomir Jaranowski wrote: > I would like to maintain both versions only for some of the core > plugins - in order to test / check the new API from Maven 4. > > As Maven 4 still supports plugins for Maven 3 - we can switch the rest > of plugins after the release fin

Supply Chain Attacks and Insider Threats

2025-02-07 Thread Elliotte Rusty Harold
This is an early draft of something I plan to publish for more open source projects, but I wanted to send this out here first since I'm more directly involved. Open source projects, especially widely used ones like Maven, need to be aware of and protect against the growing risk of threat actors ac

Re: New committer: Matthias Bünger

2025-02-07 Thread Matthias Bünger
Hi everyone, I still feel very honored to be a committer now (love) For the next weeks I plan to continue my work on documentation as well to triage old issues (esp. bugs) to get more knowledge, cleanup (anyone said GH issues?) and provide improvements. Happy weekend to everyone Matthias Am 0

Re: Discussion: Commit / review (/merge) "policy"

2025-02-07 Thread Matthias Bünger
>> We're already struggling at maintaining full Maven scope, for the few of us who try. I seriously fear adding more constraints will make our life even harder than it is now. Knowing that the number is very low, I totally understand this. For me personally as a new one, written policies (how str

Re: Discussion: Commit / review (/merge) "policy"

2025-02-07 Thread Julien Plissonneau Duquène
Hi, On 2025-02-07 13:13, Elliotte Rusty Harold wrote: As long as there's a PR and a history, we don't gain a lot by using more than one. There can be more than one if more people want to review, but it's not required. Also if the reviewer thinks a second (or third...) review or advice w