cayenne-dev mailing list archives

From Mike Kienenberger <mkien...@gmail.com>
Subject Re: javadoc security flaw
Date Tue, 09 Jul 2013 13:20:24 GMT
LUCENE's issue stated in the comments that the Oracle tool shouldn't
be used (apparently it can be integrated with maven).   It also stated
that there was a simple way to duplicate the functionality using
maven, but I didn't immediately see what that was:

Here's the thread it had on that:

https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185

This seems to point to https://issues.apache.org/jira/browse/MPOM-46
as one solution later on in the comments

Which seems to be a matter of updating the maven-javadoc-plugin
version from 2.9 to 2.9.1.   Maybe that's all we need as well?   If
not, I'm guessing you could diff the changes between versions 2.9 to
2.9.1 and find the solution in a maven environment?

http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692

--- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691
+++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
@@ -184,7 +184,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-javadoc-plugin</artifactId>
-          <version>2.9</version>
+          <version>2.9.1</version>
         </plugin>
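
Review bot: the only line this hunk changes is the <version> element, so a project picks up 2.9.1 only if it inherits the maven-javadoc-plugin version from this parent pom. A child pom that declares its own <version>2.9</version> for the plugin keeps using 2.9. Suggest checking each inheriting build with mvn help:effective-pom and removing any local override. The hunk also gives no reason for the bump; a short XML comment beside the version that names the motivating issue would keep it from being lowered again by accident.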

On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <mkienenb@gmail.com> wrote:
>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <ari@maniatis.org> wrote:
>>> Did we change the javadoc build process to avoid the javadoc security flaw recently
>>> discovered? I patched the website javadocs, but I'm not sure if we also have to change something
>>> in our maven build process or upgrade some plugin.
>
> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <andrus@objectstyle.org> wrote:
>> Me neither. Probably some research is in order. Should we take this to a separate
>> thread?
>
> Maybe you can copy what some other project has done.
>
> I saw a notice about it for tomcat but I believe it is built with ant.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>
> That notice pointed to Lucene, but it says it was built with ivy.
>
> https://issues.apache.org/jira/browse/LUCENE-5072
>
> So I didn't find a pointer to a maven-based fix.
