maven-dev mailing list archives

From Elliotte Rusty Harold <elh...@ibiblio.org>
Subject Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
Date Mon, 03 Jun 2019 17:12:18 GMT
Who's the maintainer? Sometimes a friendly ping through back channels
can work wonders.

On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony <tony.homer@intel.com> wrote:
>
> >>Perhaps ask the dom4j developers first to see if a 2.0.3 release can be scheduled.
> FWIW, there was an issue logged asking for that on 6 December 2018 [1].
> I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 and Java 8.
> Just making sure this information is part of the discussion.
>
> [1] https://github.com/dom4j/dom4j/issues/55
> [2] https://github.com/apache/maven-archetype/pull/28
>
>
> On 6/3/19, 7:59 AM, "Tibor Digana" <tibordigana@apache.org> wrote:
>
>     First of all, this PR was created because of vulnerability CVE-2018-1000632.
>     Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
>     argument for me.
>     If some code was broken in that version, it would be an argument. But it is
>     not an argument to infinitely grow versions only because somebody in CVE
>     wants to. This really is pushing hard to sell technologies and not a common
>     sense.
>
>     T
>
>     On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold <elharo@ibiblio.org>
>     wrote:
>
>     > I know there are plenty of places at Java 8+. There are also many who
>     > haven't gotten that far. Some of my day job involves Java 7+ clients,
>     > and I know of others even further back than that.
>     >
>     > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory <garydgregory@gmail.com>
>     > wrote:
>     > >
>     > > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
>     > > in the distant past. Most people can't even get Java 7 updates since it is
>     > > EOL unless you pay.
>     > >
>     > > Gary
>     > >
>     > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <
>     > elharo@ibiblio.org>
>     > > wrote:
>     > >
>     > > > I agree that this should be fixed. I'm not yet convinced that
>     > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
>     > > >
>     > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli <eolivelli@gmail.com>
>     > > > wrote:
>     > > > >
>     > > > > Elliotte,
>     > > > >
>     > > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold <elharo@ibiblio.org>
>     > > > > wrote:
>     > > > >
>     > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release can
>     > > > > > be scheduled.
>     > > > > >
>     > > > > > And if that doesn't work, how much effort is it to switch off of dom4j
>     > > > > > completely?
>     > > > > >
>     > > > > > maven-archetype strikes me as too important to drop Java 7
>     > > > > > compatibility this soon.
>     > > > > >
>     > > > >
>     > > > > Are you -1 with this change?
>     > > > > If a user wants to use Java 7 he can use the current version of the
>     > > > > plugin.
>     > > > >
>     > > > > Enrico
>     > > > >
>     > > > >
>     > > > >
>     > > > >
>     > > > >
>     > > > > >
>     > > > > >
>     > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.homer@intel.com>
>     > > > wrote:
>     > > > > > >
>     > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable
>     > > > > > > to CVE-2018-1000632 [1].
>     > > > > > > I filed ARCHETYPE-567 [2] to track this.
>     > > > > > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is
>     > > > > > > needed.
>     > > > > > > dom4j 2.1.x requires Java 8+ [3].
>     > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
>     > > > > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
>     > > > > > > The current dev version (2.0.3) seems to contain a fix for
>     > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
>     > > > > > >
>     > > > > > > I opened PR #28 [4] to make these changes.
>     > > > > > > What else should I do to advance this proposal?
>     > > > > > >
>     > > > > > > Thanks!
>     > > > > > > Tony Homer
>     > > > > > >
>     > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
>     > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
>     > > > > > > [3] https://dom4j.github.io
>     > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
>     > > > > > >
>     > > > > >
>     > > > > >
>     > > > > > --
>     > > > > > Elliotte Rusty Harold
>     > > > > > elharo@ibiblio.org
>     > > > > >
>     > > > > >
>     > ---------------------------------------------------------------------
>     > > > > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>     > > > > > For additional commands, e-mail: dev-help@maven.apache.org
>     > > > > >
>     > > > > >
>     > > >
>     > > >
>     > > >
>     > > > --
>     > > > Elliotte Rusty Harold
>     > > > elharo@ibiblio.org
>     > > >
>     > > > ---------------------------------------------------------------------
>     > > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>     > > > For additional commands, e-mail: dev-help@maven.apache.org
>     > > >
>     > > >
>     >
>     >
>     >
>     > --
>     > Elliotte Rusty Harold
>     > elharo@ibiblio.org
>     >
>     > ---------------------------------------------------------------------
>     > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
>     > For additional commands, e-mail: dev-help@maven.apache.org
>     >
>     >
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> For additional commands, e-mail: dev-help@maven.apache.org



-- 
Elliotte Rusty Harold
elharo@ibiblio.org

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
For additional commands, e-mail: dev-help@maven.apache.org
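
The version constraints discussed in this thread (1.6.1 and 2.0.2 affected by CVE-2018-1000632, 2.0.3 carrying the fix while keeping Java 5+ compatibility, 2.1.1 carrying the fix but requiring Java 8+) can be turned into a small build-time check. The script below is an added example, not code from the maven-archetype project or from anyone on this thread: it parses a pom.xml, finds dom4j dependencies, classifies their version against those constraints, and cross-checks the declared compiler target so that an upgrade to 2.1.x is not suggested to a build that still targets Java 7. The sample pom is constructed for the example; the groupId mapping (`dom4j` for 1.x, `org.dom4j` for 2.x) and the treatment of every version at or above 2.1.1 as fixed are assumptions of the example, not statements from the thread.

```python
"""Flag dom4j dependencies affected by CVE-2018-1000632 in a Maven pom.xml.

Version facts are taken from the maven-dev thread: 1.6.1 and 2.0.2 are
affected, 2.0.3 contains the fix and stays Java 5+ compatible, 2.1.1
contains the fix but the 2.1.x line requires Java 8+. Treating anything
at or above 2.1.1 as fixed is an assumption of this example.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
FIXED_2_0 = (2, 0, 3)   # fix on the Java 5+ compatible line (per the thread)
FIXED_2_1 = (2, 1, 1)   # fix on the Java 8+ line (per the thread)
DOM4J_GROUPS = ("dom4j", "org.dom4j")  # assumed groupIds for 1.x / 2.x artifacts

# Constructed sample pom for the example; not the real maven-archetype pom.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-archetype-plugin</artifactId>
  <version>1.0</version>
  <properties>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
  </properties>
  <dependencies>
    <dependency>
      <groupId>dom4j</groupId>
      <artifactId>dom4j</artifactId>
      <version>1.6.1</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'2.1.1-SNAPSHOT' -> (2, 1, 1); missing components default to 0."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def dom4j_status(version):
    """Classify a dom4j version: affected by the CVE? needs Java 8+?"""
    v = parse_version(version)
    if v >= FIXED_2_1:
        return {"affected": False, "requires_java8": True}
    if v[:2] == (2, 0):
        return {"affected": v < FIXED_2_0, "requires_java8": False}
    if v[:2] == (2, 1):                      # 2.1.0: before the fix, Java 8+ line
        return {"affected": True, "requires_java8": True}
    return {"affected": True, "requires_java8": False}   # 1.x, e.g. 1.6.1


def _prop(root, name):
    """Read <properties><name>...</name></properties>, or None."""
    props = root.find(POM_NS + "properties")
    if props is None:
        return None
    for child in props:
        if child.tag == POM_NS + name and child.text:
            return child.text.strip()
    return None


def _text(el, tag):
    child = el.find(POM_NS + tag)
    return child.text.strip() if child is not None and child.text else None


def _resolve(root, value):
    """Expand a ${property} reference against <properties>; else return as-is."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value)
    return (_prop(root, m.group(1)) or value) if m else value


def java_target(root):
    """Major Java version the build targets ('1.7' -> 7, '11' -> 11), or None."""
    for key in ("maven.compiler.release", "maven.compiler.target"):
        val = _prop(root, key)
        if val:
            return int(val.split(".")[-1])
    return None


def audit_pom(xml_text):
    """Return one finding string per dom4j dependency that needs attention."""
    root = ET.fromstring(xml_text)
    target = java_target(root)
    findings = []
    for dep in root.iter(POM_NS + "dependency"):
        group, artifact = _text(dep, "groupId"), _text(dep, "artifactId")
        version = _text(dep, "version")
        if artifact != "dom4j" or group not in DOM4J_GROUPS or version is None:
            continue
        version = _resolve(root, version)
        if version.startswith("${"):          # unresolved property: cannot judge
            findings.append(f"{group}:{artifact}: version {version} unresolved, check manually")
            continue
        status = dom4j_status(version)
        coord = f"{group}:{artifact}:{version}"
        if status["affected"]:
            advice = "upgrade to 2.1.1 (requires Java 8+)"
            if target is not None and target < 8:
                advice = (f"build targets Java {target}: 2.0.3 keeps Java 7 compatibility, "
                          "2.1.1 needs Java 8+")
            findings.append(f"{coord} affected by CVE-2018-1000632; {advice}")
        elif status["requires_java8"] and target is not None and target < 8:
            findings.append(f"{coord} requires Java 8+ but build targets Java {target}")
    return findings


if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM):
        print(finding)
```

Running it against the sample pom reports the 1.6.1 dependency as affected and, because the sample targets Java 7, points at 2.0.3 as the compatible fix rather than blindly recommending 2.1.1; swapping in `org.dom4j:dom4j:2.1.1` without raising the target produces a separate Java 8+ mismatch finding instead.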

