maven-dev mailing list archives

From Tibor Digana <tibordig...@apache.org>
Subject Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
Date Wed, 05 Jun 2019 12:52:48 GMT
I am working on removing the dom4j library and using the Java XML API instead.
Sytwester, connect to the Slack pls.

On Wed, Jun 5, 2019 at 8:28 AM Robert Scholte <rfscholte@apache.org> wrote:

> > What stops us developing on Java 8?
> > Maven project stops us.
>
> I think this deserves some clearance, because I have a different opinion
> on this.
> It is quite natural that plugins start picking up and requiring a more
> recent version of Java before Maven does.
> If there's a good reason to move forward (in this case to Java 8), I don't
> mind doing that.
> With our plugin system, if they can't use this because they run Maven on
> an older version of Java, they can lock the plugin version to the last
> compatible one.
> Right now most environments are already running on Java 8 and won't notice
> such upgrade.
> Also keep in mind there's a difference between Java for Maven runtime and
> JDK for the compiler, these can be separated.
> I would love to hear from somebody that thinks he or she would be blocked
> by such change, it shouldn't be an issue but maybe I'm missing a detail.
>
> So if we can stay Java 7 compatible, that's fine but is not a blocking
> requirement (especially since this plugin is not a lifecycle plugin).
>
> Robert
> On 4-6-2019 22:05:33, Tibor Digana <tibordigana@apache.org> wrote:
> What stops us developing on Java 8?
> Maven project stops us.
> We wanted to use Java 7 and not higher. Therefore reworking the little code
> with removed dom4j keeps javac still on java7 and we would not have a
> problem when dom4j moves to java9+ because of non-applicable CVEs. We can
> use Java XML Api instead of dom4j.
>
> On Tue, Jun 4, 2019 at 6:32 PM Tamás Cservenák wrote:
>
> > Just wondering: what stops you developing on more modern java, and
> > targeting older java? Or in other words, why is using target java a must on
> > development? Just curious.
> >
> > Ps: sry for jumping the thread
> >
> > On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold wrote:
> >
> > > I know there are plenty of places at Java 8+. There are also many who
> > > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > > and I know of others even further back than that.
> > >
> > > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory wrote:
> > > >
> > > > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7
> > > > is in the distant past. Most people can't even get Java 7 updates since
> > > > it is EOL unless you pay.
> > > >
> > > > Gary
> > > >
> > > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <elharo@ibiblio.org> wrote:
> > > >
> > > > > I agree that this should be fixed. I'm not yet convinced that
> > > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > > >
> > > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli wrote:
> > > > > >
> > > > > > Elliotte,
> > > > > >
> > > > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold <elharo@ibiblio.org> wrote:
> > > > > >
> > > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> > > > > > > can be scheduled.
> > > > > > >
> > > > > > > And if that doesn't work, how much effort is it to switch off of
> > > > > > > dom4j completely?
> > > > > > >
> > > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > > compatibility this soon.
> > > > > > >
> > > > > >
> > > > > > Are you -1 with this change?
> > > > > > If a user wants to use java 7 he can use the current version of
> > > > > > the plugin.
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > >
> > > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.homer@intel.com> wrote:
> > > > > > > >
> > > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > > > > > > > vulnerable to CVE-2018-1000632 [1].
> > > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > > > > > > > 2.1.1 is needed.
> > > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+)
> > > > > > > > but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > > >
> > > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > > What else should I do to advance this proposal?
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Tony Homer
> > > > > > > >
> > > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > > [3] https://dom4j.github.io
> > > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Elliotte Rusty Harold
> > > > > > > elharo@ibiblio.org
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > > > > > > For additional commands, e-mail: dev-help@maven.apache.org

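The dom4j-to-JDK migration Tibor describes, shown as an added example that is not code from maven-archetype or from anyone in this thread: the class name, the sample descriptor fragment and the property-reading logic are constructed for illustration. It reads an archetype-metadata-style document with the JDK's own javax.xml DOM parser configured defensively, and shows that the JDK DOM validates element names when building output, so the Java 7 toolchain can stay in place without dom4j.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ArchetypeDescriptorJdkXml {

    // Constructed sample of an archetype-metadata.xml fragment; not a real project's file.
    private static final String SAMPLE =
        "<archetype-descriptor name=\"demo\">"
      + "  <requiredProperties>"
      + "    <requiredProperty key=\"groupId\"/>"
      + "    <requiredProperty key=\"version\"><defaultValue>1.0</defaultValue></requiredProperty>"
      + "  </requiredProperties>"
      + "</archetype-descriptor>";

    // JDK parser with DTDs and external entities disabled and secure-processing limits on.
    // Every call here exists in Java 7, so this keeps javac on 7 as the thread wants.
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        Document doc = newBuilder().parse(
            new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
        NodeList props = doc.getElementsByTagName("requiredProperty");
        for (int i = 0; i < props.getLength(); i++) {
            Element p = (Element) props.item(i);
            NodeList dv = p.getElementsByTagName("defaultValue");
            String def = dv.getLength() == 0 ? "(none)" : dv.item(0).getTextContent();
            System.out.println(p.getAttribute("key") + " default=" + def);
        }
        // On the writing side the JDK DOM checks names: a value that is not a legal XML
        // name is rejected with INVALID_CHARACTER_ERR instead of being written as markup.
        try {
            doc.getDocumentElement().appendChild(doc.createElement("bad/><name"));
        } catch (DOMException e) {
            System.out.println("rejected invalid element name: " + e.getMessage());
        }
    }
}
```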