maven-dev mailing list archives

From Tamás Cservenák <ta...@cservenak.net>
Subject Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
Date Tue, 04 Jun 2019 17:34:30 GMT
Mkay...
but in general, the (any) plugin dependency would load at "build time"
(java8) to produce code that would run at "runtime" (java7).
Or why would you need to load a plugin dependency in runtime/target JVM?

T


On Tue, Jun 4, 2019 at 7:17 PM Elliotte Rusty Harold <elharo@ibiblio.org>
wrote:

> Java 8 uses a different major version number in the .class file than
> Java 7. Generally a Java 8 .class file can't be loaded into a Java 7
> VM. In this case, I think dom4j would have to compile for Java 7 for
> the dom4j.jar to load into Java 7.
>
> On Tue, Jun 4, 2019 at 12:32 PM Tamás Cservenák <tamas@cservenak.net>
> wrote:
> >
> > Just wondering: what stops you developing on more modern java, and
> > targeting older java? Or in other words, why is using target java a must
> > on development? Just curious.
> >
> > Ps: sry for jumping the thread
> >
> > On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold <elharo@ibiblio.org>
> > wrote:
> >
> > > I know there are plenty of places at Java 8+. There are also many who
> > > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > > and I know of others even further back than that.
> > >
> > > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory <garydgregory@gmail.com>
> > > wrote:
> > > >
> > > > FWIW, we are talking at work about Java 8 and 11 only these days.
> > > > Java 7 is in the distant past. Most people can't even get Java 7
> > > > updates since it is EOL unless you pay.
> > > >
> > > > Gary
> > > >
> > > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold
> > > > <elharo@ibiblio.org> wrote:
> > > >
> > > > > I agree that this should be fixed. I'm not yet convinced that
> > > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > > >
> > > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli
> > > > > <eolivelli@gmail.com> wrote:
> > > > > >
> > > > > > Elliotte,
> > > > > >
> > > > > > On Mon, Jun 3, 2019 at 15:59 Elliotte Rusty Harold
> > > > > > <elharo@ibiblio.org> wrote:
> > > > > >
> > > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> > > > > > > can be scheduled.
> > > > > > >
> > > > > > > And if that doesn't work, how much effort is it to switch off of
> > > > > > > dom4j completely?
> > > > > > >
> > > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > > compatibility this soon.
> > > > > > >
> > > > > >
> > > > > > Are you -1 with this change?
> > > > > > If a user wants to use Java 7 he can use the current version of the
> > > > > > plugin.
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.homer@intel.com>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > > > > > > > vulnerable to CVE-2018-1000632 [1].
> > > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > > > > > > > 2.1.1 is needed.
> > > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+)
> > > > > > > > but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > > >
> > > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > > What else should I do to advance this proposal?
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Tony Homer
> > > > > > > >
> > > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > > [3] https://dom4j.github.io
> > > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Elliotte Rusty Harold
> > > > > > > elharo@ibiblio.org
> > > > > > >
> > > > > > >
> > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > > > > > > For additional commands, e-mail: dev-help@maven.apache.org
> > > > > > >
> > > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elharo@ibiblio.org
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > > For additional commands, e-mail: dev-help@maven.apache.org
> > >
> > >
>
>
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
>
>
>
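
The class-file version point raised in the thread can be checked before swapping a dependency: each class in a jar carries a major version in its header (51 for Java 7, 52 for Java 8). The following is an added example, not code from the thread, Maven or dom4j; the function names are hypothetical and the sample jar is constructed in memory with header-only entries.

```python
import io
import struct
import zipfile

MAGIC = 0xCAFEBABE  # first four bytes of every .class file


def class_major(header: bytes) -> int:
    """Major version from a class header: u4 magic, u2 minor, u2 major."""
    if len(header) < 8:
        raise ValueError("too short for a class file header")
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    if magic != MAGIC:
        raise ValueError("bad magic, not a class file")
    return major


def jar_max_major(jar) -> int:
    """Highest major version among classes a Java 7/8 runtime would load."""
    highest = 0
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not name.endswith(".class") or name == "module-info.class":
                continue
            # Versioned entries of a multi-release jar are only read by Java 9+.
            if name.startswith("META-INF/versions/"):
                continue
            with zf.open(name) as fh:
                highest = max(highest, class_major(fh.read(8)))
    return highest


def loads_on_java(jar, release: int) -> bool:
    """True if every base class targets `release` or older (51 -> 7, 52 -> 8)."""
    return jar_max_major(jar) - 44 <= release


def constructed_jar(entries: dict) -> io.BytesIO:
    """Build a sample jar in memory; each 'class' is only an 8-byte header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, major in entries.items():
            zf.writestr(name, struct.pack(">IHH", MAGIC, 0, major))
    return buf


if __name__ == "__main__":
    sample = constructed_jar({"org/example/A.class": 51, "org/example/B.class": 52})
    print(jar_max_major(sample), loads_on_java(sample, 7), loads_on_java(sample, 8))
```

`jar_max_major` also accepts a path to a jar on disk, so it can be pointed at a resolved dependency in the local repository.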
