From: Tibor Digana
Date: Mon, 3 Jun 2019 16:59:22 +0200
Subject: Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)
To: Maven Developers List (dev@maven.apache.org)
First of all, this PR was created because of vulnerability CVE-2018-1000632.
Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an argument for me. If some code was broken in that version, it would be an argument. But it is not an argument to infinitely grow versions only because somebody in CVE wants to. This really is pushing hard to sell technologies and not common sense.
T

On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold wrote:

> I know there are plenty of places at Java 8+. There are also many who haven't gotten that far. Some of my day job involves Java 7+ clients, and I know of others even further back than that.
>
> On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory wrote:
> >
> > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is in the distant past. Most people can't even get Java 7 updates since it is EOL unless you pay.
> >
> > Gary
> >
> > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <elharo@ibiblio.org> wrote:
> > >
> > > I agree that this should be fixed. I'm not yet convinced that requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > >
> > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli wrote:
> > > >
> > > > Elliotte,
> > > >
> > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold <elharo@ibiblio.org> wrote:
> > > > >
> > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release can be scheduled.
> > > > >
> > > > > And if that doesn't work, how much effort is it to switch off of dom4j completely?
> > > > >
> > > > > maven-archetype strikes me as too important to drop Java 7 compatibility this soon.
> > > > >
> > > >
> > > > Are you -1 with this change?
> > > > If a user wants to use Java 7 he can use the current version of the plugin.
> > > >
> > > > Enrico
> > > >
> > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony wrote:
> > > > > >
> > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to CVE-2018-1000632 [1].
> > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
> > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > The current dev version (2.0.3) seems to contain a fix for CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > >
> > > > > > I opened PR #28 [4] to make these changes.
> > > > > > What else should I do to advance this proposal?
> > > > > >
> > > > > > Thanks!
> > > > > > Tony Homer
> > > > > >
> > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > [3] https://dom4j.github.io
> > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > elharo@ibiblio.org
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: dev-unsubscribe@maven.apache.org
> > > > > For additional commands, e-mail: dev-help@maven.apache.org
> > >
> > > --
> > > Elliotte Rusty Harold
> > > elharo@ibiblio.org
>
> --
> Elliotte Rusty Harold
> elharo@ibiblio.org
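The upgrade Tony Homer's message describes (dom4j 1.6.1 replaced by 2.1.1, with the build moved to Java 8 because 2.1.x requires it), shown as an added, hypothetical pom.xml fragment. This is not maven-archetype's own pom.xml or the content of PR #28; it is an illustration written for this page. The `dom4j:dom4j` and `org.dom4j:dom4j` coordinates are the published Maven coordinates of the 1.x and 2.x lines respectively; the compiler properties are the standard Maven ones, and the surrounding project structure is assumed.

```xml
<!-- Hypothetical illustration, not maven-archetype's real pom.xml.
     BEFORE: the dependency the thread calls vulnerable to CVE-2018-1000632. -->
<dependency>
  <groupId>dom4j</groupId>
  <artifactId>dom4j</artifactId>
  <version>1.6.1</version>
</dependency>

<!-- AFTER: dom4j 2.x is published under the org.dom4j groupId, so the groupId
     changes along with the version. Because 2.1.x requires Java 8+, the
     compiler level must be raised too (place these in <properties>). -->
<properties>
  <maven.compiler.source>1.8</maven.compiler.source>
  <maven.compiler.target>1.8</maven.compiler.target>
</properties>

<!-- (place this in <dependencies>) -->
<dependency>
  <groupId>org.dom4j</groupId>
  <artifactId>dom4j</artifactId>
  <version>2.1.1</version>
</dependency>
```

Because the groupId changes, a plain version bump is not enough: the old `dom4j:dom4j` coordinate can still arrive transitively from another dependency. After the change, `mvn dependency:tree -Dincludes=dom4j,org.dom4j` shows every dom4j artifact on the resolved classpath, so you can confirm that no `dom4j:dom4j:1.6.1` remains before treating the CVE as mitigated.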