I would say if they are using M2e 1.4 and other older stuff they are fine to stick with older versions of Maven and Maven plugins as well.
If they really want latest features and bug fixes they can either pay consultants to upgrade their environment or Maven committers to backport stuff for them. Or a mixture.. I very much think that using old stuff should be painful as a motivation to not use it ;-) manfred Anders Hammar wrote on 13.10.2014 12:03: >> >> this is the only change for 3.0.5: http://maven.apache.org/security.html >> bottom line: certificates are not checked. >> It's a serious security issue and for that reason I'd prefer 3.0.5 over >> 3.0.4 > > > Security issue or not, there are commercial IDEs out there (used by larger > companies) that include m2e 1.4.x or earlier, which is based on Maven > 3.0.4. Do we really want to disqualify those users? > > /Anders > > >> >> thanks, >> Robert >> >> Op Mon, 13 Oct 2014 07:48:11 +0200 schreef Anders Hammar < >> and...@hammar.net>: >> >> Personally I have a problem with a Maven 3.0.5 requirement. The reason is >>> that there are IDEs out there that is based on Maven 3.0.4. Also, IIRC >>> there was just a very minor (code wise) difference between Maven 3.0.5 and >>> 3.0.4, so requiring 3.0.5 (instead of 3.0.4) wouldn't give us much. >>> Having said that, I'm in favor of moving to a Maven 3.0 requirement. And >>> making that a 3.0.4 requirement is fine with me. >>> >>> /Anders >>> >>> On Sun, Oct 12, 2014 at 3:25 PM, Karl Heinz Marbaise <khmarba...@gmx.de> >>> wrote: >>> >>> Hi Robert, >>>> >>>> from my point of view minimum to 3.0.5 ...nothing below...afterwards >>>> 3.1.1.....and then 3.2.1...the latest releases from the appropriate >>>> release >>>> lines 3.0.X, 3.1.X, 3.2.X,.... >>>> >>>> I wouldn't go to 3.1.0 at the moment cause that could be >>>> confusing....from >>>> user point of view...than there is a gap... >>>> >>>> 2.2.1 >>>> 3.1.1 >>>> >>>> From my side... >>>> >>>> Kind regards >>>> Karl Heinz Marbaise >>>> >>>> > Hi, >>>> >>>> >>>>> Right now we change the Maven prerequisite to 2.2.1 and I noticed some >>>>> new issues which already want to move it forward to 3.0.4. I wonder why >>>>> to move to this version. >>>>> >>>>> Most (API-)changes have been introduced with the 3.0 alpha and beta >>>>> releases. I don't think that the other 3.0.x releases provide that much >>>>> more changes. >>>>> So I would say that changing the required Maven version would be 3.0. >>>>> *If* we want to force users not to use 3.0.4 due to the CVE-2013-0253, >>>>> we should say that 3.0.5 is the next required version of Maven. >>>>> And I could go one step further: if we want to get rid of the >>>>> compatibility overhead for Aether (Sonatype versus Eclipse) we should >>>>> change it to 3.1.0 >>>>> >>>>> So I'd prefer to move forward to 3.0, maybe even to 3.1.0, but not to >>>>> 3.0.4 unless there are better reasons then I mentioned above. >>>>> >>>>> Any other opinions? >>>>> >>>>> thanks, >>>>> Robert >>>>> >>>>> >>>> Kind regards >>>> Karl Heinz Marbaise >>>> >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org >>>> For additional commands, e-mail: dev-h...@maven.apache.org >>>> >>>> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org >> For additional commands, e-mail: dev-h...@maven.apache.org >> >> > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
