Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package jackson-bom for openSUSE:Factory checked in at 2023-08-23 14:57:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jackson-bom (Old)
 and /work/SRC/openSUSE:Factory/.jackson-bom.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jackson-bom" Wed Aug 23 14:57:06 2023 rev:8 rq:1105098 version:2.15.2 Changes: -------- --- /work/SRC/openSUSE:Factory/jackson-bom/jackson-bom.changes 2022-06-19 21:11:01.470140448 +0200 +++ /work/SRC/openSUSE:Factory/.jackson-bom.new.1766/jackson-bom.changes 2023-08-23 14:57:48.426010838 +0200 @@ -1,0 +2,19 @@ +Mon Aug 21 13:29:12 UTC 2023 - Fridrich Strba <[email protected]> + +- Update to version 2.15.2 + * 2.15.2 (30-May-2023) + + No changes since 2.15.1 + * 2.15.1 (16-May-2023) + + #63: Update 'de.jjohannes:gradle-module-metadata-maven-plugin' + to 0.4.0 + + Add override for 'version.plugin.moditect' to be '1.0.0.Final' + until upgraded in 'oss-parent'/51 + * 2.15.0 (23-Apr-2023) + + #56: Change defaults for Felix OSGi Bundle plug-in to fix + timestamps for Reproducible Builds + + Add version for 'jackson-datatype-hibernate6' + + Add version for 'jackson-module-jsonSchema-jakarta' + * 2.14.0 (05-Nov-2022) + + #52: Gradle reports incorrect jackson-bom dependency version + +------------------------------------------------------------------- Old: ---- jackson-bom-2.13.3.tar.gz New: ---- jackson-bom-2.15.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ jackson-bom.spec ++++++ --- /var/tmp/diff_new_pack.aEXlTv/_old 2023-08-23 14:57:49.046011946 +0200 +++ /var/tmp/diff_new_pack.aEXlTv/_new 2023-08-23 14:57:49.054011960 +0200 @@ -1,7 +1,7 @@ # # spec file for package jackson-bom # -# Copyright (c) 2022 SUSE LLC +# Copyright (c) 2023 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,7 +17,7 @@ Name: jackson-bom -Version: 2.13.3 +Version: 2.15.2 Release: 0 Summary: Bill of materials POM for Jackson projects License: Apache-2.0 ++++++ jackson-bom-2.13.3.tar.gz -> jackson-bom-2.15.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/.github/workflows/main.yml new/jackson-bom-jackson-bom-2.15.2/.github/workflows/main.yml --- old/jackson-bom-jackson-bom-2.13.3/.github/workflows/main.yml 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/.github/workflows/main.yml 2023-05-30 22:28:38.000000000 +0200 
@@ -4,41 +4,46 @@ branches: - master - "3.0" - - "2.13" + - "2.15" paths-ignore: - "README.md" + - "release-notes/*" +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} strategy: fail-fast: false matrix: - java_version: ['8', '14'] + java_version: ['8', '11', '17'] os: ['ubuntu-20.04'] env: JAVA_OPTS: "-XX:+TieredCompilation -XX:TieredStopAtLevel=1" steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - name: Set up JDK - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: - distribution: "adopt" + distribution: 'temurin' java-version: ${{ matrix.java_version }} + cache: 'maven' server-id: sonatype-nexus-snapshots server-username: CI_DEPLOY_USERNAME server-password: CI_DEPLOY_PASSWORD - - uses: actions/[email protected] - with: - path: ~/.m2/repository - key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} - restore-keys: | - ${{ runner.os }}-maven- + # See https://github.com/actions/setup-java/blob/v2/docs/advanced-usage.md#Publishing-using-Apache-Maven + # gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import + # gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase - name: Build - run: ./mvnw -V -B -ff -ntp verify + run: ./mvnw -B -q -ff -ntp verify + - name: Extract project Maven version + id: projectVersion + run: echo "version=$(./mvnw org.apache.maven.plugins:maven-help-plugin:3.3.0:evaluate -DforceStdout -Dexpression=project.version -q)" >> $GITHUB_OUTPUT - name: Deploy snapshot - if: github.event_name != 'pull_request' && matrix.java_version == '8' + if: github.event_name != 'pull_request' && matrix.java_version == '8' && endsWith(steps.projectVersion.outputs.version, '-SNAPSHOT') env: CI_DEPLOY_USERNAME: ${{ secrets.CI_DEPLOY_USERNAME }} CI_DEPLOY_PASSWORD: ${{ secrets.CI_DEPLOY_PASSWORD }} # MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }} - run: ./mvnw -V -B -ff -DskipTests -ntp source:jar deploy + run: ./mvnw -B -q -ff 
-DskipTests -ntp source:jar deploy diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/README.md new/jackson-bom-jackson-bom-2.15.2/README.md --- old/jackson-bom-jackson-bom-2.13.3/README.md 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/README.md 2023-05-30 22:28:38.000000000 +0200 @@ -1,10 +1,19 @@ -# jackson-bom +# Jackson BOM -A "bill of materials" POM for Jackson dependencies. +This project contains "bill of materials" POM for Jackson dependencies. +For more on concept of BOMs, see: -Since Jackson 2.9.2 also contains `jackson-base` internal parent for actual Jackson -components: this should not be relied by components other than standard Jackson -component maintained by development team. It is bundled here for convenience. +* [The Bill of Materials in Maven](https://dzone.com/articles/the-bill-of-materials-in-maven) +* [Using Mavenâs Bill of Materials (BOM)](https://reflectoring.io/maven-bom/) + +But the basic idea is that instead of specifying version explicitly for every Jackson +component, as part of dependency definition, one can use a BOM to get a full, complete +set of consistent versions to use. + +## Status + +[](https://travis-ci.org/FasterXML/jackson-bom) +[](https://tidelift.com/subscription/pkg/maven-com-fasterxml-jackson-jackson-bom?utm_source=maven-com-fasterxml-jackson-jackson-bom&utm_medium=referral&utm_campaign=readme) ## Usage 
@@ -14,23 +23,25 @@ <parent> <groupId>com.fasterxml.jackson</groupId> <artifactId>jackson-bom</artifactId> - <version>2.13.2</version> + <version>2.14.2</version> </parent> ``` -or by importing just the dependencies: +or by importing the BOM to get versions via so-called "managed dependencies" +(NOTE: BOM can NOT be used as an explicit dependency; it MUST be either parent pom +or imported in `<dependencyManagement>` section) ```xml <dependencyManagement> - <dependencies> - <dependency> - <groupId>com.fasterxml.jackson</groupId> - <artifactId>jackson-bom</artifactId> - <version>2.13.2</version> - <scope>import</scope> - <type>pom</type> - </dependency> - </dependencies> + <dependencies> + <dependency> + <groupId>com.fasterxml.jackson</groupId> + <artifactId>jackson-bom</artifactId> + <version>2.14.2</version> + <scope>import</scope> + <type>pom</type> + </dependency> + </dependencies> </dependencyManagement> ``` 
@@ -38,10 +49,49 @@ former includes many other settings. Usually latter is preferable, unless component is very closely coupled with core Jackson components. -## Secondary +## Jackson Versioning + +### Semantic Versioning + +Jackson tries to follow [Semantic Versioning](https://en.wikipedia.org/wiki/Software_versioning#Semantic_versioning) (aka "SemVer") +for its Public API; public methods of types like `ObjectMapper` and `JsonFactory` that calling applications need. +This means that code written against Jackson 2.0.0 that only uses Public API should still work with no changes with Jackson 2.14.0. + +Semantic versioning is, however, NOT guaranteed for types considered internal, and in particular customizations by sub-classing is not covered by same guarantees. +In case of Internal API (extension points meant for Jackson core components) Jackson will still try to guarantee compatibility with "adjacent" minor versions: that is, code written against Jackson 2.9.0 should still work against Jackson 2.10.x (and in many cases further, but at least with the "next version"). +Deprecation markers are added for internal methods and types where necessary so that if no deprecation warnings are encountered, code should work for next two minor versions. + +It is understood that the distinction between "Public" and "Internal" APIs is not always easy to distinguish; Javadocs are used in places to try to make distinction clear. + +Having said all that, for most users and most usage Semantic Versioning is maintained. + +### "Normal" minor version releases + +Most of the time all Jackson components are released using 3-digit version, like `2.14.0`. +If so, there will be, for this version: + +1. A full set of all core Jackson components under `FasterXML` Github organization +2. 
Matching `jackson-bom` + +But occasionally there is a need for a "hot fix" -- usually a fix to a security issue (aka "CVE") -- +either in-between "full minor releases" or after specific branch has been closed for active +development. In such cases a version of only component affected (most often `jackson-databind`) +is released and there is no full set of components. +Version number will, in such cases, consist of 4 digits like [jackson-databind-2.12.6.1](https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.12.6.1). +Note: the reason for NOT releasing a full set in such cases is both due to effort needed (full set takes multiple hours to release in the optimal case) and to avoid having multiple full sets with very few changes. + +Because there is no full set of `2.12.6.1` components -- and there may be 1 or more components with `2.12.6.1` (or we may have `2.12.6.2` and so on), it is not practical to release BOM with that version (both since there may be various numbers of micro-patches over time, and since assumption by users could be there IS a full set), a different version convention is used for these case: use of datestamp version. + +As the specific example, `jackson-databind` `2.12.6.1` was released on March 26, 2022, and so the matching bom is [jackson-bom-2.12.6.20220326](https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom/2.12.6.20220326). Some users dislike this longer notation, but it has some specific benefits: + +* Version numbers will sort appropriately: `2.12.6.20220326` comes after both `2.12.6` and hypothetical `2.12.6.1` +* Version number gives an idea of release date, wrt time of hot fix(es) included + +## Secondary: "base" sub-project Note that this repo ALSO contains `jackson-base` (see under dir `base/`), which is the intended -parent pom for Jackson core components. It extends `jackson-bom`, augmenting with settings that +parent pom for Jackson core components. 
+It extends `jackson-bom`, augmenting with settings that are only/mostly relevant for Jackson components, but not to things that depend on Jackson in general. Use of `jackson-base` is not recommended for libraries that are not meant to be coupled with Jackson release cycle and settings. @@ -56,10 +106,9 @@ ### Enterprise support -Available as part of the Tidelift Subscription. +Available as part of the [Tidelift](https://tidelift.com/subscription/pkg/maven-com-fasterxml-jackson-jackson-bom) Subscription. The maintainers of `jackson-bom` and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. -[Learn more.](https://tidelift.com/subscription/pkg/maven-com-fasterxml-jackson-jackson-bom?utm_source=maven-com-fasterxml-jackson-jackson-bom&utm_medium=referral&utm_campaign=enterprise&utm_term=repo) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/SECURITY.md new/jackson-bom-jackson-bom-2.15.2/SECURITY.md --- old/jackson-bom-jackson-bom-2.13.3/SECURITY.md 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/SECURITY.md 2023-05-30 22:28:38.000000000 +0200 @@ -1,6 +1,6 @@ # Security Policy -Last Updated: 2020-03-21 +Last Updated: 2022-09-20 ## Reporting a Vulnerability 
@@ -12,3 +12,13 @@ Tidelift will route all reports via their system to maintainers of relevant package(s), and start the process that will evaluate concern and issue possible fixes, send update notices and so on. Note that you do not need to be a Tidelift subscriber to file a security contact. + +## Verifying Artifact signatures + +(for more in-depth explanation, see [Apache Release Signing](https://infra.apache.org/release-signing#keys-policy) document) + +To verify that any given Jackson artifact has been signed with a valid key, have a look at `KEYS` file of the main Jackson repo: + +https://github.com/FasterXML/jackson/blob/master/KEYS + +which lists all known valid keys in use. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/base/pom.xml new/jackson-bom-jackson-bom-2.15.2/base/pom.xml --- old/jackson-bom-jackson-bom-2.13.3/base/pom.xml 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/base/pom.xml 2023-05-30 22:28:38.000000000 +0200 @@ -4,7 +4,7 @@ <parent> <groupId>com.fasterxml.jackson</groupId> <artifactId>jackson-bom</artifactId> - <version>2.13.3</version> + <version>2.15.2</version> </parent> <artifactId>jackson-base</artifactId> <name>Jackson Base</name> 
@@ -22,9 +22,20 @@ </licenses> <properties> + <!-- 06-May-2023, tatu: uUntil upgraded in oss-parent/51 need override here: --> + <version.plugin.moditect>1.0.0.Final</version.plugin.moditect> + <moditect.sourceGroup>${project.groupId}</moditect.sourceGroup> <moditect.sourceArtifact>${project.artifactId}</moditect.sourceArtifact> <moditect.sourceVersion>${project.version}</moditect.sourceVersion> + + <!-- To fix [jackson-bom#52] need to first use better default version for + parent pom, and then also allow override as need be + --> + <jackson-bom.version>${project.parent.version}</jackson-bom.version> + + <!-- for Reproducible Builds --> + <project.build.outputTimestamp>2023-05-30T20:28:33Z</project.build.outputTimestamp> </properties> <dependencies> @@ -171,7 +182,7 @@ <plugin> <groupId>de.jjohannes</groupId> <artifactId>gradle-module-metadata-maven-plugin</artifactId> - <version>0.2.0</version> + <version>0.4.0</version> <executions> <execution> <goals> @@ -184,7 +195,7 @@ <dependency> <groupId>com.fasterxml.jackson</groupId> <artifactId>jackson-bom</artifactId> - <version>${project.version}</version> + <version>${jackson-bom.version}</version> </dependency> </platformDependencies> </configuration> 
@@ -215,6 +226,33 @@ </execution> </executions> </plugin> + <!-- 27-Nov-2022, tatu: [bom#56] Configure Felix-bundle and maven-jar plugins to + use fixed Timestamp correctly for included class files (needed for Reproducible + Builds) + --> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + <executions> + <execution> + <id>bundle-manifest</id> + <phase>process-classes</phase> + <goals> + <goal>manifest</goal> + </goals> + </execution> + </executions> + </plugin> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-jar-plugin</artifactId> + <configuration> + <archive> + <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile> + </archive> + </configuration> + </plugin> + </plugins> </pluginManagement> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/pom.xml new/jackson-bom-jackson-bom-2.15.2/pom.xml --- old/jackson-bom-jackson-bom-2.13.3/pom.xml 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/pom.xml 2023-05-30 22:28:38.000000000 +0200 @@ -6,7 +6,7 @@ <groupId>com.fasterxml.jackson</groupId> <artifactId>jackson-parent</artifactId> <!-- note: does NOT change for every version of bom --> - <version>2.13</version> + <version>2.15</version> </parent> <artifactId>jackson-bom</artifactId> @@ -14,7 +14,7 @@ <description>Bill of Materials pom for getting full, complete set of compatible versions of Jackson components maintained by FasterXML.com </description> - <version>2.13.3</version> + <version>2.15.2</version> <packaging>pom</packaging> <modules> 
@@ -45,11 +45,11 @@ <connection>scm:git:[email protected]:FasterXML/jackson-bom.git</connection> <developerConnection>scm:git:[email protected]:FasterXML/jackson-bom.git</developerConnection> <url>https://github.com/FasterXML/jackson-bom</url> - <tag>jackson-bom-2.13.3</tag> + <tag>jackson-bom-2.15.2</tag> </scm> <properties> - <jackson.version>2.13.3</jackson.version> + <jackson.version>2.15.2</jackson.version> <!-- 25-Sep-2019, tatu: With Jackson 2.x we will release full patch-level versions of annotations BUT they are all identical, content-wise. @@ -71,6 +71,9 @@ <jackson.version.module.scala>${jackson.version.module}</jackson.version.module.scala> <!-- JPMS Library Updates--> <javax.activation.version>1.2.0</javax.activation.version> + + <!-- for Reproducible Builds --> + <project.build.outputTimestamp>2023-05-30T20:28:33Z</project.build.outputTimestamp> </properties> <dependencyManagement> @@ -170,7 +173,7 @@ <groupId>com.fasterxml.jackson.datatype</groupId> <artifactId>jackson-datatype-hibernate4</artifactId> <version>${jackson.version.datatype}</version> - </dependency> + </dependency> <dependency> <groupId>com.fasterxml.jackson.datatype</groupId> <artifactId>jackson-datatype-hibernate5</artifactId> @@ -181,6 +184,11 @@ <artifactId>jackson-datatype-hibernate5-jakarta</artifactId> <version>${jackson.version.datatype}</version> </dependency> + <dependency> <!-- Added in 2.15 --> + <groupId>com.fasterxml.jackson.datatype</groupId> + <artifactId>jackson-datatype-hibernate6</artifactId> + <version>${jackson.version.datatype}</version> + </dependency> <dependency> <groupId>com.fasterxml.jackson.datatype</groupId> <artifactId>jackson-datatype-hppc</artifactId> 
@@ -356,6 +364,11 @@ <artifactId>jackson-module-jsonSchema</artifactId> <version>${jackson.version.module}</version> </dependency> + <dependency> <!-- 2.15+ Jakarta variant as well [jsonSchema#151] --> + <groupId>com.fasterxml.jackson.module</groupId> + <artifactId>jackson-module-jsonSchema-jakarta</artifactId> + <version>${jackson.version.module}</version> + </dependency> <dependency> <groupId>com.fasterxml.jackson.module</groupId> <artifactId>jackson-module-kotlin</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/jackson-bom-jackson-bom-2.13.3/release-notes/VERSION-2.x new/jackson-bom-jackson-bom-2.15.2/release-notes/VERSION-2.x --- old/jackson-bom-jackson-bom-2.13.3/release-notes/VERSION-2.x 2022-05-14 16:24:21.000000000 +0200 +++ new/jackson-bom-jackson-bom-2.15.2/release-notes/VERSION-2.x 2023-05-30 22:28:38.000000000 +0200 @@ -1,6 +1,6 @@ Project: jackson-bom / jackson-base -Contains "Bill-of-Materials" for all Jackson components for main component +Contains "Bill of Materials" for all Jackson components for main component ("jackson-bom"), as well as parent pom ("jackson-base") for Jackson components themselves. Only former should be extended by anything other than official Jackson components (core, modules) 
@@ -9,6 +9,33 @@ === Releases (note: only includes patches with actual changes) ------------------------------------------------------------------------ +2.15.2 (30-May-2023) + +No changes since 2.15.1 + +2.15.1 (16-May-2023) + +#63: Update `de.jjohannes:gradle-module-metadata-maven-plugin` to 0.4.0 +- Add override for `version.plugin.moditect` to be `1.0.0.Final` until + upgraded in `oss-parent`/51 + +2.15.0 (23-Apr-2023) + +#56: Change defaults for Felix OSGi Bundle plug-in to fix timestamps + for Reproducible Builds + (suggested by Hervé B (@hboutemy)) +- Add version for `jackson-datatype-hibernate6` +- Add version for `jackson-module-jsonSchema-jakarta` + +2.14.2 (28-Jan-2023) + +No changes since 2.14.0 + +2.14.0 (05-Nov-2022) + +#52: Gradle reports incorrect jackson-bom dependency version + +2.13.4 (03-Sep-2022) 2.13.3 (14-May-2022) No changes since 2.13.2
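Review bot: In the `.github/workflows/main.yml` hunk, `actions/checkout@v3` and `actions/setup-java@v3` are referenced by mutable tag in a job whose "Deploy snapshot" step receives `secrets.CI_DEPLOY_USERNAME` and `secrets.CI_DEPLOY_PASSWORD`; pinning both actions to a full commit SHA would keep a retagged action from running with those credentials. The new top-level `permissions: contents: read` is a good default and should stay. The added comment still links to `setup-java/blob/v2/docs/advanced-usage.md` although the action is now v3, and `>> $GITHUB_OUTPUT` in the "Extract project Maven version" step should be quoted as `>> "$GITHUB_OUTPUT"`.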
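Review bot: In the `README.md` hunks, the Usage examples are bumped only to `<version>2.14.2</version>` while this release is 2.15.2, so anyone copying either the `<parent>` or the `<dependencyManagement>` snippet pins an older BOM; consider updating both at release time. The new "Status" section links to `travis-ci.org` although the build touched by this same patch is defined in `.github/workflows/main.yml`, and both links under "Status" have empty link text. The "hot fix" paragraph would be easier to act on if it stated explicitly whether consumers of `jackson-bom` `2.12.6` must move to the datestamp BOM (`2.12.6.20220326`) to receive `jackson-databind` `2.12.6.1`.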
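Review bot: In the `SECURITY.md` hunk, the new "Verifying Artifact signatures" section names the `KEYS` file but gives no verification steps and no key fingerprints, so a reader cannot tell what "signed with a valid key" means in practice. Suggest adding the procedure (import `KEYS`, then check an artifact's detached `.asc` signature with `gpg --verify`) and noting that the link targets `blob/master`, whose content changes over time.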
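Review bot: In the `base/pom.xml` hunks, the added `maven-bundle-plugin` and `maven-jar-plugin` entries under `<pluginManagement>` carry no `<version>`; please confirm both versions are managed by a parent pom, since an unversioned plugin works against the Reproducible Builds goal stated in the comment. The comment `uUntil upgraded in oss-parent/51` has a typo ("uUntil"). `project.build.outputTimestamp` is now hardcoded to `2023-05-30T20:28:33Z` in both `base/pom.xml` and the root `pom.xml`, so the comment should say how that value is updated on each release.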
