aldettinger commented on issue #8027: URL: https://github.com/apache/camel-quarkus/issues/8027#issuecomment-3606649513
> It's probably unlikely to happen. In any case for CVEs, this tooling is internal to our project. It's not exposed to users.

It might be hard to predict. The tooling is internal for sure, yet published on Maven Central and probably in the scope of some security scanners, SBOM and whatnot. Having this on the same machine producing released artifacts might be delicate to explain. However, I also tend to think that a true exploit is low probability, yet not zero. And sure, it's good to remind that the tooling is not designed for production use.

The JDK 21 option is worth being part of the vote. We only lose detection of performance regression that would occur in JDK 17 only. At this stage, we have never faced such a situation. The tool could print a message when run on JDK 17. We could then defer the removal until Hyperfoil moves to JDK 24. With a bit of chance, the sliding windows will match.

Reading the comments again, we have 3 different options:
1) Remain on hyperfoil-maven-plugin 0.27.0 as long as camel-quarkus supports JDK 17
2) Remove the perf-regression
3) Upgrade hyperfoil-maven-plugin and keep regression testing capability on JDK 21 only.

From there, are we ready to open a vote or do we have more questions to answer?
