Hi Phil,

On 13.11.2025 23:12, Phil Steitz wrote:
> I agree with the sentiment here, but I also understand Vladimir's position.
> We should formally EOL lang2 (and *many* other n-k versions of Commons
> components) unless we are willing to backport security fixes.
+1 on declaring Commons Lang 2.x EOL. We should have done this a long time ago. Without an *explicit* declaration, user expectations vary: some assume any version not binary-compatible with the latest is unsupported, while others expect a 14-year-old release to still be maintained. Since `commons-logging` remained "supported" despite 9 years without a release, those expectations aren't unfounded. Personally, I prefer to ask the maintainers [1] rather than make assumptions.

In the near future, Apache Trusted Releases will let us use the upcoming Common Lifecycle Enumeration ECMA standard (see [1] and [2]), but for now we need a vote and an *explicit* website update.

A brief ECMA note: the standard developed by TC54-TG4 (OSS Sustainability) will define "support" levels [4] for projects and releases. It urgently needs experienced contributors, including a "co-convenor." Since the ASF has been an ECMA member since June, volunteers can contact me at [email protected] (or just join the OWASP CycloneDX Slack).

> While the one dependency trace he posted may not be "real" and 99%
> of others may "miss" the CVE, it is not practical for users to
> validate these things and build tools are going to kick them out.

We now have a new set of tools [5] that automate the kind of analysis Emmanuel showed in this thread, pre-computing call graphs of all dependencies. I will start running this for Solr 9.10.0's dependencies today, and I can also do it for gradle-nexus-staging-plugin so Vladimir can dismiss that false positive.

> I will start another thread on the general topic, but I think we
> should provide a backport patch for this. I have not pushed a
> release in a while, but I will rely on Gary's kind help to get this
> done assuming others are amenable.

This is a slippery slope and we need *clear* rules. Some users have already asked Commons to release `commons-lang3` 3.17.1 [6] because their policy doesn't allow upgrading to a new *minor* version.
Piotr

[1] https://lists.apache.org/thread/t940gc5b5g7k176ry47okzhlv29y03k1
[2] https://github.com/apache/tooling-trusted-releases/issues/183
[3] https://github.com/apache/tooling-trusted-releases/issues/222
[4] https://docs.google.com/document/d/1IZnHEwzz1N7LbChVkZTE_dfo3I2np8rULssq5I2wchM/
[5] https://github.com/vex-generation-toolset
[6] https://github.com/spring-projects/spring-boot/issues/46437
