Hi all, I have created a branch: "security-updates" ... here I updated most of the libraries to get rid of vulnerable artifacts. All of the Tomcat modules I had to comment out, as there's no invulnerable Tomcat version up to 7. I also commented out the JMS-related stuff, as there's no ActiveMQ version without vulnerabilities. And I especially commented out the spring-boot-starter, as it relies on the spring-flex-core library, which is discontinued on the Spring side and greatly out of date. I also tried updating to the latest Spring version; it seems there was not a single pre-6.0 version that wasn't reporting a lot of CVEs.
One thing that needs changing before releasing a new version of BlazeDS would be to update from commons-httpclient:commons-httpclient to org.apache.httpcomponents:httpclient ... however, this was not just a small update of the dependencies. Here the code would require some refactoring. I updated the build to the latest Apache parent pom, updated the plugins, and had to update the compiler to Java 1.8 as the baseline version, as 1.6 I can no longer build. I added the rat-plugin, as some files were missing Apache headers, and I added the OWASP plugin to scan for vulnerabilities and to fail the build if something above a score of 4.0 is found. Given my history with Flex and Royale, I don't feel the desire to put any more effort into this. You should now be on a good track to being able to release a new version of BlazeDS. I don't care if this is in Apache Flex or in Apache Royale.

Chris

-----Original Message-----
From: Rich Bowen <rbo...@apache.org>
Sent: Wednesday, 15 June 2022 20:10
To: dev@flex.apache.org
Subject: Project retiring and board discussion

I wanted to follow up on today's discussion on the board of directors call, but first I have read a little bit of your mailing list archive, and that has changed what I was going to say. Over the past year, the project has reported, in almost every board report, that the project is inactive and planning to retire. But then I read the last few months of email to this list, and it appears that the actual project community has no such desire. Mostly I want to commend you for having that conversation and putting the user community first. To be clear, there is no obligation to produce releases in order to continue to operate a user-centric project. If you have users that rely on you, and you have an active community (where "active" is defined as 3+ PMC members able to respond in the case of a CVE, and folks who are available to answer user questions), then you still have an "active" project.
That said, it's worth noting Chris Dutz's comment on your board report, regarding the BlazeDS sub-project and its Log4J dependencies. He suggests possibly investigating passing that sub-project over to Royale, if there are not sufficient people here to address that concern. Anyways, please do reach out if you have any questions. But know that "active" has many different possible definitions, and that projects are not obligated to meet every bar in order to be serving their user community. --Rich, for the Board of Directors.
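The build changes Chris describes above (Java 1.8 baseline, an Apache RAT header check, and OWASP Dependency-Check failing the build at a CVSS threshold of 4.0) can be expressed in a Maven pom like the following. This is an added example written for this page; it is not taken from the "security-updates" branch or from the BlazeDS build, and the plugin versions and the RAT exclude pattern are assumptions.

```xml
<!-- Added example (not BlazeDS's own pom): plugin configuration for the setup
     described in the thread. Plugin versions and the RAT exclude are assumed. -->
<project>
  <properties>
    <!-- compile against the Java 1.8 baseline -->
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>

  <build>
    <plugins>
      <!-- Apache RAT: fail the build on source files that lack the ASF license header -->
      <plugin>
        <groupId>org.apache.rat</groupId>
        <artifactId>apache-rat-plugin</artifactId>
        <version>0.15</version> <!-- assumed version -->
        <executions>
          <execution>
            <phase>verify</phase>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
        <configuration>
          <excludes>
            <!-- assumed exclude; generated or non-source files that legitimately carry no header -->
            <exclude>**/target/**</exclude>
          </excludes>
        </configuration>
      </plugin>

      <!-- OWASP Dependency-Check: scan resolved artifacts against the NVD and fail
           when any finding has a CVSS score of 4.0 or higher -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>8.4.0</version> <!-- assumed version -->
        <executions>
          <execution>
            <phase>verify</phase>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
        <configuration>
          <failBuildOnCVSS>4.0</failBuildOnCVSS>
          <!-- keep machine- and human-readable reports under target/ for triage -->
          <formats>
            <format>HTML</format>
            <format>JSON</format>
          </formats>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn verify` stops on the first module whose dependency tree carries a CVE at or above the threshold, which is exactly what exposes modules like the Tomcat and ActiveMQ ones as unbuildable until they are upgraded or removed. Findings that are confirmed not to apply can be recorded in an XML suppression file referenced via the plugin's `suppressionFiles` parameter rather than by lowering the threshold.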