Hey Joe,

Not releasing any more 2.0.x was one of the possible choices that I was
leaning toward too.  The only thing that kept it from being my first
recommendation was that I was sad that so much work on the 2.0 branch
would never get its day in the sun (at least not as 2.0).

But, as far as stumbling blocks to moving up...I don't think there
should be any large ones.  I have been keeping current so I don't
remember what (if anything) I had to do to move up to 2.1.

Actually, that is not entirely true.  There were a number of jar files
that used to be included in Geronimo that were removed.  I have since
had to add them back to the repository whenever I reinstall.

I think that we already handle deployment descriptors for older versions
automatically (at least back to 2.0), so those should not be a problem.

So, I think that if we put together a table of libraries that are no
longer supplied and/or whose versions are not backwards compatible -
that might be enough to handle at least the majority of conversion issues.

But, if we do not release 2.0.3 then I think that we need to get rather
vocal about the security issues and the -urgent- need to upgrade to 2.1+.

Jay

Joe Bohn wrote:
> 
> I apologize for not raising this question on the earlier thread.
> 
> I'm wondering if it is a good idea to release a 2.0.3 at this point in
> time.  We've had several releases of 2.1.x (four) and we'll hopefully
> release 2.2 in the not too distant future.  I'm a little concerned that
> releasing a 2.0.3 now will just encourage people to continue on the
> 2.0.* base rather than taking the plunge and moving up to 2.1.*.  It's
> been a year since we released 2.0.2 and in addition to the security
> fixes there have been a lot of other fixes/enhancements in the 2.1 branch.
> 
> What are the big stumbling blocks that prevent a user from moving from
> 2.0.2 to 2.1.3 to resolve the security concerns?
> 
> Rather than releasing 2.0.3, should we maybe consider a greater focus on
> ensuring there is a smooth migration path from 2.0.2 to 2.1.3?  Once we
> have clearly identified any issues and ensured that we have adequate
> directions we could notify the user community that there will be no
> further 2.0.* releases and encourage them to move to 2.1.3.  It might
> actually be easier for us to release 2.0.3 in the short term, but sooner
> or later users will have to address the migration issues ... so I'm just
> wondering if it might be a better use of our time to address those
> migration issues now.
> 
> Joe
> 
> Jay D. McHugh wrote:
>> The 2.0.x branch got sidelined by an intermittent
>> ConcurrentModificationException during stress testing.  But, recently
>> there were a number of security issues found that apply to 2.0.2.
>>
>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>> release (It actually already was started).
>>
>> Server fixes/enhancements are listed on the Release Status page (work in
>> progress)-
>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>
>> Details on included security fixes in dependent components are listed on
>> the Security page -
>> http://geronimo.apache.org/20x-security-report.html
>>
>> I have already begun moving issues into 2.0.4 - Does anyone have
>> additional fixes they would like to include in 2.0.3 before we cut the
>> branch and start the release process?
>>
>> If I have moved an issue that you want to work on (And you have time to
>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>> yourself.
>>
>>
>> Jay
>>
> 
