Hey, I am interested in legacy/vintage core enterprise systems deep inside large enterprises and governments, where source code changes are out of the question, that have lit up yellow in security/compliance dashboards due to the old CVE against log4j 1.2 for years, that now light up as orange due to all the increased attention to log4j.
There’s some Java 6 installs. Rule of thumb: when I know of Java 6 installs then a poor guy somewhere is maintaining a system like that on JDK 1.4.

Practically, securing these systems is not hard. But, having dashboards go green “the easy way” needs an official upstream (or accepted redistributor) mitigation that is then runbooked and ideally automated.

On the PRs I made you can use -P no-toolchain to build with any modern JDK that Maven+plugins are happy with. Already proven with a working GitHub Actions Maven build. What’s so hard?

Could you check if the -P no-toolchain setup works for you on Mac out of the box? It might also be good to add a patch to switch which build is default for convenience of the average Mac user.

Cheers,

Leo

On Thu, 23 Dec 2021 at 13:33, Vladimir Sitnikov <sitnikov.vladi...@gmail.com> wrote:

> >using maven toolchain feature
>
> Are toolchains really needed, especially, 1.6 and 1.7?
> I believe Java "target=1.4" + Java 1.8 would be good enough.
> If there are javadoc "warnings or errors", we could just suppress it.
> At the end of the day, making the build 100 times harder by requesting Java 1.6
> looks like an overkill.
>
> I think there's no way to install Java 1.6 on modern macOS.
>
> Vladimir