If you're speaking on behalf of others, please let those people explain their situation. So far I've only heard you, that's not enough for me to support a backport.
Robert

On 2-4-2021 11:01:12, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

On Fri, 2 Apr 2021 at 10:44, Robert Scholte wrote:

> I think there are a couple of issues here:
> - To me this shouldn't be done with a PR, but as a set of cherry-picks to
> keep the original commit history and references.
>

Was the way it was created, PR is just to share it there.

> - Branch 3.6.x contains commits that are unrelated to the 3.8.x branch
>

Not sure what you have in mind behind that except that if so 3.8 can need to be updated - but not sure I got it right.

> - I still don't see the need for this backport. I really doubt that people
> would pick the possible 3.6.4 over 3.8.1 if they want to protect themselves
> and do the configuration themselves. As you keep pushing for such a
> release, please let the community comment (including why they need it and
> why using 3.8.1 is not an option) on MNG-7134[1] first.
>

I don't doubt about it, I have some contacts needing to stick to 3.6 + be CVE free at the same time for at least the coming 2 years, just trying to make these users happy. I already explained in previous posts why it was saner to do it on maven side (to avoid forks mainly which can lead to different "fixes" and behaviors - already saw it in the past + keep the common maven tooling as sdkman and IDEs plain support).

>
> Robert
>
> [1] https://issues.apache.org/jira/browse/MNG-7134
> On 2-4-2021 09:21:04, Romain Manni-Bucau wrote:
> Hi all,
>
> As explained in another thread, I created
> https://github.com/apache/maven/pull/462 to backport the security fix on
> 3.8 in 3.6.x.
> Anyone able to review it?
> Only change is that the default configuration is not there but it can be
> enabled - idea is to document it instead of breaking by default.
>
> Romain Manni-Bucau