Hi Romain, Jody, Kevin, thanks a lot for your feedback.
The concerns we have are that the last update of Serp dates back to October 2014 and that we tried to contact the email which is on the sourceforge site and got a rejected mail delivery message. But we are not hosting the Serp source and have not checked for security issues on it.

@Kevin: Do I understand you right that Serp OpenJPA developers are checking Serp for security issues? And that you would or already did - in case of need - deliver a bug fixed Serp version together with OpenJPA?

Best regards,
Anneliese

Several OpenJPA developers have the ability to update the Serp repository. And, as Jody pointed out, we have had to do that from time to time for Java class file format updates. I would expect that Java 9 would need some similar updates. Serp has needed very little maintenance over the years. So I am not understanding the concern....

Kevin

On Mar 20, 2017 11:19, "Jody Grassel" <[email protected]> wrote:

> Hello. SERP is more or less a third party library hosted on SourceForge that is in maintenance mode. The last activity with SERP were updates to support Java 8 JVM instruction set additions and constant pool types, and it is likely that there will be updates to support such new additions to Java 9 once the Virtual Machine Specification has been finalized and released.
>
> You speak of security concerns, have you found a security/integrity bug in the SERP code that needs to be reported and corrected?
>
> On Mon, Mar 20, 2017 at 12:31 PM, Romain Manni-Bucau <[email protected]> wrote:
>
> > Hi Anneliese,
> >
> > last time we asked and got upgrades in serp when we needed but plan is to use ASM instead of serp for these parts.
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
> >
> > 2017-03-20 10:06 GMT+01:00 Anneliese Leipold <[email protected]>:
> >
> >> Hi,
> >>
> >> we are using OpenJPA in our product. Checking for security we found that Serp which is a 3rd party component of OpenJPA is no longer supported. This represents a security risk. So how do you address this issue? Do you take over ownership for it? Otherwise - probably not only we - would be forced to replace OpenJPA.
> >>
> >> Looking forward to your answer
> >>
> >> Best regards,
> >>
> >> Anneliese
> >>
> >> ANNELIESE LEIPOLD | Software Development Manager
> >> Phone: ++467216291509
> >> Oracle Agile A9
> >>
> >> ORACLE Deutschland B.V. & Co. KG
> >> Head office: Riesstr. 25, D-80992 München
> >> Court of registration: Amtsgericht München, HRA 95603
> >>
> >> General partner: ORACLE Deutschland Verwaltung B.V.
> >> Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
> >> Commercial register of the Chamber of Commerce Midden-Niederlande, No. 30143697
> >> Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher
> >>
> >> Oracle is committed to developing practices and products that help protect the environment

From: Anneliese Leipold
Sent: Monday, March 20, 2017 10:06 AM
To: [email protected]
Subject: OpenJPA 3rd party Serp no longer supported > security risk

Hi,

we are using OpenJPA in our product. Checking for security we found that Serp which is a 3rd party component of OpenJPA is no longer supported. This represents a security risk. So how do you address this issue? Do you take over ownership for it? Otherwise - probably not only we - would be forced to replace OpenJPA.

Looking forward to your answer

Best regards,

Anneliese
