> On Jan 8, 2025, at 11:13 AM, Tim Allison <talli...@apache.org> wrote:
>
> Thank you, all. I'm sorry for the noise.
>
> As you all point out, these are not a POI or even XMLBeans issue, and
> provided should be, ahem, provided.
>
> We added convergence checks in Tika after an irate downstream user
> complained.
Just curious if the irate user complaint was based on SBOMs? If so, were they
using CycloneDX generated by a Maven build, or SPDX from GitHub’s Dependency
graph Insights?
> On Tika, we "fix" the convergence problems by specifying the
> most recent version in the dependencyManagement section of our parent pom.
> This relies on the hope of backward compatibility for the more recent
> version for a conflict, and it also relies on unit tests and large scale
> regression testing (along the lines of what PJ (or was it Dominik?)
> suggested).
>
> Again, many thanks!
Best,
Dave
>
> Cheers,
>
> Tim
>
> On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
> <dominik.stad...@gmx.at.invalid> wrote:
>
>> Hi,
>>
>> To be honest, I also don't see too much value in applying such checks.
>> There will always be failures as soon as larger dependencies are added to a
>> project and it is nearly impossible to avoid it while at the same time
>> keeping dependencies up-to-date for fixing security issues.
>>
>> Dominik.
>>
>>
>> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
>>
>>> We won't be changing this for the release.
>>> I, personally, do not understand the use of strict dependency convergence
>>> checks. If you have a few dependencies and those dependencies have common
>>> transitive dependencies - you are almost guaranteed to have a convergence
>>> issue.
>>> Why should these tools not be intelligent enough to spot that log4j 2.24.2
>>> and 2.24.3 differ only at the patch level (semantic versioning)?
>>> For me, strict dependency convergence checks are a very poor substitute
>>> for users running acceptance tests when they want to change the versions of
>>> their dependencies.
>>> You should also strongly consider adding more dependencies in your builds
>>> so that you control the version of the jars explicitly instead of relying
>>> on the versions in your transitive dependencies. This would also make your
>>> dependency convergence checks happy.
>>>
>>>
>>>
>>> On 2025/01/08 14:47:10 Joep Weijers wrote:
>>>> Hi all,
>>>> Great to hear that 5.4.0 is almost released! I tested the version out
>>>> and did notice the following dependency convergence issue on
>>>> org.apache.logging.log4j:log4j-api:
>>>> (Small Maven quickstart archetype pom with a dependency on poi-ooxml
>>>> 5.4.0, running `mvn dependency:tree -Dverbose
>>>> -Dincludes=org.apache.logging.log4j:log4j-api`)
>>>> [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
>>>> [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
>>>> [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>> [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
>>>> [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
>>>> [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
>>>> Not sure if you’d like to address this before release, but this would
>>>> make our build with the dependencyConvergence rule enabled in the Maven
>>>> enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api
>>>> dependency from poi-ooxml.
>>>> Kind regards,
>>>> Joep Weijers
>>>>
>>>> On 2025/01/07 19:27:58 Tim Allison wrote:
>>>>> +1
>>>>>
>>>>> Apologies for my delay. Looks good.
>>>>>
>>>>> Confirmed src.tgz digest
>>>>> Built locally and ran tests
>>>>> Integrated with Tika's main branch.
>>>>>
>>>>> Thank you PJ, Dominik and team!
>>>>>
>>>>> P.S. I did notice some convergence issues. I don't think these are a
>>>>> showstopper...not clear if we should fix these in XMLBeans or let
>>>>> downstream users fix them in the next release.
>>>>>
>>>>> [ERROR] Dependency convergence error for
>>>>> org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
>>>>> [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
>>>>> [ERROR]
>>>>> [ERROR]
>>>>> [ERROR] Dependency convergence error for
>>>>> org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
>>>>> [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
>>>>> [ERROR] and
>>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
>>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
>>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
>>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
>>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
>>>>>
>>>>>
>>>>> On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
>>>>>
>>>>>> We need at least 1 more review from a POI PMC member before we can
>>>>>> proceed. If anyone has time, it would be much appreciated.
>>>>>>
>>>>>>
>>>>>> On 2025/01/02 13:29:43 Dominik Stadler wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I tested the staged binaries with various projects and reviewed contents of
>>>>>>> the source-distribution. Also compilation from source did work. So
>>>>>>> everything fine as far as I see.
>>>>>>>
>>>>>>> I vote +1 for release!
>>>>>>>
>>>>>>> Thanks PJ for preparing the release! Dominik.
>>>>>>>
>>>>>>> On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello POI Community,
>>>>>>>>
>>>>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC2).
>>>>>>>>
>>>>>>>> The discussion thread:
>>>>>>>> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
>>>>>>>>
>>>>>>>> The release candidate:
>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
>>>>>>>>
>>>>>>>>
>>>>>>>> This release has been signed with a PGP key available here:
>>>>>>>> https://downloads.apache.org/poi/KEYS
>>>>>>>>
>>>>>>>> Release Notes:
>>>>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
>>>>>>>>
>>>>>>>> I will add the svn tag REL_5_4_0 if the vote passes.
>>>>>>>>
>>>>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
>>>>>>>>
>>>>>>>> Please download, verify, and test.
>>>>>>>>
>>>>>>>>
>>>>>>>> We have also staged jars in the Apache Nexus Repository.
>>>>>>>> These were built with the same code as appears in this Source Release
>>>>>>>> Candidate.
>>>>>>>> We would appreciate if users could test with these too.
>>>>>>>>
>>>>>>>> If anyone finds any serious problems with these jars, please also notify
>>>>>>>> us on this thread.
>>>>>>>>
>>>>>>>>
>>>>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/
>>>>>>>>
>>>>>>>> In gradle, you can add this repository.
>>>>>>>>
>>>>>>>> maven {
>>>>>>>>     url "https://repository.apache.org/content/groups/staging/"
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> The VOTE will pass if we have more positive votes than negative votes
>>>>>>>> and there must be a minimum of 3 approvals from POI PMC members.
>>>>>>>>
>>>>>>>> I will leave the vote open for at least a week.
>>>>>>>>
>>>>>>>> [ ] +1 approve
>>>>>>>> [ ] +0 no opinion
>>>>>>>> [ ] -1 disapprove with the reason
>>>>>>>>
>>>>>>>> To learn more about Apache POI, please see https://poi.apache.org/
>>>>>>>>
>>>>>>>>
>>>>>>>> Checklist for reference:
>>>>>>>> [ ] Download links are valid.
>>>>>>>> [ ] Checksums and signatures.
>>>>>>>> [ ] LICENSE/NOTICE files exist
>>>>>>>> [ ] No unexpected binary files
>>>>>>>> [ ] Source files have ASF headers
>>>>>>>> [ ] Can compile from source
>>>>>>>>
>>>>>>>> To compile from the source, please refer to:
>>>>>>>> https://poi.apache.org/devel/index.html
>>>>>>>>
>>>>>>>> Some notes about verifying downloads can be found at:
>>>>>>>> https://poi.apache.org/download.html
>>>>>>>>
>>>>>>>> Here is my +1 (binding).
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> PJ Fanning (Apache POI PMC member)
>>>>>>>>
>>>>>>>>
>>>>>>>> ---------------------------------------------------------------------
>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
>>>>>>>> For additional commands, e-mail: dev-h...@poi.apache.org
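The thread argues two things about convergence checking: the `-Dverbose` tree output (Joep's message) is where the conflicting versions show up, and a check that fails a build on 2.24.2 versus 2.24.3 treats patch-level drift the same as a major-version change (PJ's objection). The following script, added here as an example and not code from the POI, XMLBeans or Tika projects, parses that verbose tree output and classifies each conflict by semantic-version distance, so a build can be made to fail on major or minor drift while tolerating patch-level drift. It goes beyond the single log4j-api case by handling any artifact in the tree. The sample input is constructed from the tree quoted above, the coordinate format `groupId:artifactId:type:version:scope` is assumed to be what `mvn dependency:tree` prints, and the policy thresholds and the lexicographic fallback for a missing resolved node are this example's own choices.

```python
"""Classify Maven dependency-convergence conflicts by semantic-version distance.

Added example, not code from the POI, XMLBeans or Tika projects. It parses the
text printed by `mvn dependency:tree -Dverbose` and, for each artifact that
resolves to one version while other versions were "omitted for conflict",
reports whether the versions differ at the major, minor or patch level.
"""
import re
from collections import defaultdict

# Constructed sample input: the verbose tree quoted in the thread, one node per
# line as Maven prints it.
SAMPLE_TREE = """\
[INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
[INFO] \\- org.apache.poi:poi-ooxml:jar:5.4.0:compile
[INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
[INFO]    |  \\- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
[INFO]    |  \\- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
[INFO]    \\- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
"""

# groupId:artifactId:type:version:scope (assumed dependency:tree format), optionally
# wrapped in parentheses with an "omitted for ..." note, which is what -Dverbose adds.
_COORD = re.compile(
    r"\(?(?P<group>[A-Za-z_][\w.\-]*):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)"
    r"(?:\s+-\s+omitted for (?P<reason>[^)]*))?\)?"
)

_SEVERITY = {"qualifier": 0, "patch": 1, "minor": 2, "major": 3}


def _numeric_parts(version):
    """Leading dot/dash-separated numeric components: '2.24.3' -> [2, 24, 3]."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return parts


def version_distance(a, b):
    """Return 'same', 'major', 'minor', 'patch' or 'qualifier' for two version strings."""
    if a == b:
        return "same"
    pa, pb = _numeric_parts(a), _numeric_parts(b)
    for i in range(max(len(pa), len(pb))):
        x = pa[i] if i < len(pa) else 0
        y = pb[i] if i < len(pb) else 0
        if x != y:
            return ("major", "minor", "patch")[i] if i < 3 else "qualifier"
    return "qualifier"  # same numbers; only a qualifier such as -SNAPSHOT or .M3 differs


def parse_tree(text):
    """Map (groupId, artifactId) -> {version: [reasons]} for every node in the tree."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = _COORD.search(line)
        if m:
            # An unparenthesised node is the version Maven actually selected.
            seen[(m["group"], m["artifact"])][m["version"]].append(m["reason"] or "resolved")
    return seen


def find_conflicts(text):
    """List artifacts seen with more than one version, with the worst semver distance."""
    conflicts = []
    for (group, artifact), versions in parse_tree(text).items():
        if len(versions) < 2:
            continue
        resolved = [v for v, reasons in versions.items() if "resolved" in reasons]
        # Fallback when no resolved node was captured is this example's assumption, not Maven's rule.
        chosen = resolved[0] if resolved else max(versions)
        others = sorted(v for v in versions if v != chosen)
        worst = max((version_distance(chosen, v) for v in others),
                    key=lambda level: _SEVERITY[level])
        conflicts.append({"artifact": f"{group}:{artifact}", "resolved": chosen,
                          "others": others, "level": worst})
    return conflicts


def violations(text, fail_on=("major", "minor")):
    """Conflicts that should fail the build under the given policy (default tolerates patch drift)."""
    return [c for c in find_conflicts(text) if c["level"] in fail_on]


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_TREE):
        print(f"{c['artifact']}: resolved {c['resolved']}, also requested "
              f"{c['others']} ({c['level']}-level difference)")
    print("build-failing conflicts:", violations(SAMPLE_TREE))
```

Run against the quoted tree it reports the log4j-api 2.24.2/2.24.3 pair as a patch-level difference and, under the default policy, no build-failing conflicts; the plexus-utils 3.4.1/3.5.1 and plexus-classworlds 2.6.0/2.8.0 pairs from Tim's enforcer output would be classified as minor-level and would fail. Pinning the chosen version in `dependencyManagement`, as Tim describes, is still the fix for the cases this reports; the script only decides which conflicts are worth that effort.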