Y. Exactly.

On Wed, Jan 8, 2025 at 3:20 PM PJ Fanning <fannin...@gmail.com> wrote:
> The logs look like they come from Maven Enforcer and are based on the
> poms published to Maven Central.
>
> https://maven.apache.org/enforcer/enforcer-rules/dependencyConvergence.html
>
> On Wed, 8 Jan 2025 at 21:16, Dave Fisher <w...@apache.org> wrote:
> >
> > > On Jan 8, 2025, at 11:13 AM, Tim Allison <talli...@apache.org> wrote:
> > >
> > > Thank you, all. I'm sorry for the noise.
> > >
> > > As you all point out, these are not a POI or even XMLBeans issue, and
> > > provided should be, ahem, provided.
> > >
> > > We added convergence checks in Tika after an irate downstream user
> > > complained.
> >
> > Just curious if the irate user complaint was based on SBOMs? If so, were
> > they using CycloneDX generated by a Maven build, or SPDX from GitHub’s
> > Dependency graph Insights?
> >
> > > On Tika, we "fix" the convergence problems by specifying the
> > > most recent version in the dependencyManagement section of our parent pom.
> > > This relies on the hope of backward compatibility for the more recent
> > > version for a conflict, and it also relies on unit tests and large scale
> > > regression testing (along the lines of what PJ (or was it Dominik?)
> > > suggested).
> > >
> > > Again, many thanks!
> >
> > Best,
> > Dave
> >
> > > Cheers,
> > >
> > > Tim
> > >
> > > On Wed, Jan 8, 2025 at 12:41 PM Dominik Stadler
> > > <dominik.stad...@gmx.at.invalid> wrote:
> > >
> > >> Hi,
> > >>
> > >> To be honest, I also don't see too much value in applying such checks.
> > >> There will always be failures as soon as larger dependencies are added to a
> > >> project and it is nearly impossible to avoid it while at the same time
> > >> keeping dependencies up-to-date for fixing security issues.
> > >>
> > >> Dominik.
> > >>
> > >>
> > >> On Wed, Jan 8, 2025 at 4:09 PM PJ Fanning <fannin...@apache.org> wrote:
> > >>
> > >>> We won't be changing this for the release.
> > >>> I, personally, do not understand the use of strict dependency convergence
> > >>> checks. If you have a few dependencies and those dependencies have common
> > >>> transitive dependencies - you are almost guaranteed to have a convergence
> > >>> issue.
> > >>> Why should these tools not be intelligent enough to spot that log4j 2.24.2
> > >>> and 2.24.3 differ only at the patch level (semantic versioning)?
> > >>> For me, strict dependency convergence checks are a very poor substitute
> > >>> for users running acceptance tests when they want to change the versions of
> > >>> their dependencies.
> > >>> You should also strongly consider adding more dependencies in your builds
> > >>> so that you control the version of the jars explicitly instead of relying
> > >>> on the versions in your transitive dependencies. This would also make your
> > >>> dependency convergence checks happy.
> > >>>
> > >>>
> > >>>
> > >>> On 2025/01/08 14:47:10 Joep Weijers wrote:
> > >>>> Hi all,
> > >>>> Great to hear that 5.4.0 is almost released!
> > >>>> I tested the version out and did notice the following dependency convergence issue on
> > >>>> org.apache.logging.log4j:log4j-api:
> > >>>> (Small Maven quickstart archetype pom with a dependency on poi-ooxml 5.4.0,
> > >>>> running `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-api`)
> > >>>> [INFO] --- dependency:3.6.1:tree (default-cli) @ test-poi-ooxml ---
> > >>>> [INFO] com.topdesk.test:test-poi-ooxml:jar:1.0-SNAPSHOT
> > >>>> [INFO] \- org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>> [INFO]    +- org.apache.poi:poi:jar:5.4.0:compile
> > >>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
> > >>>> [INFO]    +- org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>> [INFO]    |  \- (org.apache.logging.log4j:log4j-api:jar:2.24.2:compile - omitted for conflict with 2.24.3)
> > >>>> [INFO]    \- org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
> > >>>> Not sure if you’d like to address this before release, but this would
> > >>>> make our build with the dependencyConvergence rule enabled in the Maven
> > >>>> enforcer plugin unhappy. For now I have fixed it by excluding the log4j-api
> > >>>> dependency from poi-ooxml.
> > >>>> Kind regards,
> > >>>> Joep Weijers
> > >>>>
> > >>>> On 2025/01/07 19:27:58 Tim Allison wrote:
> > >>>>> +1
> > >>>>>
> > >>>>> Apologies for my delay. Looks good.
> > >>>>>
> > >>>>> Confirmed src.tgz digest
> > >>>>> Built locally and ran tests
> > >>>>> Integrated with Tika's main branch.
> > >>>>>
> > >>>>> Thank you PJ, Dominik and team!
> > >>>>>
> > >>>>> P.S. I did notice some convergence issues. I don't think these are a
> > >>>>> showstopper...not clear if we should fix these in XMLBeans or let
> > >>>>> downstream users fix them in the next release.
> > >>>>>
> > >>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-settings:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-settings-builder:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
> > >>>>> [ERROR]             +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-repository-metadata:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-artifact:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.apache.maven:maven-resolver-provider:jar:3.9.9:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-model:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
> > >>>>> [ERROR]
> > >>>>> [ERROR]
> > >>>>> [ERROR] Dependency convergence error for org.codehaus.plexus:plexus-classworlds:jar:2.6.0 paths to dependency are:
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.eclipse.sisu:org.eclipse.sisu.plexus:jar:0.9.0.M3:runtime
> > >>>>> [ERROR]           +-org.codehaus.plexus:plexus-classworlds:jar:2.6.0:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-core:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > >>>>> [ERROR] and
> > >>>>> [ERROR] +-org.apache.tika:tika-parser-microsoft-module:jar:4.0.0-SNAPSHOT
> > >>>>> [ERROR]   +-org.apache.poi:poi-ooxml:jar:5.4.0:compile
> > >>>>> [ERROR]     +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
> > >>>>> [ERROR]       +-org.apache.maven:maven-plugin-api:jar:3.9.9:runtime
> > >>>>> [ERROR]         +-org.codehaus.plexus:plexus-classworlds:jar:2.8.0:runtime
> > >>>>>
> > >>>>>
> > >>>>> On Mon, Jan 6, 2025 at 4:56 PM PJ Fanning <fa...@apache.org> wrote:
> > >>>>>
> > >>>>>> We need at least 1 more review from a POI PMC member before we can
> > >>>>>> proceed. If anyone has time, it would be much appreciated.
> > >>>>>>
> > >>>>>>
> > >>>>>> On 2025/01/02 13:29:43 Dominik Stadler wrote:
> > >>>>>>> Hi,
> > >>>>>>>
> > >>>>>>> I tested the staged binaries with various projects and reviewed contents of
> > >>>>>>> the source-distribution. Also compilation from source did work. So
> > >>>>>>> everything fine as far as I see.
> > >>>>>>>
> > >>>>>>> I vote +1 for release!
> > >>>>>>>
> > >>>>>>> Thanks PJ for preparing the release! Dominik.
> > >>>>>>>
> > >>>>>>> On Sun, Dec 29, 2024 at 8:19 PM PJ Fanning <fa...@yahoo.com.invalid>
> > >>>>>>> wrote:
> > >>>>>>>
> > >>>>>>>> Hello POI Community,
> > >>>>>>>>
> > >>>>>>>> This is a call for a vote to release Apache POI version 5.4.0 (RC2).
> > >>>>>>>>
> > >>>>>>>> The discussion thread:
> > >>>>>>>> https://lists.apache.org/thread/4sd7p5z2cxp0l9wb2orw4n0gc9w348gw
> > >>>>>>>>
> > >>>>>>>> The release candidate:
> > >>>>>>>> https://dist.apache.org/repos/dist/dev/poi/5.4.0-RC2/
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> This release has been signed with a PGP key available here:
> > >>>>>>>> https://downloads.apache.org/poi/KEYS
> > >>>>>>>>
> > >>>>>>>> Release Notes:
> > >>>>>>>> https://dist.apache.org/repos/dist/dev/poi/RELEASE-NOTES-5.4.0.txt
> > >>>>>>>>
> > >>>>>>>> I will add the svn tag REL_5_4_0 if the vote passes.
> > >>>>>>>>
> > >>>>>>>> Svn commit ID: https://svn.apache.org/repos/asf/poi/trunk@1922754
> > >>>>>>>>
> > >>>>>>>> Please download, verify, and test.
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> We have also staged jars in the Apache Nexus Repository.
> > >>>>>>>> These were built with the same code as appears in this Source Release
> > >>>>>>>> Candidate.
> > >>>>>>>> We would appreciate if users could test with these too.
> > >>>>>>>>
> > >>>>>>>> If anyone finds any serious problems with these jars, please also notify
> > >>>>>>>> us on this thread.
> > >>>>>>>>
> > >>>>>>>> https://repository.apache.org/content/groups/staging/org/apache/poi/
> > >>>>>>>>
> > >>>>>>>> In gradle, you can add this repository.
> > >>>>>>>>
> > >>>>>>>> maven {
> > >>>>>>>>   url "https://repository.apache.org/content/groups/staging/"
> > >>>>>>>> }
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> The VOTE will pass if we have more positive votes than negative votes
> > >>>>>>>> and there must be a minimum of 3 approvals from POI PMC members.
> > >>>>>>>>
> > >>>>>>>> I will leave the vote open for at least a week.
> > >>>>>>>>
> > >>>>>>>> [ ] +1 approve
> > >>>>>>>> [ ] +0 no opinion
> > >>>>>>>> [ ] -1 disapprove with the reason
> > >>>>>>>>
> > >>>>>>>> To learn more about Apache POI, please see https://poi.apache.org/
> > >>>>>>>>
> > >>>>>>>>
> > >>>>>>>> Checklist for reference:
> > >>>>>>>> [ ] Download links are valid.
> > >>>>>>>> [ ] Checksums and signatures.
> > >>>>>>>> [ ] LICENSE/NOTICE files exist
> > >>>>>>>> [ ] No unexpected binary files
> > >>>>>>>> [ ] Source files have ASF headers
> > >>>>>>>> [ ] Can compile from source
> > >>>>>>>>
> > >>>>>>>> To compile from the source, please refer to:
> > >>>>>>>> https://poi.apache.org/devel/index.html
> > >>>>>>>>
> > >>>>>>>> Some notes about verifying downloads can be found at:
> > >>>>>>>> https://poi.apache.org/download.html
> > >>>>>>>>
> > >>>>>>>> Here is my +1 (binding).
> > >>>>>>>>
> > >>>>>>>> Thanks,
> > >>>>>>>> PJ Fanning (Apache POI PMC member)
> > >>>>>>>>
> > >>>>>>>> ---------------------------------------------------------------------
> > >>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
> > >>>>>>>> For additional commands, e-mail: dev-h...@poi.apache.org
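
Added example, not part of the thread and not code from POI, Tika or Maven Enforcer: a Python sketch that reads dependencyConvergence output in the format quoted above and reports, per artifact, the versions requested and the highest semantic-versioning field in which they differ, which is the distinction PJ asks about for log4j 2.24.2 and 2.24.3. The function names are hypothetical and the sample log is constructed (paths abridged from the thread; the log4j-api block is rewritten from the `dependency:tree` output into enforcer format).

```python
import re
HEADER = re.compile(r"convergence error for ([^:\s]+:[^:\s]+):")
NODE = re.compile(r"\+-([^:\s]+:[^:\s]+):[^:\s]+:([^:\s]+)")  # group:artifact, version
SEMVER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

# Constructed sample, abridged from the thread (see lead-in); not real build output.
SAMPLE_LOG = """\
[ERROR] Dependency convergence error for org.codehaus.plexus:plexus-utils:jar:3.5.1 paths to dependency are:
[ERROR] +-org.apache.maven:maven-model:jar:3.9.9:runtime
[ERROR]   +-org.codehaus.plexus:plexus-utils:jar:3.5.1:runtime
[ERROR] and
[ERROR] +-org.codehaus.plexus:plexus-sec-dispatcher:jar:2.0:runtime
[ERROR]   +-org.codehaus.plexus:plexus-utils:jar:3.4.1:runtime
[ERROR] Dependency convergence error for org.apache.logging.log4j:log4j-api:jar:2.24.3 paths to dependency are:
[ERROR] +-org.apache.poi:poi:jar:5.4.0:compile
[ERROR]   +-org.apache.logging.log4j:log4j-api:jar:2.24.3:compile
[ERROR] and
[ERROR] +-org.apache.xmlbeans:xmlbeans:jar:5.3.0:compile
[ERROR]   +-org.apache.logging.log4j:log4j-api:jar:2.24.2:compile
"""

def parse_convergence(log):
    """Map each conflicting group:artifact to the set of versions requested."""
    found, current = {}, None
    for line in log.splitlines():
        if m := HEADER.search(line):
            current = m.group(1)
        elif (m := NODE.search(line)) and m.group(1) == current:
            found.setdefault(current, set()).add(m.group(2))
    return found

def drift(versions):
    """Highest semver field that differs across the requested versions."""
    parsed = [SEMVER.match(v) for v in versions]
    if not all(parsed):
        return "unknown"  # non-numeric version scheme: needs a human look
    nums = [tuple(int(x or 0) for x in m.groups()) for m in parsed]
    for i, level in enumerate(("major", "minor", "patch")):
        if len({n[i] for n in nums}) > 1:
            return level
    return "qualifier"  # same numbers, e.g. only -SNAPSHOT differs

def report(log):
    return {ga: (sorted(vs), drift(vs)) for ga, vs in parse_convergence(log).items()}

if __name__ == "__main__":
    for ga, (versions, level) in report(SAMPLE_LOG).items():
        print(f"{ga}: {', '.join(versions)} -> {level} drift")
```

A report like this separates conflicts that a `dependencyManagement` pin can settle with little risk from minor or major drift, where the regression testing mentioned in the thread carries the weight.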