Can we do this without creating a new git repo? Creating a separate new repo gives a different message than what we intend it to be.

It would be great if we could do this directly in SVN :)

Regards
Carsten

On 28.02.2024 10:52, Robert Munteanu wrote:
Hi Jörg

On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
Hi Robert,

makes sense.

To clarify: We just provide this final version of commons.json as a
convenience for all users who are still depending on commons.json; but
there is no intention to continue development of commons.json or to
re-introduce this dependency again into other areas of Sling.


There is no intention to use this again in any other modules, add it to
the Starter, etc. We will keep the code deprecated. At the same time,
we may choose to apply fixes for the reported CVEs, if those are
already available upstream, and cut a new release.

Thanks,
Robert


Correct?

Jörg


On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <
romb...@apache.org> wrote:

Hi,

A long time ago we retired the commons.json module for legal reasons
[1], leaving it only in the SVN attic [2].

After some time a CVE was reported against this module [3] which we
could not fix as we could not release new versions.

In the meantime, the JSON library we have been using has changed its
license to 'Public domain', which makes it acceptable for use at the
ASF. [4]

I would like to create a GitHub repository for this module and include
the current state from the attic. This opens up the way for creating a
final service release, allowing consumers of this bundle that have not
cleaned up their usages to use non-vulnerable versions.

I will leave this thread open for comments for 72 hours.

Thanks,
Robert


[1]:
https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
[2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
[3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
[4]: https://issues.apache.org/jira/browse/LEGAL-666
--
Carsten Ziegeler
Adobe
cziege...@apache.org