+1 to NOT have a hard xalan and xerces dependency. Usually we don't need it but use the version which is packaged within the JRE. It should really remain optional pretty please.
LieGrue, strub > Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <rmannibu...@gmail.com>: > > Hmm, shout if wrong but think you misunderstood the "optional" in my > sentence. I meant we patch trunk to remove the adherence to xalan. > > > Romain Manni-Bucau > @rmannibucau <https://twitter.com/rmannibucau> | Blog > <https://blog-rmannibucau.rhcloud.com> | Old Blog > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > <https://javaeefactory-rmannibucau.rhcloud.com> > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <jonathan.gallim...@gmail.com> > : > >> Thanks Romain. That is definitely the simplest path - xalan is already >> marked as an optional dependency, so we wouldn't need to do anything. From >> a compliance perspective, where would this leave us? Wouldn't we need this >> to work out of the box without adding libraries to be compliant? If it >> doesn't affect us in that respect, then I think we're probably good to go. >> >> Jon >> >> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <rmannibu...@gmail.com >>> >> wrote: >> >>> Hi Jon >>> >>> there is another thread on it (probably on user@) >>> >>> I think we should just make xalan optional in the lib and upgrade. >>> >>> >>> Romain Manni-Bucau >>> @rmannibucau <https://twitter.com/rmannibucau> | Blog >>> <https://blog-rmannibucau.rhcloud.com> | Old Blog >>> <http://rmannibucau.wordpress.com> | Github <https://github.com/ >>> rmannibucau> | >>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory >>> <https://javaeefactory-rmannibucau.rhcloud.com> >>> >>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore < >>> jonathan.gallim...@gmail.com> >>> : >>> >>>> Correction - that should be: "CDDL or GPL with classpath exception". >>>> >>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore < >>>> jonathan.gallim...@gmail.com> wrote: >>>> >>>>> Great question. CDDL _or_ GPL, by the look of it. >>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as >> JAXB >>> I >>>>> believe. >>>>> >>>>> Jon >>>>> >>>>> >>>>> >>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro < >>>>> jlmonte...@tomitribe.com> wrote: >>>>> >>>>>> What is the licence for GlassFish one? >>>>>> >>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" < >>>> jonathan.gallim...@gmail.com >>>>>>> >>>>>> a écrit : >>>>>> >>>>>>> Hi >>>>>>> >>>>>>> On master we shifted from openejb-jstl to >> taglibs-standard-jstlel. I >>>>>> have >>>>>>> done the same on the 1.7.x branch, specifically to move on from >> the >>>> old >>>>>>> openejb-jstl (looking at >>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The >>>>>>> taglibs-standard-jstlel >>>>>>> library does seem to depend on xalan, which we currently do not >>>> include >>>>>> in >>>>>>> TomEE. >>>>>>> >>>>>>> The impact is that some XML functions in JSP code does not work, >> for >>>>>>> example: >>>>>>> >>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml"; %> >>>>>>> >>>>>>> <x:parse var="movies"> >>>>>>> <movies> >>>>>>> <movie id="1" name="Wedding Crashers" director="David >> Dobkin" >>>>>>> genre="Comedy" rating="7" year="2005" /> >>>>>>> <movie id="2" name="Starsky & Hutch" director="Todd >>>> Phillips" >>>>>>> genre="Action" rating="6" year="2004" /> >>>>>>> <movie id="3" name="Shanghai Knights" director="David >> Dobkin" >>>>>>> genre="Action" rating="6" year="2003" /> >>>>>>> <movie id="4" name="I-Spy" director="Betty Thomas" >>>>>> genre="Adventure" >>>>>>> rating="5" year="2002" /> >>>>>>> <movie id="5" name="The Royal Tenenbaums" director="Wes >>>> Anderson" >>>>>>> genre="Comedy" rating="8" year="2001" /> >>>>>>> <movie id="6" name="Zoolander" director="Ben Stiller" >>>>>> genre="Comedy" >>>>>>> rating="6" year="2001" /> >>>>>>> <movie id="7" name="Shanghai Noon" director="Tom Dey" >>>>>> genre="Comedy" >>>>>>> rating="7" year="2000" /> >>>>>>> </movies> >>>>>>> </x:parse> >>>>>>> >>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" >> /><br >>>> /> >>>>>>> >>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath >>>>>> (this on >>>>>>> both 1.7.x and master) >>>>>>> >>>>>>> Including Xalan does fix this, but its a 3MB dependency. >>>>>>> >>>>>>> The alternative is to use org.glassfish.web:javax. >> servlet.jsp.jstl >>>>>>> instead, >>>>>>> which I have tested and seems to work. Anyone have any thoughts? >>>>>>> >>>>>>> Jon >>>>>>> >>>>>> >>>>> >>>>> >>>> >>> >> .
