I believe its only xalan required, and not xerces as well. What's the rationale for the -1?
We'd like to release 7.0.4, and the community appears to want a release based on feedback we have seen on the users list. Changing the jstlel library appears to be not-entirely-trivial (unless someone better than me wants to give some pointers). I'd like to try it, but I don't want it to drag on for ages and hold up a release. We already established that we'd like this to work out the box without requiring the user to add anything earlier in this thread. So, how do we want to proceed? The other option appears to be picking up an updated version of the glassfish library we had before. Jon On 14 Sep 2017 13:26, "Mark Struberg" <strub...@yahoo.de.invalid> wrote: > +1 to NOT have a hard xalan and xerces dependency. > Usually we don't need it but use the version which is packaged within the > JRE. > It should really remain optional pretty please. > > LieGrue, > strub > > > > Am 31.08.2017 um 16:25 schrieb Romain Manni-Bucau <rmannibu...@gmail.com > >: > > > > Hmm, shout if wrong but think you misunderstood the "optional" in my > > sentence. I meant we patch trunk to remove the adherence to xalan. > > > > > > Romain Manni-Bucau > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > <https://blog-rmannibucau.rhcloud.com> | Old Blog > > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > rmannibucau> | > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > > <https://javaeefactory-rmannibucau.rhcloud.com> > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore < > jonathan.gallim...@gmail.com> > > : > > > >> Thanks Romain. That is definitely the simplest path - xalan is already > >> marked as an optional dependency, so we wouldn't need to do anything. > From > >> a compliance perspective, where would this leave us? Wouldn't we need > this > >> to work out of the box without adding libraries to be compliant? If it > >> doesn't affect us in that respect, then I think we're probably good to > go. > >> > >> Jon > >> > >> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau < > rmannibu...@gmail.com > >>> > >> wrote: > >> > >>> Hi Jon > >>> > >>> there is another thread on it (probably on user@) > >>> > >>> I think we should just make xalan optional in the lib and upgrade. > >>> > >>> > >>> Romain Manni-Bucau > >>> @rmannibucau <https://twitter.com/rmannibucau> | Blog > >>> <https://blog-rmannibucau.rhcloud.com> | Old Blog > >>> <http://rmannibucau.wordpress.com> | Github <https://github.com/ > >>> rmannibucau> | > >>> LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > >>> <https://javaeefactory-rmannibucau.rhcloud.com> > >>> > >>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore < > >>> jonathan.gallim...@gmail.com> > >>> : > >>> > >>>> Correction - that should be: "CDDL or GPL with classpath exception". > >>>> > >>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore < > >>>> jonathan.gallim...@gmail.com> wrote: > >>>> > >>>>> Great question. CDDL _or_ GPL, by the look of it. > >>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as > >> JAXB > >>> I > >>>>> believe. > >>>>> > >>>>> Jon > >>>>> > >>>>> > >>>>> > >>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro < > >>>>> jlmonte...@tomitribe.com> wrote: > >>>>> > >>>>>> What is the licence for GlassFish one? > >>>>>> > >>>>>> Le 31 août 2017 12:38, "Jonathan Gallimore" < > >>>> jonathan.gallim...@gmail.com > >>>>>>> > >>>>>> a écrit : > >>>>>> > >>>>>>> Hi > >>>>>>> > >>>>>>> On master we shifted from openejb-jstl to > >> taglibs-standard-jstlel. I > >>>>>> have > >>>>>>> done the same on the 1.7.x branch, specifically to move on from > >> the > >>>> old > >>>>>>> openejb-jstl (looking at > >>>>>>> https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The > >>>>>>> taglibs-standard-jstlel > >>>>>>> library does seem to depend on xalan, which we currently do not > >>>> include > >>>>>> in > >>>>>>> TomEE. > >>>>>>> > >>>>>>> The impact is that some XML functions in JSP code does not work, > >> for > >>>>>>> example: > >>>>>>> > >>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml"; %> > >>>>>>> > >>>>>>> <x:parse var="movies"> > >>>>>>> <movies> > >>>>>>> <movie id="1" name="Wedding Crashers" director="David > >> Dobkin" > >>>>>>> genre="Comedy" rating="7" year="2005" /> > >>>>>>> <movie id="2" name="Starsky & Hutch" director="Todd > >>>> Phillips" > >>>>>>> genre="Action" rating="6" year="2004" /> > >>>>>>> <movie id="3" name="Shanghai Knights" director="David > >> Dobkin" > >>>>>>> genre="Action" rating="6" year="2003" /> > >>>>>>> <movie id="4" name="I-Spy" director="Betty Thomas" > >>>>>> genre="Adventure" > >>>>>>> rating="5" year="2002" /> > >>>>>>> <movie id="5" name="The Royal Tenenbaums" director="Wes > >>>> Anderson" > >>>>>>> genre="Comedy" rating="8" year="2001" /> > >>>>>>> <movie id="6" name="Zoolander" director="Ben Stiller" > >>>>>> genre="Comedy" > >>>>>>> rating="6" year="2001" /> > >>>>>>> <movie id="7" name="Shanghai Noon" director="Tom Dey" > >>>>>> genre="Comedy" > >>>>>>> rating="7" year="2000" /> > >>>>>>> </movies> > >>>>>>> </x:parse> > >>>>>>> > >>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" > >> /><br > >>>> /> > >>>>>>> > >>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath > >>>>>> (this on > >>>>>>> both 1.7.x and master) > >>>>>>> > >>>>>>> Including Xalan does fix this, but its a 3MB dependency. > >>>>>>> > >>>>>>> The alternative is to use org.glassfish.web:javax. > >> servlet.jsp.jstl > >>>>>>> instead, > >>>>>>> which I have tested and seems to work. Anyone have any thoughts? > >>>>>>> > >>>>>>> Jon > >>>>>>> > >>>>>> > >>>>> > >>>>> > >>>> > >>> > >> > > > . >
