I don't think we really do or we ever did. -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com
On Mon, Jul 9, 2018 at 11:39 AM, Romain Manni-Bucau <[email protected]> wrote: > I trust you Jon that it was broken in 7.0.4, but it is not OK to keep it. > This particular dep can just be drop (so easy fix). > > The java-support issue is more impacting and was completely missed in last > release cycles (guess we dont test saml?) > > Romain Manni-Bucau > @rmannibucau <https://twitter.com/rmannibucau> | Blog > <https://rmannibucau.metawerx.net/> | Old Blog > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > rmannibucau> | > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > <https://www.packtpub.com/application-development/java- > ee-8-high-performance> > > > Le lun. 9 juil. 2018 à 11:35, Jonathan Gallimore < > [email protected]> a écrit : > > > I will note that I am of course happy to either: > > > > a) track down why that is now included, and remove it if appropriate > > b) modify the license/notice files as appropriate > > > > and re-roll. > > > > A note on dependencies - there a is legal report in the original post > which > > should contain all the details for review. The following dependencies > have > > been upgraded since 7.0.4: > > > > Tomcat => 8.5.30 > > CXF => 3.1.15 > > Johnzon => 1.0.1 > > OWB => 1.7.5 > > XBean => 4.9 > > XmlSchema core => 2.2.3 > > > > No other libraries have changed, but I do suggest you verify for yourself > > (I have the zips for both 7.0.4 and 7.0.5 in a diff viewer here). > > > > Jon > > > > On Mon, Jul 9, 2018 at 10:27 AM, Jonathan Gallimore < > > [email protected]> wrote: > > > > > That library was also present in 7.0.4 Plus. > > > > > > Jon > > > > > > On Mon, Jul 9, 2018 at 10:01 AM, Romain Manni-Bucau < > > [email protected] > > > > wrote: > > > > > >> Hi, > > >> > > >> It seems we bundle javax.xml.soap-api-1.3.5.jar now in plus flavor > > (guess > > >> it is a "leak" due to some dep upgrade), its license is CDDL+GPL1.1. I > > >> didn't see the notice/license work done. Was it intended or as I'm > > >> thinking > > >> a silent transitive issue? > > >> > > >> Romain Manni-Bucau > > >> @rmannibucau <https://twitter.com/rmannibucau> | Blog > > >> <https://rmannibucau.metawerx.net/> | Old Blog > > >> <http://rmannibucau.wordpress.com> | Github < > > >> https://github.com/rmannibucau> | > > >> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > >> <https://www.packtpub.com/application-development/java-ee-8- > > >> high-performance> > > >> > > >> > > >> Le lun. 9 juil. 2018 à 10:55, Jean-Louis Monteiro < > > >> [email protected]> > > >> a écrit : > > >> > > >> > +1 > > >> > > > >> > Build ok > > >> > Small demo and test applications running. > > >> > > > >> > -- > > >> > Jean-Louis Monteiro > > >> > http://twitter.com/jlouismonteiro > > >> > http://www.tomitribe.com > > >> > > > >> > On Mon, Jul 9, 2018 at 9:57 AM, Alex The Rocker < > [email protected] > > > > > >> > wrote: > > >> > > > >> > > Hello, > > >> > > > > >> > > +1 (non binding) > > >> > > > > >> > > Used this 7.0.5 release candidate to deploy 15+ different web apps > > >> > > (including one on Windows, all others on Linux) using very > different > > >> > > aspects of Java EE. > > >> > > All running with ORACLE Server JRE 8 update 172. > > >> > > And got no regression as far as we're checking tests results. > > >> > > > > >> > > But if there's another 7.0.5 build + vote cycle, then upgrading > > Tomcat > > >> > > dependency to Tomcat 8.5.32 (instead of Tomcat 8.5.30 part of this > > >> > > vote cycle) would be nice to include this security fix: > > >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014 > > >> > > > > >> > > Kind regards, > > >> > > Alexandre > > >> > > > > >> > > > > >> > > 2018-07-04 10:33 GMT+02:00 Jonathan Gallimore < > > >> > > [email protected]>: > > >> > > > Hi Everyone, > > >> > > > > > >> > > > Here is the initial roll of TomEE 7.0.5. Please can you take a > > look > > >> and > > >> > > > vote? Everyone, committer or not, is encouraged to test and > vote. > > >> > > > > > >> > > > Staging repo: > > >> > > > https://repository.apache.org/content/repositories/orgapache > > >> tomee-1113 > > >> > > > > > >> > > > Source zip: > > >> > > > /org/apache/tomee/tomee-project/7.0.5/tomee-project-7. > > >> > > 0.5-source-release.zip > > >> > > > <https://repository.apache.org/service/local/ > > >> > > repositories/orgapachetomee-1113/content/org/apache/tomee/ > > >> > > tomee-project/7.0.5/tomee-project-7.0.5-source-release.zip> > > >> > > > > > >> > > > Dist area: > > >> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/ > > >> > > > > > >> > > > Legal: > > >> > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/legal.zip > > >> > > > > > >> > > > Keys: > > >> > > > https://dist.apache.org/repos/dist/release/tomee/KEYS > > >> > > > > > >> > > > Changelog: > > >> > > > https://issues.apache.org/jira/browse/TOMEE-2175?jql= > > >> > > > project%20%3D%20TOMEE%20AND%20(status%20%3D%20Resolved% > > >> > > > 20OR%20status%20%3D%20CLOSED)%20AND%20fixVersion%20%3D%207. > > >> > > > 0.5%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC > > >> > > > > > >> > > > (If anyone knows a better way to get that list, let me know ;-) > ) > > >> > > > > > >> > > > Please vote: > > >> > > > +1: Release > > >> > > > -1 Do not release because ... > > >> > > > > > >> > > > The vote will be open for 3 days or the consensus is binding (At > > >> least > > >> > 3 > > >> > > > binding votes). > > >> > > > > > >> > > > Many thanks > > >> > > > > > >> > > > Jon > > >> > > > > >> > > > >> > > > > > > > > >
