On Mon, Jul 9, 2018 at 11:44, Jonathan Gallimore <[email protected]> wrote:
> I'm happy to re-roll without that library.
>
> I don't know what the CXF/SAML issue is - I am happy to have a go at fixing
> it if there is some detail somewhere (pointers appreciated).

IIRC java-support.jar is used by cxf to impl saml support but depends on guava and we don't want to provide it so we excluded it but then it can be used :(.

> Is this a regression, or are we looking to improve something?

Was reported against the 7.0.4 but 7.0.5 has the same issue.

> If my opinion counts for anything, I'd suggest we re-roll without
> the javax.xml.soap-api-1.3.5.jar dependency, as that should be
> straightforward, and I'll happily volunteer to fix the CXF/SAML issue
> and roll a 7.0.6 to deliver it to the community when done (along with any
> other fixes). I'd like to see a speedup in our releases and am happy to
> work on getting us there.

Works for me. Thanks a lot Jon.

> Jon
>
> On Mon, Jul 9, 2018 at 10:39 AM, Romain Manni-Bucau <[email protected]> wrote:
>
> > I trust you Jon that it was broken in 7.0.4, but it is not OK to keep it.
> > This particular dep can just be dropped (so easy fix).
> >
> > The java-support issue is more impacting and was completely missed in last
> > release cycles (guess we don't test saml?)
> >
> > Romain Manni-Bucau
> > @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >
> > On Mon, Jul 9, 2018 at 11:35, Jonathan Gallimore <[email protected]> wrote:
> >
> > > I will note that I am of course happy to either:
> > >
> > > a) track down why that is now included, and remove it if appropriate
> > > b) modify the license/notice files as appropriate
> > >
> > > and re-roll.
> > >
> > > A note on dependencies - there is a legal report in the original post which
> > > should contain all the details for review. The following dependencies have
> > > been upgraded since 7.0.4:
> > >
> > > Tomcat => 8.5.30
> > > CXF => 3.1.15
> > > Johnzon => 1.0.1
> > > OWB => 1.7.5
> > > XBean => 4.9
> > > XmlSchema core => 2.2.3
> > >
> > > No other libraries have changed, but I do suggest you verify for yourself
> > > (I have the zips for both 7.0.4 and 7.0.5 in a diff viewer here).
> > >
> > > Jon
> > >
> > > On Mon, Jul 9, 2018 at 10:27 AM, Jonathan Gallimore <[email protected]> wrote:
> > >
> > > > That library was also present in 7.0.4 Plus.
> > > >
> > > > Jon
> > > >
> > > > On Mon, Jul 9, 2018 at 10:01 AM, Romain Manni-Bucau <[email protected]> wrote:
> > > >
> > > >> Hi,
> > > >>
> > > >> It seems we bundle javax.xml.soap-api-1.3.5.jar now in plus flavor (guess
> > > >> it is a "leak" due to some dep upgrade), its license is CDDL+GPL1.1. I
> > > >> didn't see the notice/license work done. Was it intended or as I'm thinking
> > > >> a silent transitive issue?
> > > >>
> > > >> Romain Manni-Bucau
> > > >>
> > > >> On Mon, Jul 9, 2018 at 10:55, Jean-Louis Monteiro <[email protected]> wrote:
> > > >>
> > > >> > +1
> > > >> >
> > > >> > Build ok
> > > >> > Small demo and test applications running.
> > > >> >
> > > >> > --
> > > >> > Jean-Louis Monteiro
> > > >> > http://twitter.com/jlouismonteiro
> > > >> > http://www.tomitribe.com
> > > >> >
> > > >> > On Mon, Jul 9, 2018 at 9:57 AM, Alex The Rocker <[email protected]> wrote:
> > > >> >
> > > >> > > Hello,
> > > >> > >
> > > >> > > +1 (non binding)
> > > >> > >
> > > >> > > Used this 7.0.5 release candidate to deploy 15+ different web apps
> > > >> > > (including one on Windows, all others on Linux) using very different
> > > >> > > aspects of Java EE.
> > > >> > > All running with ORACLE Server JRE 8 update 172.
> > > >> > > And got no regression as far as we're checking tests results.
> > > >> > >
> > > >> > > But if there's another 7.0.5 build + vote cycle, then upgrading Tomcat
> > > >> > > dependency to Tomcat 8.5.32 (instead of Tomcat 8.5.30 part of this
> > > >> > > vote cycle) would be nice to include this security fix:
> > > >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014
> > > >> > >
> > > >> > > Kind regards,
> > > >> > > Alexandre
> > > >> > >
> > > >> > > 2018-07-04 10:33 GMT+02:00 Jonathan Gallimore <[email protected]>:
> > > >> > > > Hi Everyone,
> > > >> > > >
> > > >> > > > Here is the initial roll of TomEE 7.0.5. Please can you take a look and
> > > >> > > > vote? Everyone, committer or not, is encouraged to test and vote.
> > > >> > > >
> > > >> > > > Staging repo:
> > > >> > > > https://repository.apache.org/content/repositories/orgapachetomee-1113
> > > >> > > >
> > > >> > > > Source zip:
> > > >> > > > /org/apache/tomee/tomee-project/7.0.5/tomee-project-7.0.5-source-release.zip
> > > >> > > > <https://repository.apache.org/service/local/repositories/orgapachetomee-1113/content/org/apache/tomee/tomee-project/7.0.5/tomee-project-7.0.5-source-release.zip>
> > > >> > > >
> > > >> > > > Dist area:
> > > >> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/
> > > >> > > >
> > > >> > > > Legal:
> > > >> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/legal.zip
> > > >> > > >
> > > >> > > > Keys:
> > > >> > > > https://dist.apache.org/repos/dist/release/tomee/KEYS
> > > >> > > >
> > > >> > > > Changelog:
> > > >> > > > https://issues.apache.org/jira/browse/TOMEE-2175?jql=project%20%3D%20TOMEE%20AND%20(status%20%3D%20Resolved%20OR%20status%20%3D%20CLOSED)%20AND%20fixVersion%20%3D%207.0.5%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC
> > > >> > > >
> > > >> > > > (If anyone knows a better way to get that list, let me know ;-) )
> > > >> > > >
> > > >> > > > Please vote:
> > > >> > > > +1: Release
> > > >> > > > -1 Do not release because ...
> > > >> > > >
> > > >> > > > The vote will be open for 3 days or the consensus is binding (At least 3
> > > >> > > > binding votes).
> > > >> > > >
> > > >> > > > Many thanks
> > > >> > > >
> > > >> > > > Jon
