Hi all,

thanks for the thread, JL! Sorry, a bit longer than anticipated ;)

As promised in the other thread, I took a look at the grype scan
results. While there are many false positives (mostly related to the
Geronimo specs and ActiveMQ), there are indeed some CVEs of interest:

- cxf
- tomcat (will be fixed in the next tomcat release)
- xmlsec (should most likely be possible to update)
- jackson-databind (should most likely be possible to update)

Imho, the most important ones originate from cxf 3.1.18 for which we
won’t get patches anymore, i.e. we would need to fork, backport the
relevant CVE fixes and release it as shaded dependency within TomEE. 

I think the main issue arises from the fact that we never communicated
or announced any sort of EOL statement for any of the older branches
(1.7.x, 7.0.x or 7.1.x), as is done for example for Tomcat [1].

The silent reader or the wise developer will know that no release
within the last two years most certainly means eol for the respective
series, but there will be a (perhaps rather small) community of people
waiting for a release while running with their vulnerable TomEE for
the last years.

Therefore, I see the following options (no ordering, no preferences,
just a listing):

####

## Option (A)

We decide to do a release without patching the known CXF CVEs and
announce the EOL of the 7.1.x series in a similar manner as it is done in
Tomcat [1].

In this announcement, we state that security vulnerability reports will
not be checked against the 7.1.x branch, bugs affecting only the 7.1.x
branch will not be addressed and releases of the 7.1.x branch are
highly unlikely. After a certain grace period, we remove the 7.1.x
download links, the documentation from the website and the artifacts
from the cdn. Note that all 7.1.x releases will always be available
from the archive.

## Option (B)

We decide to do a release, patch the known CXF CVEs by forking CXF and
release it as shaded dependency within TomEE. Subsequently, we announce
the EOL of the 7.1.x series similar to option (A).

## Option (C)

We decide that 7.1.4 from 2020 was the final release of the 7.1.x
series. Subsequently, we announce the EOL of the 7.1.x series similar to
option (A).

## Option (D)

We don’t release a new version of the 7.1.x series and do not announce
any sort of EOL statement (status quo). We agree to not put much effort
into the 7.1.x series and stop maintaining it.

## Option (E)

We don’t release a new version of the 7.1.x series and do not announce
any sort of EOL statement (status quo). We agree to not put much effort
into the 7.1.x series and stop maintaining it. To avoid user confusion,
we remove the download links, the documentation and the artifacts from
the cdn, but all 7.1.x releases will always be available from the
archive.

## Option (F) – (Z)

» Your Input Here « 
 
####

Perhaps there are other options as well, but those are the ones that
directly came to my mind while thinking about it. A similar
discussion needs to happen for 1.7.x and 7.0.x if we find some
consensus for the 7.1.x series.

I am a bit torn in this discussion. On the one hand, I am
thinking: “Hey, we somehow “owe” the community one last release before
declaring it eol and stopping maintenance”. On the other hand, this
rationale could also be used as an excuse to ask for a “last” 7.0.x or a
“last” 1.7.x.

I agree that releasing a TomEE 7.1.5 with known CXF vulnerabilities
isn’t really desirable and we cannot maintain 3rd party libs
indefinitely. We might be better off investing resources in 8.0.x and a
stable 9.0.x release in order to later shift our attention to EE10 ;)

Gruß
Richard



[1] https://tomcat.apache.org/tomcat-80-eol.html
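A triage of the grype output along the lines Richard describes above (drop the known false-positive matches, group what remains by jar, and separate "upstream is EOL, fork and backport" from "just update"), as an added example that is not part of the original thread. The input is a constructed sample in the shape of grype's `-o json` output; the false-positive and unmaintained prefix lists and the placeholder CVE ids are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of grype's JSON output (grype -o json):
# matches[].vulnerability.{id,severity,fix.state} and matches[].artifact.{name,version}.
# CVE ids are placeholders, not real advisories.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical", "fix": {"state": "not-fixed"}},
     "artifact": {"name": "cxf-core", "version": "3.1.18"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High", "fix": {"state": "fixed"}},
     "artifact": {"name": "jackson-databind", "version": "2.12.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "High", "fix": {"state": "fixed"}},
     "artifact": {"name": "geronimo-jms_2.0_spec", "version": "1.0"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": "Medium", "fix": {"state": "fixed"}},
     "artifact": {"name": "tomcat-catalina", "version": "8.5.81"}},
]})

# Assumed triage lists for this scan: spec/API jars that grype matches against the
# implementation's CVEs (false positives), and artifacts whose upstream is EOL.
FALSE_POSITIVE_PREFIXES = ("geronimo-",)
UNMAINTAINED_PREFIXES = ("cxf-",)
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0}


def triage(grype_json: str, min_severity: str = "High") -> dict:
    """Group grype matches by artifact, drop known false positives and matches below
    min_severity, and tag each remaining artifact with the action it needs."""
    data = json.loads(grype_json)
    by_artifact = defaultdict(list)
    for match in data.get("matches", []):
        name, version = match["artifact"]["name"], match["artifact"]["version"]
        if name.startswith(FALSE_POSITIVE_PREFIXES):
            continue
        severity = match["vulnerability"].get("severity", "Unknown")
        if SEVERITY_RANK.get(severity, 0) < SEVERITY_RANK[min_severity]:
            continue
        by_artifact[(name, version)].append(match["vulnerability"])
    report = {}
    for (name, version), vulns in by_artifact.items():
        if name.startswith(UNMAINTAINED_PREFIXES):
            action = "fork-and-backport"      # upstream EOL: no patched release to pick up
        elif all(v.get("fix", {}).get("state") == "fixed" for v in vulns):
            action = "upgrade"                # every CVE has a fixed upstream version
        else:
            action = "investigate"            # unfixed or unknown: needs a human look
        report[f"{name}:{version}"] = {"cves": sorted(v["id"] for v in vulns), "action": action}
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_GRYPE_JSON), indent=2))
```

Pipe a real scan in with `grype dir:apache-tomee-plus-7.1.5 -o json` and the same function applies; the allowlists are what need to be maintained per branch.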


On Tuesday, 02.08.2022 at 16:07 +0200, Jean-Louis Monteiro wrote:
> Hi all,
> 
> Don't want to hijack the other thread, so starting a new one based on
> the
> discussion.
> 
> > I don't think releasing a "last 7.1.x" version with CVEs would be of
> > any good
> 
> I join Alex on this one. Does it really make sense to release a TomEE
> app
> server with known CVEs?
> 
> I'm not arguing on the grype output and the validity or not of the
> report.
> But overall, we do have EOL libraries in there and we know we won't
> get
> patches even for CVEs for CXF and other libraries.
> 
> > @Alex Thanks. We might not be able to address all CVEs as some of the
> > libs used for EE7 aren't patched / updated anymore. I will have a look.
> 
> This is also your point Richard.
> 
> Based on this, does it mean we should call 7.1.x EOL and stop
> producing
> releases?
> The path to TomEE 8.x is pretty straightforward and backward
> compatible so
> it's not like moving from 8.x to 9.x.
> 
> What do you think?
> 
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> ---------- Forwarded message ---------
> From: Zowalla, Richard <[email protected]>
> Date: Tue, Aug 2, 2022 at 3:48 PM
> Subject: [CANCEL] [VOTE] Apache TomEE 7.1.5
> To: [email protected] <[email protected]>
> 
> 
> Hi,
> 
> thanks for the concerns raised. Better to check the CVE report and do
> a
> re-roll ;-)
> 
> @JL: Will take a look.
> 
> @Alex Thanks. We might not be able to address all CVEs as some of the
> libs
> used for EE7 aren't patched / updated anymore. I will have a look.
> 
> Gruß
> Richard
> ________________________________
> From: Jean-Louis Monteiro <[email protected]>
> Sent: Tuesday, 2 August 2022 15:30:31
> To: [email protected]
> Subject: Re: [VOTE] Apache TomEE 7.1.5
> 
> -1 (binding)
> 
> Something went bad during the release. Looks like our libs are still
> 1.7.5-SNAPSHOT.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker <[email protected]>
> wrote:
> 
> > Hello,
> > 
> > [-1] (non binding)
> > 
> > Indeed, I downloaded TomEE+ 7.1.5 binary (from
> > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz)
> > and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s
> > archive extract directory.
> > 
> > That gives 2 Critical and 125 High CVEs (see attached Grype output
> > for
> > this scan).
> > 
> > I agree with whoever will say that Grype isn't quite smart, but
> > nevertheless the world is now paranoid with security matters.
> > 
> > I don't think releasing a "last 7.1.x" version with CVEs would be
> > of
> > any good, so Grype's output is all false positive, then at least we
> > need a statement to avoid confusion in this page:
> > https://tomee.apache.org/security/tomee.html
> > 
> > Please also note in attached Grype output the Warning lines related to
> > archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow
> > malformed MANIFEST?
> > 
> > Thanks,
> > Alex
> > 
> > On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <[email protected]> wrote:
> > > Hi all,
> > > 
> > > this is a first attempt at a vote for a release of Apache TomEE
> > > 7.1.5
> > > 
> > > It is a maintenance release with some bug fixes and dependency
> > > upgrades for which there was some interest on the list.
> > > 
> > > Yet, a discussion on whether this will be the last release of the 7.1.x
> > > series is pending.
> > > 
> > > Here is some info:
> > > 
> > > Maven Repo:
> > > https://repository.apache.org/content/repositories/orgapachetomee-1206
> > > 
> > >   <repositories>
> > >     <repository>
> > >       <id>tomee-7.1.5-release-test</id>
> > >       <name>Testing TomEE 7.1.5 release candidate</name>
> > >       <url>https://repository.apache.org/content/repositories/orgapachetomee-1206</url>
> > >     </repository>
> > >   </repositories>
> > > 
> > > 
> > > Binaries & Source:
> > > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
> > > 
> > > Tag:
> > > https://github.com/apache/tomee/tree/tomee-project-7.1.5
> > > 
> > > Latest (green) CI/CD build:
> > > 
> > > https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
> > > 
> > > Release notes:
> > > 
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
> > > 
> > > Here is an adoc generated version of the changelog as well:
> > > 
> > > 
> > > == Dependency upgrade
> > > 
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959] jackson 2.12.0
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941] ActiveMQ 5.16.5
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772] JUnit 4.13.2
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979] MyFaces 2.2.14
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016] Myfaces 2.2.15
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958] Tomcat 8.5.61
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017] Tomcat 8.5.81
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939] bcprov-jdk15on 1.67
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719] commons-io 2.8
> > > 
> > > == Bug
> > > 
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919] java.util.ConcurrentModificationException error deploying ear in TomEE Plus 7.1.4
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968] Postgres connection error when a password contains "}"
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125] Datasource config: MaxWait, timeBetweenEvictionRunsMillis and MinEvictableIdleTimeMillis are ignored
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718] Missing mime mappings
> > > 
> > > == Improvement
> > > 
> > > [.compact]
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957] Fix OWASP Checks on ASF Jenkins Environment
> > >  - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973] TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of commons-lang3
> > > 
> > > Please VOTE
> > > 
> > > [+1] go ship it
> > > [+0] meh, don't care
> > > [-1] stop, there is a ${showstopper}
> > > 
> > > The VOTE is open for 72h or as long as needed.
> > > 
> > > Gruß
> > > Richard
> > > 
