Hi Richard,

I vote (non-binding) for option B, i.e. releasing a TomEE 7.1.5 with patched CVEs and announcing that this will be the last one of the 7.1.x series and that users must have a plan to migrate to 8.0.x (or 9.0.x when it'll be released).
Thanks,
Alex

On Tue, 2 Aug 2022 at 20:19, Richard Zowalla <[email protected]> wrote:
>
> Hi all,
>
> thanks for the thread, JL! Sorry, a bit longer than anticipated ;)
>
> As promised in the other thread, I took a look at the grype scan results. While there are many false positives (mostly related to the Geronimo specs and ActiveMQ), there are indeed some CVEs of interest:
>
> - cxf
> - tomcat (will be fixed in the next tomcat release)
> - xmlsec (should most likely be possible to update)
> - jackson-databind (should most likely be possible to update)
>
> Imho, the most important ones originate from cxf 3.1.18 for which we won't get patches anymore, i.e. we would need to fork, backport the relevant CVE fixes and release it as a shaded dependency within TomEE.
>
> I think the main issue arises from the fact that we never communicated or announced some sort of EOL statement for any of the older branches (1.7.x, 7.0.x or 7.1.x) like it is done for example for Tomcat [1].
>
> The silent reader or the wise developer will know that no release within the last two years most certainly means eol for the respective series, but there will be a (perhaps rather small) community of people waiting for a release while running with their vulnerable TomEE for the last years.
>
> Therefore, I see the following options (no ordering, no preferences, just a listing):
>
> ####
>
> ## Option (A)
>
> We decide to do a release without patching the known CXF CVEs and announce the EOL of the 7.1.x series in a similar manner as it is done in Tomcat [1].
>
> In this announcement, we state that security vulnerability reports will not be checked against the 7.1.x branch, bugs affecting only the 7.1.x branch will not be addressed and releases of the 7.1.x branch are highly unlikely. After a certain grace period, we remove the 7.1.x download links, the documentation from the website and the artifacts from the cdn. Note that all 7.1.x releases will always be available from the archive.
>
> ## Option (B)
>
> We decide to do a release, patch the known CXF CVEs by forking CXF and release it as a shaded dependency within TomEE. Subsequently, we announce the EOL of the 7.1.x series similar to option (A).
>
> ## Option (C)
>
> We decide that 7.1.4 from 2020 was the final release of the 7.1.x series. Subsequently, we announce the EOL of the 7.1.x series similar to option (A).
>
> ## Option (D)
>
> We don't release a new version of the 7.1.x series and do not announce any sort of EOL statement (status quo). We agree to not put much effort into the 7.1.x series and stop maintaining it.
>
> ## Option (E)
>
> We don't release a new version of the 7.1.x series and do not announce any sort of EOL statement (status quo). We agree to not put much effort into the 7.1.x series and stop maintaining it. To avoid user confusion, we remove the download links, the documentation and the artifacts from the cdn, but all 7.1.x releases will always be available from the archive.
>
> ## Option (F) – (Z)
>
> » Your Input Here «
>
> ####
>
> Perhaps there are other options as well, but those are the ones which directly came to my mind while thinking about it. A similar discussion needs to be done for 1.7.x and 7.0.x if we find some consensus for the 7.1.x series.
>
> I am a bit torn in this discussion. On the one hand, I am thinking: "Hey, we somehow 'owe' the community one last release before declaring it eol and stop maintaining it". On the other hand, this rationale could also be used as an excuse to ask for a "last" 7.0.x or a "last" 1.7.x.
>
> I agree that releasing a TomEE 7.1.5 with known CXF vulnerabilities isn't really desirable and we cannot maintain 3rd party libs indefinitely. We might be better off investing resources in 8.0.x and a stable 9.0.x release in order to later shift our attention to EE10 ;)
>
> Regards
> Richard
>
> [1] https://tomcat.apache.org/tomcat-80-eol.html
>
> On Tuesday, 02.08.2022 at 16:07 +0200, Jean-Louis Monteiro wrote:
> > Hi all,
> >
> > Don't want to hijack the other thread, so starting a new one based on the discussion.
> >
> > > I don't think releasing a "last 7.1.x" version with CVEs would be of any good
> >
> > I join Alex on this one. Does it really make sense to release a TomEE app server with known CVEs?
> >
> > I'm not arguing on the grype output and the validity or not of the report. But overall, we do have EOL libraries in there and we know we won't get patches even for CVEs for CXF and other libraries.
> >
> > > @Alex Thanks. We might not be able to address all CVEs as some of the libs used for EE7 aren't patched / updated anymore. I will have a look.
> >
> > This is also your point Richard.
> >
> > Based on this, does it mean we should call 7.1.x EOL and stop producing releases?
> > The path to TomEE 8.x is pretty straightforward and backward compatible, so it's not like moving from 8.x to 9.x.
> >
> > What do you think?
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > ---------- Forwarded message ---------
> > From: Zowalla, Richard <[email protected]>
> > Date: Tue, Aug 2, 2022 at 3:48 PM
> > Subject: [CANCEL] [VOTE] Apache TomEE 7.1.5
> > To: [email protected] <[email protected]>
> >
> >
> > Hi,
> >
> > thanks for the concerns raised. Better to check the CVE report and do a re-roll ;-)
> >
> > @JL: Will take a look.
> >
> > @Alex Thanks. We might not be able to address all CVEs as some of the libs used for EE7 aren't patched / updated anymore. I will have a look.
> >
> > Regards
> > Richard
> > ________________________________
> > From: Jean-Louis Monteiro <[email protected]>
> > Sent: Tuesday, 2 August 2022 15:30:31
> > To: [email protected]
> > Subject: Re: [VOTE] Apache TomEE 7.1.5
> >
> > -1 (binding)
> >
> > Something went bad during the release. Looks like our libs are still 1.7.5-SNAPSHOT.
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker <[email protected]> wrote:
> >
> > > Hello,
> > >
> > > [-1] (non binding)
> > >
> > > Indeed, I downloaded the TomEE+ 7.1.5 binary (from https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz ) and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s archive extract directory.
> > >
> > > That gives 2 Critical and 125 High CVEs (see attached Grype output for this scan).
> > >
> > > I agree with whoever will say that Grype isn't quite smart, but nevertheless the world is now paranoid with security matters.
> > >
> > > I don't think releasing a "last 7.1.x" version with CVEs would be of any good, so if Grype's output is all false positives, then at least we need a statement to avoid confusion in this page: https://tomee.apache.org/security/tomee.html
> > >
> > > Please also note in the attached Grype output the Warning lines related to archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow malformed MANIFEST?
> > >
> > > Thanks,
> > > Alex
> > >
> > > On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <[email protected]> wrote:
> > > > Hi all,
> > > >
> > > > this is a first attempt at a vote for a release of Apache TomEE 7.1.5
> > > >
> > > > It is a maintenance release with some bug fixes and dependency upgrades for which there was some interest on the list.
> > > >
> > > > Yet, a discussion, if this will be the last release of the 7.1.x series, is pending.
> > > >
> > > > Here is some info:
> > > >
> > > > Maven Repo:
> > > > https://repository.apache.org/content/repositories/orgapachetomee-1206
> > > >
> > > > <repositories>
> > > >   <repository>
> > > >     <id>tomee-7.1.5-release-test</id>
> > > >     <name>Testing TomEE 7.1.5 release candidate</name>
> > > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1206</url>
> > > >   </repository>
> > > > </repositories>
> > > >
> > > > Binaries & Source:
> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
> > > >
> > > > Tag:
> > > > https://github.com/apache/tomee/tree/tomee-project-7.1.5
> > > >
> > > > Latest (green) CI/CD build:
> > > > https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
> > > >
> > > > Release notes:
> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
> > > >
> > > > Here is an adoc generated version of the changelog as well:
> > > >
> > > > == Dependency upgrade
> > > >
> > > > [.compact]
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959] jackson 2.12.0
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941] ActiveMQ 5.16.5
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772] JUnit 4.13.2
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979] MyFaces 2.2.14
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016] Myfaces 2.2.15
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958] Tomcat 8.5.61
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017] Tomcat 8.5.81
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939] bcprov-jdk15on 1.67
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719] commons-io 2.8
> > > >
> > > > == Bug
> > > >
> > > > [.compact]
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919] java.util.ConcurrentModificationException error deploying ear in TomEE Plus 7.1.4
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968] Postgres connection error when a password contains "}"
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125] Datasource config: MaxWait, timeBetweenEvictionRunsMillis and MinEvictableIdleTimeMillis are ignored
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718] Missing mime mappings
> > > >
> > > > == Improvement
> > > >
> > > > [.compact]
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957] Fix OWASP Checks on ASF Jenkins Environment
> > > > - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973] TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of commons-lang3
> > > >
> > > > Please VOTE
> > > >
> > > > [+1] go ship it
> > > > [+0] meh, don't care
> > > > [-1] stop, there is a ${showstopper}
> > > >
> > > > The VOTE is open for 72h or as long as needed.
> > > >
> > > > Regards
> > > > Richard
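The thread above turns on a grype report with 2 Critical and 125 High findings, many of which Richard identifies as false positives (Geronimo spec jars, ActiveMQ). The following is an added example, not code from the thread or from the TomEE project, of how a release gate can triage such a report: it reads grype's JSON output, counts findings by severity, applies a suppression list in which every false positive is tied to a specific artifact and CVE with a written justification, and fails only on unsuppressed Critical/High findings. It assumes grype's JSON layout of `matches[].vulnerability.{id,severity}` and `matches[].artifact.{name,version}` (check this against the grype version in use); the embedded report and its `CVE-0000-000N` ids are constructed placeholders, not real advisories.

```python
"""Triage a grype JSON report: count findings by severity, apply a reviewed
suppression list, and decide whether a release candidate passes a gate.

Added example for the TomEE 7.1.5 release discussion; not project code.
Assumption: grype JSON exposes matches[].vulnerability.{id,severity} and
matches[].artifact.{name,version}.
"""
import json
from collections import Counter

# Constructed sample in grype's JSON shape. The CVE ids are placeholders,
# not real advisories; artifact names mirror the kinds of libraries the
# thread discusses (cxf, Geronimo specs, ActiveMQ, commons-io).
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
         "artifact": {"name": "cxf-rt-transports-http", "version": "3.1.18"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
         "artifact": {"name": "geronimo-jaspic_1.0_spec", "version": "1.1"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"},
         "artifact": {"name": "activemq-client", "version": "5.16.5"}},
        {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"},
         "artifact": {"name": "commons-io", "version": "2.8.0"}},
    ]
})

# A suppression names the artifact AND the CVE and carries a justification,
# so that calling something a false positive is an explicit, reviewable
# decision rather than a blanket ignore of a whole library.
SUPPRESSIONS = {
    ("geronimo-jaspic_1.0_spec", "CVE-0000-0002"):
        "API-only spec jar matched by name; vulnerable implementation absent",
}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def load_matches(report_json):
    """Return a list of (artifact, version, cve, severity) tuples."""
    data = json.loads(report_json)
    rows = []
    for m in data.get("matches", []):
        vuln = m.get("vulnerability", {})
        art = m.get("artifact", {})
        rows.append((art.get("name", "?"), art.get("version", "?"),
                     vuln.get("id", "?"), vuln.get("severity", "Unknown")))
    return rows


def triage(rows, suppressions):
    """Split matches into open findings and suppressed ones (with reason)."""
    open_findings, suppressed = [], []
    for name, version, cve, severity in rows:
        reason = suppressions.get((name, cve))
        if reason is None:
            open_findings.append((name, version, cve, severity))
        else:
            suppressed.append((name, version, cve, severity, reason))
    return open_findings, suppressed


def severity_counts(rows):
    """Count findings by severity, e.g. {'Critical': 2, 'High': 125}."""
    return Counter(r[3] for r in rows)


def gate(open_findings, fail_on=("Critical", "High")):
    """True when no unsuppressed finding at or above the threshold remains."""
    return not any(r[3] in fail_on for r in open_findings)


def summarize(report_json, suppressions=SUPPRESSIONS):
    """Raw and post-suppression severity counts plus the gate verdict."""
    rows = load_matches(report_json)
    open_findings, suppressed = triage(rows, suppressions)
    return {
        "raw": dict(severity_counts(rows)),
        "open": dict(severity_counts(open_findings)),
        "suppressed": len(suppressed),
        "passes": gate(open_findings),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for sev in SEVERITY_ORDER:
        if sev in result["raw"]:
            print(f"{sev:<10} raw={result['raw'][sev]} "
                  f"open={result['open'].get(sev, 0)}")
    print("suppressed:", result["suppressed"], "| gate passes:", result["passes"])
```

On the constructed sample the gate fails, because the cxf Critical and the ActiveMQ High remain open after the one justified suppression; that is the property a vote on a release candidate wants to see, rather than the raw count alone. In a real pipeline the report would come from `grype dir:<extracted-archive> -o json` and the suppression table would live in version control next to the release checklist, so the "false positive" decisions the thread mentions are recorded and re-checked on the next scan.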
