How deep down the rabbit hole should the dependency checks normally go? Looks like the big ones I was tracking with security updates were done.
johnzon 1.2.21
tomcat 9.0.81
bouncy castle 1.76

Still poking around a bit but there’s obviously a lot.

On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla <r...@apache.org> wrote:

> In theory, every committer can act as release manager.
>
> There are some steps in the process which require PMC karma, though
> (such as adding a key to the KEYS file, moving stuff to the release area
> on SVN, start the VOTE, etc.).
>
> The process is documented here: [1]
>
> That being said:
>
> I am currently planning to start the release process for TomEE 9.1.1
> within this week. Due to the Tomcat security issues released yesterday,
> we need to do some backporting, which will consume additional time. (It
> just interrupted my preparations, so it needs additional CI / TCK
> cycles)
>
> A release usually consumes around 1-3 hours of work. Mostly because you
> have to wait for stuff being built or to run some basic sanity checks
> before starting and to not forget any step.
>
> What would really help for a TomEE 8.0.16 is to carefully re-check the
> current dependencies for important 3rd party dependencies (and update
> if needed. Note: Each update or bunch of updates shouldn't break the
> build. A full build on CI takes around 4-8 hours) on that branch, build
> it locally and conduct some sanity checks (for example: same lib in
> different versions in /lib -> check and fix) with the created
> tar.gz/zip files.
>
> This is one of the steps which usually consumes a lot of time. If you
> want to give it a try, I am happy to help out for the steps which
> require PMC involvement. Otherwise, I might find some time in the next
> week to start a release of 8.0.16 - just let me know and I can plan my
> time accordingly ;-)
>
> Regards
> Richard
>
> [1] https://tomee.apache.org/dev/release-tomee.html
>
> On Tuesday, 10.10.2023 at 17:56 -0500, Jonathan S. Fisher wrote:
> > Jean-Louis, are there directions anywhere? Not promising anything :)
> >
> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
> > <jlmonte...@tomitribe.com> wrote:
> >
> > > Whoever is a committer can do it.
> > >
> > > I was just trying to give you an honest reply regarding my
> > > availabilities and give visibility to the rest of the community
> > > and the other committers at the same time.
> > >
> > > Hope it helps.
> > >
> > > On Tue, Oct 10, 2023, 23:27, Jamie Johnson <jej2...@gmail.com>
> > > wrote:
> > >
> > > > I’m not sure what that entails or who would go about doing it.
> > > > Is it a community or contributor driven thing?
> > > >
> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro
> > > > <jlmonte...@tomitribe.com> wrote:
> > > >
> > > > > I think most of the energy is currently on TomEE 9 and the new
> > > > > TomEE 10. I've also noticed some Tomcat CVE today if I
> > > > > remember correctly.
> > > > >
> > > > > I'm all hands on TomEE 10 currently because we need to fill
> > > > > the feature gaps on all implementations. So speaking about
> > > > > myself, not sure I can trigger a build and deliver the whole
> > > > > process in the next couple of days or weeks.
> > > > >
> > > > > If someone can do it, I'm happy to review, test and vote on
> > > > > the release.
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > > >
> > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
> > > > > <jej2...@gmail.com> wrote:
> > > > >
> > > > > > Is there a timeline for the release of 8.0.16? There are a
> > > > > > few security issues associated with johnzon that we’d like
> > > > > > to leverage while we migrate to a newer version of TomEE.
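
The "/lib" sanity check mentioned in the thread (the same library shipped in different versions inside the built zip), sketched as an added example; it is not part of the original messages or TomEE's own tooling. It handles the zip only, assumes Maven-style `name-version.jar` file names, and the archive contents below are constructed.

```python
import io
import re
import zipfile
from collections import defaultdict

# Split "name-1.2.3[-qualifier].jar" into artifact and version. The version is
# assumed to start at the first "-<digit>" (heuristic for Maven-style names).
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def duplicate_libs(archive):
    """Return {artifact: sorted versions} for jars present in more than one
    version in the distribution's top-level lib/ directory."""
    versions = defaultdict(set)
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            parts = name.split("/")
            # Accept "lib/x.jar" and "<dist-root>/lib/x.jar" only; nested
            # directories such as a webapp's WEB-INF/lib are ignored.
            if len(parts) not in (2, 3) or parts[-2] != "lib":
                continue
            m = JAR_RE.match(parts[-1])
            if m:  # jars without a version in the file name are skipped
                versions[m["artifact"]].add(m["version"])
    return {a: sorted(v) for a, v in versions.items() if len(v) > 1}


def build_sample_zip():
    """Constructed stand-in for a distribution zip (layout and names made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in (
            "apache-tomee-sample/lib/johnzon-core-1.2.21.jar",
            "apache-tomee-sample/lib/johnzon-core-1.2.19.jar",
            "apache-tomee-sample/lib/bcprov-jdk15to18-1.76.jar",
            "apache-tomee-sample/lib/tomcat-util.jar",
            "apache-tomee-sample/webapps/app/WEB-INF/lib/bcprov-jdk15to18-1.70.jar",
        ):
            zf.writestr(path, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for artifact, found in duplicate_libs(build_sample_zip()).items():
        print(f"{artifact}: {', '.join(found)}")
```

Pass the path of a locally built zip to `duplicate_libs` in place of the sample; an empty result means no versioned jar appears twice in `lib/`.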