How deep down the rabbit hole should the dependency checks normally go?
Looks like the big ones I was tracking with security updates were done.

johnzon 1.2.21
tomcat 9.0.81
bouncy castle 1.76

Still poking around a bit but there’s obviously a lot.

On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla <r...@apache.org> wrote:

> In theory, every committer can act as release manager.
>
> There are some steps in the process which require PMC karma, though
> (such as adding a key to the KEYS file, moving stuff to the release area
> on SVN, starting the VOTE, etc.).
>
> The process is documented here: [1]
>
> That being said:
>
> I am currently planning to start the release process for TomEE 9.1.1
> within this week. Due to the Tomcat security issues released yesterday,
> we need to do some backporting, which will consume additional time. (It
> just interrupted my preparations, so it needs additional CI / TCK
> cycles)
>
> A release usually consumes around 1-3 hours of work. Mostly because you
> have to wait for stuff being built or to run some basic sanity checks
> before starting and to not forget any step.
>
> What would really help for a TomEE 8.0.16 is to carefully re-check the
> current dependencies for important 3rd party dependencies (and update
> if needed. Note: Each update or bunch of updates shouldn't break the
> build. A full build on CI takes around 4-8 hours) on that branch, build
> it locally and conduct some sanity checks (for example: same lib in
> different versions in /lib -> check and fix) with the created
> tar.gz/zip files.
>
> This is one of the steps, which usually consumes a lot of time. If you
> want to give it a try, I am happy to help out for the steps which
> require PMC involvement. Otherwise, I might find some time in the next
> week to start a release of 8.0.16 - just let me know and I can plan my
> time accordingly ;-)
>
> Regards
> Richard
>
>
>
>
> [1] https://tomee.apache.org/dev/release-tomee.html
>
>
> On Tuesday, 10.10.2023 at 17:56 -0500, Jonathan S. Fisher wrote:
> > Jean-Louis, are there directions anywhere? Not promising anything :)
> >
> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
> > <jlmonte...@tomitribe.com> wrote:
> > >
> > > > Whoever is a committer can do it.
> > > >
> > > > I was just trying to give you an honest reply regarding my
> > > > availabilities and give visibility to the rest of the community
> > > > and the other committers at the same time.
> > >
> > > Hope it helps.
> > >
> > >
> > > > On Tue, Oct 10, 2023, 23:27, Jamie Johnson <jej2...@gmail.com> wrote:
> > >
> > > > > I’m not sure what that entails or who would go about doing it.
> > > > > Is it a community or contributor driven thing?
> > > >
> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
> > > > jlmonte...@tomitribe.com> wrote:
> > > >
> > > > > > I think most of the energy is currently on TomEE 9 and the new
> > > > > > TomEE 10. I've also noticed some Tomcat CVE today if I remember
> > > > > > correctly.
> > > > > >
> > > > > > I'm all hands on TomEE 10 currently because we need to fill the
> > > > > > feature gaps on all implementations. So speaking about myself,
> > > > > > not sure I can trigger a build and deliver the whole process in
> > > > > > the next couple of days or weeks.
> > > > >
> > > > > If someone can do it, I'm happy to review, test and vote on the
> > > > > release.
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > > >
> > > > >
> > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
> > > > > <jej2...@gmail.com> wrote:
> > > > >
> > > > > > > Is there a timeline for the release of 8.0.16? There are a
> > > > > > > few security issues associated with johnzon that we’d like
> > > > > > > to leverage while we migrate to a newer version of TomEE.
> > > > > >
> > > > >
> > > >
> >
> >
> >
>
>
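
The sanity check mentioned in the thread (the same lib in different versions in /lib of the built tar.gz/zip) can be scripted. The following is an added example, not part of the thread or of the TomEE release tooling; the `tomee/lib/` paths and the jar names in the sample listing are constructed, and the file-name split is a heuristic.

```python
"""Flag the same library shipped in different versions in one lib/ directory."""
import re
import sys
import tarfile
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

# Heuristic split: artifact name, then "-<version starting with a digit>.jar".
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def archive_members(path):
    """Return member paths of a .zip or .tar.gz without extracting anything."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return zf.namelist()
    with tarfile.open(path, "r:*") as tf:
        return tf.getnames()


def duplicate_libs(members):
    """Map (lib directory, artifact) -> sorted versions, for jars that sit
    directly in a directory named lib and occur in more than one version."""
    versions = defaultdict(set)
    for member in members:
        p = PurePosixPath(member)
        m = JAR_RE.match(p.name)
        if p.parent.name == "lib" and m:
            versions[(str(p.parent), m["artifact"])].add(m["version"])
    return {key: sorted(v) for key, v in versions.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed listing, used when no archive path is given on the command line.
    sample = [
        "tomee/lib/johnzon-core-1.2.21.jar",
        "tomee/lib/johnzon-core-1.2.19.jar",
        "tomee/lib/tomcat-catalina-9.0.81.jar",
        "tomee/lib/bcprov-jdk15to18-1.76.jar",
    ]
    members = archive_members(sys.argv[1]) if len(sys.argv) > 1 else sample
    dupes = duplicate_libs(members)
    for (lib_dir, artifact), found in sorted(dupes.items()):
        print(f"{lib_dir}: {artifact} present as {', '.join(found)}")
    sys.exit(1 if dupes else 0)  # non-zero exit lets a CI step fail on duplicates
```

Jars whose artifact name itself contains a `-<digit>` segment will be split in the wrong place, so treat a hit as a prompt to look at the directory, not as proof.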
