The list doesn't allow attachments, so maybe add it as plain text (or put it into a gist)

Regards
Richard

On 22 October 2023 21:48:22 CEST, "Jonathan S. Fisher" <jfis...@apache.org> wrote:
>Attached! Thank you!
>
>On Sat, Oct 21, 2023 at 7:42 PM Richard Zowalla <rich...@zowalla.com> wrote:
>>
>> Just send it in the required ASCII armored format via your apache mail (or
>> via the web UI on lists.apache.org after login).
>>
>> I can take care of it.
>>
>>
>> On 22 October 2023 01:05:53 CEST, "Jonathan S. Fisher"
>> <exabr...@gmail.com> wrote:
>> >Richard thanks. Anyone on this thread able to add me to the KEYS file?
>> >I'd like to give this a roll :)
>> >
>> >cheers,
>> >
>> >
>> >On Thu, Oct 19, 2023 at 7:12 AM Jamie Johnson <jej2...@gmail.com> wrote:
>> >>
>> >> Just checking in on this. Anything the community can do to facilitate the
>> >> release?
>> >>
>> >> On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla <rich...@zowalla.com>
>> >> wrote:
>> >>
>> >> > Hi,
>> >> >
>> >> > see https://tomee.apache.org/dev/release-tomee.html
>> >> >
>> >> > Might be beneficial to join the ASF slack with your apache.org mail.
>> >> >
>> >> > Starting the VOTE, moving artifacts to release area as well as updating
>> >> > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC
>> >> > member.
>> >> >
>> >> > Regards
>> >> > Richard
>> >> >
>> >> > On 17 October 2023 15:50:33 CEST, "Jonathan S. Fisher"
>> >> > <exabr...@gmail.com> wrote:
>> >> > >-----BEGIN PGP SIGNED MESSAGE-----
>> >> > >Hash: SHA512
>> >> > >
>> >> > >ello other TomEE committers :)
>> >> > >
>> >> > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is
>> >> > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to
>> >> > >prove I have control of my key.
>> >> > >
>> >> > >Thank you!
>> >> > >-----BEGIN PGP SIGNATURE-----
>> >> > >
>> >> > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP
>> >> > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY
>> >> > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib
>> >> > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg==
>> >> > >=d0gl
>> >> > >-----END PGP SIGNATURE-----
>> >> > >
>> >> > >
>> >> > >
>> >> > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson <jej2...@gmail.com>
>> >> > >wrote:
>> >> > >>
>> >> > >> Looks like tomcat 9.0.82 was released!
>> >> > >>
>> >> > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson <jej2...@gmail.com>
>> >> > >> wrote:
>> >> > >>
>> >> > >> > Looks right to me as well. Thanks Richard!
>> >> > >> >
>> >> > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla
>> >> > >> > <rich...@zowalla.com> wrote:
>> >> > >> >
>> >> > >> >> I think we are running into
>> >> > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664
>> >> > >> >>
>> >> > >> >> This requires 9.0.82 to become available.
>> >> > >> >>
>> >> > >> >> They are already voting:
>> >> > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j
>> >> > >> >>
>> >> > >> >> After 9.0.82 becomes available, we are most likely in a good
>> >> > >> >> shape to start a release
>> >> > >> >>
>> >> > >> >> Regards
>> >> > >> >> Richard
>> >> > >> >>
>> >> > >> >> On 11 October 2023 18:14:09 CEST, Richard Zowalla
>> >> > >> >> <rich...@zowalla.com> wrote:
>> >> > >> >> >It seems the Tomcat upgrade breaks some connection pool related
>> >> > >> >> >tests.
>> >> > >> >> >
>> >> > >> >> >I guess we need to check our integration code to fix it:
>> >> > >> >> >https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/
>> >> > >> >> >
>> >> > >> >> >So if anyone wants to dig, feel free.
>> >> > >> >> >
>> >> > >> >> >
>> >> > >> >> >
>> >> > >> >> >On 11 October 2023 16:56:27 CEST, Jamie Johnson
>> >> > >> >> ><jej2...@gmail.com> wrote:
>> >> > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/)
>> >> > >> >> >>that can be addressed, but need to be reviewed. The format below
>> >> > >> >> >>is dependency current_version (fix_version).
>> >> > >> >> >>
>> >> > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13)
>> >> > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj (4.5.13),
>> >> > >> >> >>GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5)
>> >> > >> >> >>
>> >> > >> >> >>xalan:xalan 2.7.2 (2.7.3)
>> >> > >> >> >>GHSA-9339-86wc-4qgf (2.7.3)
>> >> > >> >> >>
>> >> > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0)
>> >> > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22),
>> >> > >> >> >>GHSA-h436-432x-8fvx (1.16), GHSA-crv7-7245-f45f (1.21),
>> >> > >> >> >>GHSA-mc84-pj99-q6hh (1.21), GHSA-7hfm-57qf-j43q (1.21),
>> >> > >> >> >>GHSA-cgwf-w82q-5jrr (1.24.0)
>> >> > >> >> >>
>> >> > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217)
>> >> > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c
>> >> > >> >> >>(9.4.51.v20230217)
>> >> > >> >> >>
>> >> > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53)
>> >> > >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53)
>> >> > >> >> >>
>> >> > >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53)
>> >> > >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53)
>> >> > >> >> >>
>> >> > >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0)
>> >> > >> >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq (2.9.2),
>> >> > >> >> >>GHSA-mjmq-gwgm-5qhm (2.10.0)
>> >> > >> >> >>
>> >> > >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9)
>> >> > >> >> >>GHSA-4jrv-ppp4-jm57 (2.8.9)
>> >> > >> >> >>
>> >> > >> >> >>org.webjars:handlebars 1.2.1 (4.7.7)
>> >> > >> >> >>GHSA-f2jv-r9rf-7988 (4.7.7)
>> >> > >> >> >>
>> >> > >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2)
>> >> > >> >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2)
>> >> > >> >> >>
>> >> > >> >> >>
>> >> > >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson
>> >> > >> >> >><jej2...@gmail.com> wrote:
>> >> > >> >> >>
>> >> > >> >> >>> How deep down the rabbit hole should the dependency checks
>> >> > >> >> >>> normally go? Looks like the big ones I was tracking with
>> >> > >> >> >>> security updates were done.
>> >> > >> >> >>>
>> >> > >> >> >>> johnzon 1.2.21
>> >> > >> >> >>> tomcat 9.0.81
>> >> > >> >> >>> bouncy castle 1.76
>> >> > >> >> >>>
>> >> > >> >> >>> Still poking around a bit but there’s obviously a lot.
>> >> > >> >> >>>
>> >> > >> >> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla
>> >> > >> >> >>> <r...@apache.org> wrote:
>> >> > >> >> >>>
>> >> > >> >> >>>> In theory, every committer can act as release manager.
>> >> > >> >> >>>>
>> >> > >> >> >>>> There are some steps in the process, which require PMC
>> >> > >> >> >>>> karma, though (such as adding a key to the KEYS file, moving
>> >> > >> >> >>>> stuff to the release area on SVN, start the VOTE, etc.).
>> >> > >> >> >>>>
>> >> > >> >> >>>> The process is documented here: [1]
>> >> > >> >> >>>>
>> >> > >> >> >>>> That being said:
>> >> > >> >> >>>>
>> >> > >> >> >>>> I am currently planning to start the release process for
>> >> > >> >> >>>> TomEE 9.1.1 within this week. Due to the Tomcat security
>> >> > >> >> >>>> issues released yesterday, we need to do some backporting,
>> >> > >> >> >>>> which will consume additional time. (It just interrupted my
>> >> > >> >> >>>> preparations, so it needs additional CI / TCK cycles)
>> >> > >> >> >>>>
>> >> > >> >> >>>> A release usually consumes around 1-3 hours of work.
>> >> > >> >> >>>> Mostly because you have to wait for stuff being built or to
>> >> > >> >> >>>> run some basic sanity checks before starting and to not
>> >> > >> >> >>>> forget any step.
>> >> > >> >> >>>>
>> >> > >> >> >>>> What would really help for a TomEE 8.0.16 is to carefully
>> >> > >> >> >>>> re-check the current dependencies for important 3rd party
>> >> > >> >> >>>> dependencies (and update if needed. Note: Each update or
>> >> > >> >> >>>> bunch of updates shouldn't break the build. A full build on
>> >> > >> >> >>>> CI takes around 4-8 hours) on that branch, build it locally
>> >> > >> >> >>>> and conduct some sanity checks (for example: same lib in
>> >> > >> >> >>>> different versions in /lib -> check and fix) with the created
>> >> > >> >> >>>> tar.gz/zip files.
>> >> > >> >> >>>>
>> >> > >> >> >>>> This is one of the steps, which usually consumes a lot of
>> >> > >> >> >>>> time. If you want to give it a try, I am happy to help out
>> >> > >> >> >>>> for the steps which require PMC involvement. Otherwise, I
>> >> > >> >> >>>> might find some time in the next week to start a release of
>> >> > >> >> >>>> 8.0.16 - just let me know and I can plan my time
>> >> > >> >> >>>> accordingly ;-)
>> >> > >> >> >>>>
>> >> > >> >> >>>> Regards
>> >> > >> >> >>>> Richard
>> >> > >> >> >>>>
>> >> > >> >> >>>>
>> >> > >> >> >>>> [1] https://tomee.apache.org/dev/release-tomee.html
>> >> > >> >> >>>>
>> >> > >> >> >>>>
>> >> > >> >> >>>> On Tuesday, 10.10.2023 at 17:56 -0500, Jonathan S. Fisher
>> >> > >> >> >>>> wrote:
>> >> > >> >> >>>> > Jean-Louis, are there directions anywhere?
>> >> > >> >> >>>> > Not promising anything :)
>> >> > >> >> >>>> >
>> >> > >> >> >>>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
>> >> > >> >> >>>> > <jlmonte...@tomitribe.com> wrote:
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > > Whoever is a committer can do it.
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > > I was just trying to give you an honest reply regarding
>> >> > >> >> >>>> > > my availabilities and give visibility to the rest of the
>> >> > >> >> >>>> > > community and the other committers at the same time.
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > > Hope it helps.
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > > On Tue, 10 Oct 2023, 23:27, Jamie Johnson
>> >> > >> >> >>>> > > <jej2...@gmail.com> wrote:
>> >> > >> >> >>>> > >
>> >> > >> >> >>>> > > > I’m not sure what that entails or who would go about
>> >> > >> >> >>>> > > > doing it. Is it a community or contributor driven
>> >> > >> >> >>>> > > > thing?
>> >> > >> >> >>>> > > >
>> >> > >> >> >>>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro
>> >> > >> >> >>>> > > > <jlmonte...@tomitribe.com> wrote:
>> >> > >> >> >>>> > > >
>> >> > >> >> >>>> > > > > I think most of the energy is currently on TomEE 9
>> >> > >> >> >>>> > > > > and the new TomEE 10.
>> >> > >> >> >>>> > > > > I've also noticed some Tomcat CVE today if I remember
>> >> > >> >> >>>> > > > > correctly.
>> >> > >> >> >>>> > > > >
>> >> > >> >> >>>> > > > > I'm all hands on TomEE 10 currently because we need
>> >> > >> >> >>>> > > > > to fill the feature gaps on all implementations.
>> >> > >> >> >>>> > > > > So speaking about myself, not sure I can trigger a
>> >> > >> >> >>>> > > > > build and deliver the whole process in the next
>> >> > >> >> >>>> > > > > couple of days or weeks.
>> >> > >> >> >>>> > > > >
>> >> > >> >> >>>> > > > > If someone can do it, I'm happy to review, test and
>> >> > >> >> >>>> > > > > vote on the release.
>> >> > >> >> >>>> > > > > --
>> >> > >> >> >>>> > > > > Jean-Louis Monteiro
>> >> > >> >> >>>> > > > > http://twitter.com/jlouismonteiro
>> >> > >> >> >>>> > > > > http://www.tomitribe.com
>> >> > >> >> >>>> > > > >
>> >> > >> >> >>>> > > > >
>> >> > >> >> >>>> > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
>> >> > >> >> >>>> > > > > <jej2...@gmail.com> wrote:
>> >> > >> >> >>>> > > > >
>> >> > >> >> >>>> > > > > > Is there a timeline for the release of 8.0.16?
>> >> > >> >> >>>> > > > > > There are a few security issues associated with
>> >> > >> >> >>>> > > > > > johnzon that we’d like to leverage while we
>> >> > >> >> >>>> > > > > > migrate to a newer version of TomEE.
>> >> > >> >> >>>> > > > > >
>> >> > >
>> >> > >
>> >> > >--
>> >> > >Jonathan | exabr...@gmail.com
>> >> > >Pessimists, see a jar as half empty. Optimists, in contrast, see it as
>> >> > >half full.
>> >> > >Engineers, of course, understand the glass is twice as big as it needs
>> >> > >to be.
>> >> >
>> >
>> >
>> >--
>> >Jonathan | exabr...@gmail.com
>> >Pessimists, see a jar as half empty. Optimists, in contrast, see it as
>> >half full.
>> >Engineers, of course, understand the glass is twice as big as it needs to
>> >be.