Mukul> I feel that XalanJ should not move to Attic sometime soon

+1

I wonder if we can fix CVE in xalan-j, and then let it rest, move to attic or 
whatever.

The CVE is trivial to fix, so I believe it would be very nice of Xalan PMC to 
release a fix.

I came from Apache JMeter here (see 
https://bz.apache.org/bugzilla/show_bug.cgi?id=66171 ), and it turns out that 
JMeter has non-trivial use of xalan-j.
Of course, we could spend some time on replacing xalan-j with something else,
however, it is cumbersome, and it would be way easier if we could have more 
time doing that.

Just in case: CVE raises red flags, so having that "CVE pressure" is not really 
helpful for JMeter devs.

Gary> Before you consider volunteering to perform a release, I would
Gary> encourage you to try locally, building a release is a lot more than
Gary> compiling a jar ;-) and there might not be anyone available to help
Gary> once you hit a snag, IOW, pitfalls, and time sink.

Gary, I was able to build xalan-j on my macOS 12 with Java 11 with minor 
updates like "bump minimal Java from 1.3 to 1.7, and remove explicit boot 
classpath overrides".
I spent less than 15 minutes to get xalan-j_2_7_2-bin.tar.gz, 
xalan-j_2_7_2-src.tar.gz.

So I don't understand what you mean by "try locally". It just works.
Well, -src.tar.gz contains several jar files which are no-no under the current 
ASF policy,
however, I believe the jars could be downloaded from the Internet via small Ant 
task,
so it would not take much time to rip off the jars from src.tar.gz and still 
keep the sources buildable.

So would you please consider releasing xalan-j to fix the CVE?

Vladimir
