>Java 11 (LTS) might be a better baseline

1) Building Xalan with Java 8 is **easier** than building xalan-j with Java 11.

2) Raising the "bytecode level to Java 11" does not seem to be reasonable for fixing a CVE. So I'm inclined to think that we should fix the CVE while keeping the bytecode at Java 1.7. I just checked, and Java 11 allows building with target=1.6. Java 8 allows building with target=1.5.

3) Having bytecode at 1.7 (or 1.5/1.6) would make it easier for the consumers to drop-replace xalan-2.7.2.jar with xalan-2.7.3.jar.

>Companies which are paying to stick with these old versions are also highly
>unlikely to be upgrading Xalan-J to a new version

They will upgrade provided there's a trivial upgrade path. For xalan 2.7.2 we could make a release that brings minimal disruption and which fixes the CVE.

For example, many companies would happily upgrade log4j 1.2.17 to 1.2.18 provided
The case is very much the same there, and many companies have to fork log4j1 for the sole reason of fixing CVEs.

Vladimir