Mukul> IMHO, I therefore disagree with what you've written above as, 'The
Mukul> 2.7.3 release is broken and unusable'.

There are severe issues with artifacts on Maven Central:

1) https://issues.apache.org/jira/browse/XALANJ-2649
Xalan 2.7.3 is missing dependencies

It means the users have to do manual adjustments when they dump dependencies.

2) https://issues.apache.org/jira/browse/XALANJ-2650
The pom file for xalan 2.7.3 and serializer 2.7.3 misses license

It means the users can't just upgrade the version, but they have to go through licensing audit again.

It is not the end of the world, but those are out-of-thin-air issues for the users.
Of course, workarounds exist, but, well, both issues affect usability.

Having at least one release that fixes CVEs is better than not having a release at all,
however, it would indeed be great if there could be a next release shortly to fix those issues.

Mukul> i.e, the file xalan-j_2_7_3-src.zip that
Mukul> I've downloaded as mentioned above) built fine

As you mention the source release package, could you please check if xalan-j_2_7_3-src.zip
contains only source code, and it contains no binary/compiled files?

I see a lot of jar files with class files inside (e.g. lib folder, tools folder).
That violates the ASF release policy which says

> binary/bytecode MUST only add binary/bytecode files that are the result
> of compiling that version of the source code release and its dependencies

Do you think xalan-j_2_7_3-src.zip violates the ASF release policy?
https://www.apache.org/legal/release-policy.html#source-packages

Vladimir