[ https://issues.apache.org/jira/browse/AXIS2-6072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17893141#comment-17893141 ]

Robert Lazarski edited comment on AXIS2-6072 at 10/26/24 8:05 PM:
------------------------------------------------------------------

Axis2 has no dependencies on Rampart - it is the other way around.

Anyways, the Axis2 GitHub repo is up to date with the latest jakarta standards that will be going out in 2.0.0, while the upcoming Rampart 1.8.0 is up to date in GitHub on opensaml 4.x libs with a follow up planned for a 2.0.0 release supporting opensaml 5.x.

Part of the problem is we lack active committers and this being open source, the best way to contribute is via PRs on GitHub.


was (Author: robertlazarski):
Axis2 has no dependencies on Rampart - it is the other way around.

Anyways, the Axis2 GitHub repo is up to date with the latest jakarta standards that will be going out in 2.0.0, while the upcoming Rampart 1.8.3 is up to date in GitHub on opensaml 4.x libs with a follow up planned for a 2.0.0 release supporting opensaml 5.x.

Part of the problem is we lack active committers and this being open source, the best way to contribute is via PRs on GitHub.

> Request to make changes to replace the EOL/deprecated libraries required to
> support axis2 with the available alternatives
> ---------------------------------------------------------------------------
>
>                 Key: AXIS2-6072
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6072
>             Project: Axis2
>          Issue Type: Improvement
>   Affects Versions: 1.8.2
>            Reporter: Atharva Gokhale
>            Priority: Major
>              Labels: security
>
> I have created this ticket to request the discontinuation of the usage of
> certain libraries that are being required to support the usage of the
> presently available versions of axis2. This mainly includes the dependencies
> from the rampart series including rampart-trust, rampart-core, and
> rampart-policy. Since these libraries have been EOL for a long time and have
> not had any new version(s) released for 6-7 years, it is challenging to
> address the security vulnerabilities posed by these and the other
> dependencies being used by these transitively. An important example of this
> is the requirement of the older versions of opensaml required to in turn
> support the outdated rampart dependencies.
> Thus, we wish to ask when Apache would stop the requirement to keep
> using such outdated dependencies and update the code to make it compatible
> with respect to the latest available alternatives for an important resource
> like axis2?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org