I actually also help maintain axis 1, if you check out the project from GitHub and do "git log --" you will notice that I have been the most active committer there recently.
The way Apache foundation projects work, is that there is a VP who is elected to be responsible for security issues of all subprojects. That's me currently. To keep Axis2 active, I am also required to be responsible for Axis 1.x too. I used it back in the day and know the architecture to a certain extent, but claim no deep knowledge without some effort. The way Apache projects also works though is the community contributes with patches and testing when necessary. That all being said, Axis PMC member Andreas Veithen was the committer that through his gracious contributions over many years made it possible to keep the axis 1 git repo up to date in a modern way. Andreas occasionally still responds to these types of mailing list threads - sometimes he does and sometimes he doesn't. Robert On Wed, Sep 29, 2021, 21:32 Chea Sovanreach (NCS) < sovanreach.c...@ncs.com.sg> wrote: > Hi Robert, > > > > Appreciate the quick response on your end. > > > > As mentioned there is one member who keeps the Axis1.x updated throughout > the years, is it possible to share his/her contact here? We would like to > reach out to him/her to understand more about current Axis1.x latest build. > > > > Thank you. > > > > > > Kind Regards, > > *Reach* > > > > > > > > *From:* robertlazarski <robertlazar...@gmail.com> > *Sent:* Wednesday, 29 September 2021 6:00 pm > *To:* java-user@axis.apache.org > *Subject:* Re: [Axis2] Migration Issues > > > > [External email] Please be cautious when clicking on any links or > attachments. > ------------------------------ > > Concerning help for a migration to Axis2, I don't have much to add > unfortunately. > > > > I myself wrote part of the migration guide 15 years ago and without being > a recent user I would have to dive deep into the source code of both > projects - something you and your team would be better suited for. > > > > There is possiblity someone else can respond. Frankly, there isn't that > many of us left here after twenty years. > > > > Apache requires a minimum of three active members and we have that - but > the Axis 1.x people mostly.are lurkers at this point. They do respond > occasionally. > > > > On Wed, Sep 29, 2021, 05:48 robertlazarski <robertlazar...@gmail.com> > wrote: > > While there has not been an official axis 1 release since 1.4 in 2006, > there has been hundreds of commits to the project in git since then. > > > > https://github.com/apache/axis-axis1-java > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fapache%2Faxis-axis1-java&data=04%7C01%7Csovanreach.chea%40ncs.com.sg%7Cd66a2b8bb7fe41f8f73e08d9832ffe23%7Cca90d8f589634b6ebca99ac468bcc7a8%7C1%7C0%7C637685064412906897%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=p14hq3oCkvpvATFG7rAsSLMkapucOycm0XOk8Fn1q0E%3D&reserved=0> > > > > The Apache security team requires all active repos to have vulnerabilities > fixed. There are no open CVE's in the project that I am aware of. > > > > I am not personally an axis 1.x user and there has been very little recent > traffic for the project in Jira and the mailing list. Therefore there is > little motivation for a release from our team. > > > > There was one member of our project that kept Axis 1.x updated for many > years by adding maven support and a lot of other commits, making it easier > to maintain. > > > > Challenges for the project include newer JDK support - JDK 11 for example > has a minimum source compatibility requirement of JDK 6 however there are > hundreds of compile errors at that level. > > > > Because of all this, a release would require community help to push it > forward. > > > > I suggest building from source. A release would require contributions and > testing. The "Apache way" encourages becoming a committer to projects to > get involved in such a complicated situation. > > > > Robert > > > > On Tue, Sep 28, 2021, 23:53 Chea Sovanreach (NCS) < > sovanreach.c...@ncs.com.sg> wrote: > > Hi Axis2 Team, > > > > We have been trying to upgrade from Axis1 -> Axis2 for our project due to > security vulnerability (CVE-2019-0227 : A Server Side Request Forgery > (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was > last released in 2 (cvedetails.com) > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.cvedetails.com%2Fcve%2FCVE-2019-0227%2F&data=04%7C01%7Csovanreach.chea%40ncs.com.sg%7Cd66a2b8bb7fe41f8f73e08d9832ffe23%7Cca90d8f589634b6ebca99ac468bcc7a8%7C1%7C0%7C637685064412916892%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=WSTaiz9ILq26Ic%2B40Pk%2BT77sNsO7eWQQfDnOAzCvsQQ%3D&reserved=0>. > However, there are so many APIs that have changed and ways to implement > those are not straightforward. > > For example, *org.apache.axis.message.MessageElement* is totally removed. > There is no clear guideline or documentation on how to implement similar > APIs in Axis2. > > > > Please help to advise on how we can improve our migration process and > places where we can the reference to look for the changes. > > > > *Note*: have checked out the official migration guide on your website > https://axis.apache.org/axis2/java/core/docs/migration.html > <https://apc01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faxis.apache.org%2Faxis2%2Fjava%2Fcore%2Fdocs%2Fmigration.html&data=04%7C01%7Csovanreach.chea%40ncs.com.sg%7Cd66a2b8bb7fe41f8f73e08d9832ffe23%7Cca90d8f589634b6ebca99ac468bcc7a8%7C1%7C0%7C637685064412926887%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=pUlFxq9cOCBG%2FO2y3LbAsedB%2FJAiAm2%2BrjqnmkM3QxE%3D&reserved=0> > , but this is far from enough for us to do the migration. > > > > Thank you. > > > > > > Kind Regards, > > *Reach* > > > >
