Re: [DISCUSS] RMI support in Jackrabbit
On 18.09.2023 13:50, Julian Reschke wrote:
> ...

Update...:

- RMI is disabled by default now (https://issues.apache.org/jira/browse/JCR-4960)
- all of RMI is deprecated and marked for removal in 2.22.x (https://issues.apache.org/jira/browse/JCR-4973, https://issues.apache.org/jira/browse/JCR-4981, https://issues.apache.org/jira/browse/JCR-5025). Note that the last issue was only noticed last week, and still needs to go into releases.
- the deprecation (and plan for removal) is noted on the web site (https://issues.apache.org/jira/browse/JCRSITE-57)

Next steps:

- make another trunk release containing the deprecation in jackrabbit-standalone (https://issues.apache.org/jira/browse/JCR-5025) - second half of this month
- release new 2.20.x with complete deprecation info (early March)
- remove RMI support in trunk (see tickets and PRs: https://issues.apache.org/jira/browse/JCR-5026, https://issues.apache.org/jira/browse/JCR-5027, https://issues.apache.org/jira/browse/JCR-5028)
- release from trunk (early April)

After that, I'd like to cut a new stable branch for use in Oak "latest and greatest".

Feedback appreciated,

Julian
Re: [DISCUSS] RMI support in Jackrabbit
+1 on deprecating. Our stopper for removing it is JCR-4954.

Greets,
Claus
Re: [DISCUSS] RMI support in Jackrabbit
On Mon, Sep 18, 2023 at 8:50 PM Julian Reschke wrote:
>
> To whom it may concern...
>
> Jackrabbit's RMI support has been essentially unmaintained for half a
> decade now, and also does not support JCR 2.0.
>
> We recently had to go into emergency mode due to vulnerabilities of
> components used by us when accessed over RMI (see
> https://nvd.nist.gov/vuln/detail/CVE-2023-37895).
>
> In response to that, we have changed the default settings in our server
> and standalone bundles (https://issues.apache.org/jira/browse/JCR-4960),
> and have removed the use of the vulnerable component
> (https://issues.apache.org/jira/browse/JCR-4949).
>
> As next steps, I'd like to first formally deprecate jackrabbit-jcr-rmi
> (https://issues.apache.org/jira/browse/JCR-4973), and then later remove
> it altogether (https://issues.apache.org/jira/browse/JCR-4972). The
> deprecation would get backported to the stable maintenance branch
> (2.20.x), while the removal would only happen in the unstable branch for
> now.

+1 on both deprecating jackrabbit-jcr-rmi now and removing it later.

Thanks,

Woonsan

> Feedback appreciated (either here or in the tickets).
>
> Best regards, Julian
[DISCUSS] RMI support in Jackrabbit
To whom it may concern...

Jackrabbit's RMI support has been essentially unmaintained for half a decade now, and also does not support JCR 2.0.

We recently had to go into emergency mode due to vulnerabilities of components used by us when accessed over RMI (see https://nvd.nist.gov/vuln/detail/CVE-2023-37895).

In response to that, we have changed the default settings in our server and standalone bundles (https://issues.apache.org/jira/browse/JCR-4960), and have removed the use of the vulnerable component (https://issues.apache.org/jira/browse/JCR-4949).

As next steps, I'd like to first formally deprecate jackrabbit-jcr-rmi (https://issues.apache.org/jira/browse/JCR-4973), and then later remove it altogether (https://issues.apache.org/jira/browse/JCR-4972). The deprecation would get backported to the stable maintenance branch (2.20.x), while the removal would only happen in the unstable branch for now.

Feedback appreciated (either here or in the tickets).

Best regards, Julian