Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-29 Thread Petr Široký 
+1 (non-binding)

Tested with several projects, ranging from small single-module ones to some 
with hundreds of sub-modules. No issue found.




--- Original Message ---
On Saturday, December 24th, 2022 at 21:20, Michael Osipov  
wrote:


> 
> 
> Hi,
> 
> We solved 19 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
> 
> There are still hundreds of issues left in JIRA:
> https://issues.apache.org/jira/issues/?jql=project %3D MNG AND resolution %3D 
> Unresolved
> 
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
> 
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
> 
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
> 
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
> 
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open until 2022-12-30T20:00Z
> 
> [ ] +1
> [ ] +0
> [ ] -1
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org

Re: [VOTE] Release Apache Maven Daemon 1.0.0-m1

2022-12-29 Thread Guillaume Nodet 
+1

Le ven. 16 déc. 2022 à 14:07, Guillaume Nodet  a écrit :

> I've staged a candidate release at
>   https://dist.apache.org/repos/dist/dev/maven/mvnd/1.0.0-m1/
>
> Note that this release is based on the latest Maven 4.0.0-alpha-3.
> The release notes are available at
>
> https://github.com/apache/maven-mvnd/releases/tag/untagged-2285434bf6532985094a
>
> Please review and vote !
> --
> 
> Guillaume Nodet
>
>

-- 

Guillaume Nodet

Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-29 Thread Mark Derricutt 

On 25 Dec 2022, at 9:20, Michael Osipov wrote:


Hi,

We solved 19 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690


+1 non-binding.


---
"The ease with which a change can be implemented has no relevance at all 
to whether it is the right change for the (Java) Platform for all time." 
 Mark Reinhold.


Mark Derricutt
http://www.chaliceofblood.net
http://www.theoryinpractice.net
http://twitter.com/talios
http://facebook.com/mderricutt

Re: How secure is invoking a single mojo?

2022-12-29 Thread Romain Manni-Bucau 
Hi Aldrin,

Maybe DefaultModelReader from maen-model-builder module but depends if you
want the pom resolved or just the raw pom too.

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 28 déc. 2022 à 22:10, Aldrin Leal  a écrit :

> Tamas,
>
> Thanks for your idea. If I wanted to resolve from reading a pom file from
> scratch, where you'd point me at (thinking MavenXpp3Reader and friends
> perhaps?).
>
> --
> -- Aldrin Leal,  / https://aldrinleal.link
>
>
> On Fri, Dec 16, 2022 at 4:17 PM Tamás Cservenák 
> wrote:
>
> > You can write a simple app, using resolver. There are demo that perform
> > fully functional things, for example
> >
> >
> >
> https://github.com/apache/maven-resolver/blob/master/maven-resolver-demos/maven-resolver-demo-snippets/src/main/java/org/apache/maven/resolver/examples/GetDependencyTree.java
> >
> > Hth
> > T
> >
> > On Fri, Dec 16, 2022, 22:12 Aldrin Leal  wrote:
> >
> > > Thanks Michael, indeed this can be better worded What about?
> > >
> > > How to programatically list a poms dependencies (incl transitive)
> without
> > > the risk of running untrusted/unauthorized code?
> > >
> > > --
> > > -- Aldrin Leal,  / https://aldrinleal.link
> > >
> > >
> > > On Fri, Dec 16, 2022 at 3:55 PM Michael Osipov 
> > > wrote:
> > >
> > > > Am 2022-12-16 um 18:02 schrieb Aldrin Leal:
> > > > > Hello,
> > > > >
> > > > > Just a question I'd like to confirm with you guys: How "safe" is to
> > run
> > > > > `dependency:tree` on a given arbitrary pom?
> > > > >
> > > > > I mean, whats the likelihood of that pom.xml triggering some
> "unsafe"
> > > > code?
> > > > >
> > > > > And how would you do this in (listing all the required runtime jar
> > > files
> > > > > for a given project) the most secure way if you were given this
> task?
> > > >
> > > > Safety and security are two different things. What are you striving
> > for?
> > > >
> > > >
> > > > -
> > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > > For additional commands, e-mail: dev-h...@maven.apache.org
> > > >
> > > >
> > >
> >
>

Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-29 Thread Sylwester Lachiewicz 
+1

sob., 24 gru 2022, 21:20 użytkownik Michael Osipov 
napisał:

> Hi,
>
> We solved 19 issues:
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
>
> There are still hundreds of issues left in JIRA:
>
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
>
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1839/
>
> Dev dist directory:
> https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
>
> Source release checksums:
> apache-maven-3.8.7-src.zip sha512:
>
> 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> apache-maven-3.8.7-src.tar.gz sha512:
>
> 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
>
> Binary release checksums:
> apache-maven-3.8.7-bin.zip sha512:
>
> c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> apache-maven-3.8.7-bin.tar.gz sha512:
>
> 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
>
> Draft for release notes:
> https://github.com/apache/maven-site/pull/356
>
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
>
> Vote open until 2022-12-30T20:00Z
>
> [ ] +1
> [ ] +0
> [ ] -1
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>

Re: [VOTE] Release Apache Maven version 3.8.7

2022-12-29 Thread Olivier Lamy 
+1

On Tue, 27 Dec 2022 at 18:30, Herve Boutemy  wrote:
>
> +1
>
> Reproducible Builds ok: reference built with JDK 8 on Windows
>
> thanks a lot
>
> Hervé
>
> On 2022/12/24 20:20:32 Michael Osipov wrote:
> > Hi,
> >
> > We solved 19 issues:
> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922=12352690
> >
> > There are still hundreds of issues left in JIRA:
> > https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
> >
> > Staging repo:
> > https://repository.apache.org/content/repositories/maven-1839/
> >
> > Dev dist directory:
> > https://dist.apache.org/repos/dist/dev/maven/maven-3/3.8.7/
> >
> > Source release checksums:
> > apache-maven-3.8.7-src.zip sha512:
> > 7c5bbdfbd85711d11f93254208978b47e4dcf010f94a1b9f549c3040507d751dff10d99c5f3af5fa92fd44b4261fc950d69eac345736f62007416e1350319891
> > apache-maven-3.8.7-src.tar.gz sha512:
> > 99dc6a44811d945d2d9a9e88b32abde5a82e4a8fa202ff217a5e3106d7fc532f347cff01331f6c2c0d86b2cf67fc0d0ee609d0c7d39b352a9422b990e49a81eb
> >
> > Binary release checksums:
> > apache-maven-3.8.7-bin.zip sha512:
> > c687fcdc3890bcf0f9f9dbc42ceded21dc80f0dcc5541c28912a99224694793f6e437998e46b5939bd314178865263c62a069c6c6f15d1d0541eea75748c46fd
> > apache-maven-3.8.7-bin.tar.gz sha512:
> > 21c2be0a180a326353e8f6d12289f74bc7cd53080305f05358936f3a1b6dd4d91203f4cc799e81761cf5c53c5bbe9dcc13bdb27ec8f57ecf21b2f9ceec3c8d27
> >
> > Draft for release notes:
> > https://github.com/apache/maven-site/pull/356
> >
> > Guide to testing staged releases:
> > http://maven.apache.org/guides/development/guide-testing-releases.html
> >
> > Vote open until 2022-12-30T20:00Z
> >
> > [ ] +1
> > [ ] +0
> > [ ] -1
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org