Re: [VOTE] Require Java 17 for Maven 4

2024-02-28 Thread Thomas Matthijs
+1


On Wed, Feb 28, 2024, at 08:30, Benjamin Marwell wrote:
> Hi Maven Devs/Users/Committers and PMC members!
>
> After several discussions on the mailing lists, I would like to
> start a vote in favour of setting the minimal Java bytecode target
> of Maven-Core 4 to 17 and hence require Java 17 for Maven 4.
>
> This is a procedural majority vote [1*]:
> You can also vote with fractions and negative votes are not vetoes.
>
> Please also notice:
> * Maven 3 will stay at Java 8 no matter what.
> * We may raise Maven 4 to JDK 21 later if we feel like it (depending
> on the release date).
>   This is not part of this vote.
> * The linked PR is not part of this vote (this is not a code vote).
>   But you may take a look at it to understand the intended change.
>
> PR: https://github.com/apache/maven/pull/1430
>
> Maven-Parent will not be raised with this vote, the other PR is not
> part of this vote.
>
> Please refrain from starting discussions in this thread, but do
> include a reasoning on downvotes and feel free to start a new
> discussion on the mailing list, or comment on the existing ones.
>
> ---
>
> Vote open for 72 hours:
>
> [ ] +1 (set JDK17 min version for Maven 4.x)
> [ ] +0
> [ ] -1 (please include reasoning)
>
> ---
>
> - Ben
>
> [1*]: https://www.apache.org/foundation/voting.html
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org




Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-02 Thread Thomas Matthijs
That was just to demonstrate how I got the dependency chain, that file
was there, but if you're going to be this hostile, I'm not interested
anymore, muting thread

On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło  wrote:
>
> On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs  wrote:
> >
> > Can confirm this project downloads log4j 1.12.12 for me
>
> As I see it - you confirm something else.
>
> > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
>
> Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> _artifact descriptor_
>
> --
> Piotrek
>
>




Re: Maven Dependency Plugin - Log4j vulnerabilities

2022-03-02 Thread Thomas Matthijs
Hello,

Can confirm this project downloads log4j 1.12.12 for me

# empty the cached log4j artifacts, then recreate the directory owned by
# root so Maven cannot write a fresh download into it (the chown needs an
# existing directory, hence the mkdir between the two steps)
rm -rf ~/.m2/repository/log4j/log4j
mkdir -p ~/.m2/repository/log4j/log4j
sudo chown root:root ~/.m2/repository/log4j/log4j

[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy
(copy-artifact) on project demo: Execution copy-artifact of goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy failed:
Plugin org.apache.maven.plugins:maven-dependency-plugin:3.2.0 or one
of its dependencies could not be resolved: Failed to collect
dependencies at
org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0 ->
org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0 ->
org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4 ->
org.apache.velocity:velocity-tools:jar:2.0 ->
commons-digester:commons-digester:jar:1.8 ->
commons-logging:commons-logging:jar:1.1 -> log4j:log4j:jar:1.2.12:
Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:

So the dependency chain seems to be

org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0
-> org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0
-> org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4
-> org.apache.velocity:velocity-tools:jar:2.0
-> commons-digester:commons-digester:jar:1.8
-> commons-logging:commons-logging:jar:1.1
-> log4j:log4j:jar:1.2.12:

Regards

On Mon, 28 Feb 2022 at 13:52, Juraj Veverka
 wrote:
>
> Hi David
>
> Many thanks for your email, I really appreciate your reply. This is an
> isolated example of the problem.
> https://github.com/jveverka/mvn-dependency-log4j
> You can find all repro steps there. In case of any questions, feel free
> to contact me.
>
> Kind regards
> Juraj Veverka
>
>
>
> On Mon, Feb 28, 2022 at 12:14 PM David Milet  wrote:
>
> > Where I work we decided to address log4j vulnerabilities only for
> > components directly used by the application and actually performing logging.
> > We ignored transitive dependencies and maven plug-ins.
> > I’m curious about this use case from Venu though, what application would
> > rely on the maven dependency plugin at runtime? Does it mean you’re pulling
> > maven dependencies after application startup?
> >
> > > On Feb 28, 2022, at 03:30, Slawomir Jaranowski 
> > wrote:
> > >
> > > Hi,
> > >
> > > Please provide more information, like plugin, Maven, OS version.
> > >
> > > We also need an example project which reproduces your issue.
> > > When we can't reproduce we can't help.
> > >
> > > Mon, 28 Feb 2022 at 08:55 Jaladi, Venumadhav
> > >  wrote:
> > >
> > >> Hi team,
> > >>
> > >> Can I expect any response?  Is this the right email address for my
> > >> question?
> > >>
> > >> Thanks,
> > >> Venu
> > >>
> > >>
> > >>> On Thu, Feb 24, 2022 at 6:47 AM Jaladi, Venumadhav <
> > >>> jaladi.venumad...@verizon.com> wrote:
> > >>>
> > >>> Hi team,
> > >>>
> > >>> We are using the Maven Dependency Plugin in one of our projects and our
> > >>> scanning tools are showing multiple vulnerabilities related to Log4j
> > >>> (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305,
> > >>> CVE-2022-23307 and CVE-2021-4104).
> > >>>
> > >>> We would like to know if there are any plans to release a newer
> > >>> version of Maven Dependency Plugin with the fixes of these
> > >>> vulnerabilities (referring to the latest version of Log4j libraries).
> > >>> If so, is there any planned date for this release?
> > >>>
> > >>> Please let us know if any more information is required.
> > >>>
> > >>> Thanks,
> > >>> Venu
> > >>>
> > >>
> > >
> > >
> > > --
> > > Sławomir Jaranowski
> >
> >
>
> --
>
> Best Regards
>
>
> --
>
> Juraj Veverka  | Solution Design Architect
>
> M +421 917 521 285
>
> www.globallogic.sk  
>
>
> http://www.globallogic.com/Disclaimer.htm

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
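The "Failed to collect dependencies at A -> B -> C" text in the error above is the only place Maven prints the full path from the plugin down to log4j, and it arrives wrapped across console lines. The script below is an added example, not code from this thread or from the Maven project: it flattens the wrapped output, parses the chain into coordinates, and reports every log4j:log4j 1.x hit together with the path that pulled it in, so a build log can be checked instead of reading the chain by hand. The sample input is the error quoted in this message; the function and type names are my own.

```python
import re
from typing import List, NamedTuple

# Constructed sample input: the resolution error quoted in this thread, with
# the line wrapping Maven applies on the console left in place.
SAMPLE_ERROR = """[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy
(copy-artifact) on project demo: Execution copy-artifact of goal
org.apache.maven.plugins:maven-dependency-plugin:3.2.0:copy failed:
Plugin org.apache.maven.plugins:maven-dependency-plugin:3.2.0 or one
of its dependencies could not be resolved: Failed to collect
dependencies at
org.apache.maven.plugins:maven-dependency-plugin:jar:3.2.0 ->
org.apache.maven.reporting:maven-reporting-impl:jar:3.0.0 ->
org.apache.maven.doxia:doxia-site-renderer:jar:1.7.4 ->
org.apache.velocity:velocity-tools:jar:2.0 ->
commons-digester:commons-digester:jar:1.8 ->
commons-logging:commons-logging:jar:1.1 -> log4j:log4j:jar:1.2.12:
Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
"""


class Coordinate(NamedTuple):
    group_id: str
    artifact_id: str
    packaging: str
    version: str

    def ga(self) -> str:
        return f"{self.group_id}:{self.artifact_id}"


def parse_coordinate(token: str) -> Coordinate:
    """Parse Maven's groupId:artifactId:type[:classifier]:version form."""
    parts = token.strip().rstrip(":").split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"not a Maven coordinate: {token!r}")
    return Coordinate(parts[0], parts[1], parts[2], parts[-1])


def parse_collect_chain(console_text: str) -> List[Coordinate]:
    """Return the 'Failed to collect dependencies at A -> B -> C' chain, root first.

    Returns an empty list when the console text carries no such error.
    """
    flat = " ".join(console_text.split())  # undo the console line wrapping
    marker = "Failed to collect dependencies at "
    start = flat.find(marker)
    if start < 0:
        return []
    chain = flat[start + len(marker):]
    # Coordinates never contain ": ", so the first one marks where the chain
    # ends and the per-artifact failure reason begins.
    end = chain.find(": ")
    if end >= 0:
        chain = chain[:end]
    return [parse_coordinate(t) for t in chain.split(" -> ")]


def is_log4j1(c: Coordinate) -> bool:
    # log4j:log4j is the end-of-life 1.x line; 2.x ships as org.apache.logging.log4j
    return c.ga() == "log4j:log4j" and c.version.startswith("1.")


def log4j1_paths(console_text: str) -> List[str]:
    """For every log4j 1.x coordinate in the chain, the path that pulled it in."""
    chain = parse_collect_chain(console_text)
    return [
        " -> ".join(f"{x.ga()}:{x.version}" for x in chain[: i + 1])
        for i, c in enumerate(chain)
        if is_log4j1(c)
    ]


if __name__ == "__main__":
    for path in log4j1_paths(SAMPLE_ERROR):
        print(path)
```

Run it against a saved build log (`python3 chain.py < build.log` after swapping SAMPLE_ERROR for `sys.stdin.read()`) and the printed path tells you which plugin dependency, not the project, is responsible, which is what scanners that flatten everything into one list tend to hide.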



Re: Any feedback for MNG-6261?

2017-07-28 Thread Thomas Matthijs
Have you double checked file permissions? If it can't read the parent
pom (maybe not all dirs are +x etc) then it will have the behavior you
see

On Thu, Jul 27, 2017 at 10:07 PM, Dawid Weiss  wrote:
> I added a comment on that issue. The problem is not deterministic for
> some reason -- I can execute identical maven on identical code on the
> same computer and get two different outcomes (consistently). I have no
> idea how to debug it better too -- passing -X doesn't yield any
> reasonable logs. Looks very strange.
>
> Dawid
>
>
> On Thu, Jul 27, 2017 at 7:37 PM, Robert Scholte  wrote:
>> I had a look at it, but can't reproduce the issue with the attached project
>> Even when using exactly the same directory
>> (D:\repositories\carrotsearch.com\lingo4g) my build succeeds.
>> A failing project is really required to fix this.
>>
>> Robert
>>
>>
>> On Thu, 27 Jul 2017 13:41:16 +0200, Dawid Weiss 
>> wrote:
>>
>>> Hello,
>>>
>>> Just wanted to hear if anybody has any idea about MNG-6261 I filed
>>> recently -- there is a relatively simple repro attached and it fails
>>> with Maven 3.5.0+; I've been wondering if it's a bug or an illegal
>>> abuse of the submodule/parent pom relationship.
>>>
>>> Dawid
>>>
>>> -
>>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
>
>

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
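The permission check suggested above is easy to get wrong by hand, because POSIX requires the search (x) bit on every ancestor directory and applies exactly one permission class (owner, else group, else other) per directory. The following is an added example, not code from this thread or from Maven: it walks every directory above a pom.xml and reports those the given user cannot traverse, which is the situation in which Maven cannot read a parent pom reached via relativePath. The stat function, uid and group list are injectable so the logic can be tested against a constructed directory table; names are my own, and the script assumes a POSIX system (it does not model root's bypass, ACLs, or noexec/mount restrictions).

```python
import os
import stat
from typing import Callable, Iterable, List, NamedTuple, Optional


class DirCheck(NamedTuple):
    path: str
    mode: str         # symbolic mode as ls shows it, e.g. "drwx------"
    searchable: bool  # whether the given user may traverse (x) this directory


def ancestors(path: str) -> List[str]:
    """Every directory on the way to `path`, root first (the file itself excluded)."""
    d = os.path.dirname(os.path.abspath(path))
    dirs = []
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:  # reached the filesystem root
            break
        d = parent
    return dirs[::-1]


def applicable_x_bit(st, uid: int, groups: Iterable[int]) -> int:
    """POSIX picks exactly one class: owner if uid matches, else group, else other."""
    if st.st_uid == uid:
        return stat.S_IXUSR
    if st.st_gid in groups:
        return stat.S_IXGRP
    return stat.S_IXOTH


def check_search_path(
    path: str,
    stat_fn: Callable[[str], object] = os.stat,
    uid: Optional[int] = None,
    groups: Optional[Iterable[int]] = None,
) -> List[DirCheck]:
    """Check the search bit on each ancestor of `path` for the given user.

    `stat_fn` must return an object with st_mode, st_uid and st_gid; the
    defaults use the real filesystem and the calling user (POSIX only).
    """
    uid = os.getuid() if uid is None else uid
    groups = set(os.getgroups()) if groups is None else set(groups)
    results = []
    for d in ancestors(path):
        st = stat_fn(d)
        ok = bool(st.st_mode & applicable_x_bit(st, uid, groups))
        results.append(DirCheck(d, stat.filemode(st.st_mode), ok))
    return results


def unsearchable_dirs(path: str, **kw) -> List[str]:
    """Just the ancestors that block traversal; an empty list means the path is reachable."""
    return [c.path for c in check_search_path(path, **kw) if not c.searchable]


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "pom.xml"
    for c in check_search_path(target):
        print(f"{c.mode}  {'ok     ' if c.searchable else 'BLOCKED'}  {c.path}")
```

Point it at the parent pom the child module references (`python3 searchpath.py ../pom.xml`) from inside the module directory; any BLOCKED line is a directory the build cannot pass through, regardless of the mode on the pom file itself.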



Re: Publish Maven releases on SDKMAN!

2017-04-16 Thread Thomas Matthijs
Looks like yet another package manager, and just as most upstream
projects don't provide the packages/build for every Linux distro and
package manager system under the sun, this project looks no different.

The sdkman community should help provide the maven releases on it, and
not the maven community (they can however overlap).

Regards

On Sun, Apr 16, 2017 at 1:33 AM, Marco Vermeulen  wrote:
> Paul,
>
> I really am not trying to sell anything. I'm trying to help your community.
> You will get no *arguments* in favour or against from me.
>
> My users keep asking for Maven on SDKMAN, and I sincerely wish to give them
> what they ask for. Whether the community is willing to lend a hand is
> entirely up to the *committers* of this project.
>
> On Sun, 16 Apr 2017 at 00:12 Paul Hammant  wrote:
>
>> Marco,
>>
>> You could sell your idea better, I think. You have "Most of the big
>> projects want to do this" as one of the stronger arguments in favor, which
>> isn't enough. For 20 years, Lean/Agilistas have focussed on "what is the
>> problem you're trying to solve?". And that is the question, I personally*
>> would want to make to you.
>>
>> * I'm an interloper to this list, not a committer.
>>
>> Maven experts really do one setup thing: "brew install maven" (or equiv).
>>
>> Then they clone repos that purport to be example applications for the thing
>> they want (SpringBoot, Grails). Then they mvn install that and the bits of
>> the SDK they need come down to their local cache. It has been four years
>> since I last acquired a new JVM technology any other way.
>>
>> - Paul
>>
