Re: 8.0.16 release
I did the upload for you ;-) - should be fine now and the VOTE is up. Am Sonntag, dem 29.10.2023 um 13:47 -0500 schrieb Jonathan Fisher: > They’re playing in Frankfurt next week! > > I re-ran the tool, I’m not sure what fixed it, but the binaries > appear to be there now. > > Sent from my iPhone > > > On Oct 29, 2023, at 1:25 PM, Richard Zowalla > > wrote: > > > > I will take care of it, so we can start the vote. > > Have fun @ KC Chiefs play, Jonathan. Many thanks for re-doing the > > release. > > > > > Am Sonntag, dem 29.10.2023 um 19:06 +0100 schrieb Richard > > > Zowalla: > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/ > > > seems to be empty? > > > > > > Am 29. Oktober 2023 18:45:06 MEZ schrieb "Jonathan S. Fisher" > > > : > > > > Done. > > > > > > > > Staging repo is closed. > > > > > > > > Artifacts uploaded here: > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1223 > > > > > > > > tomee-8.x pushed > > > > > > > > Tag pushed: > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > > > > > > > On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher > > > > wrote: > > > > > > > > > > Perfect thanks, that is done. > > > > > > > > > > New release is building and uploading. I checked the bom poms > > > > > before I > > > > > started. KC Chiefs play in a few hours so I'm hoping to have > > > > > it > > > > > ready > > > > > before then. > > > > > > > > > > > > > > > On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla > > > > > wrote: > > > > > > > > > > > > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via > > > > > > SVN, > > > > > > run an SVN delete in staging-1222 and commit :-) > > > > > > > > > > > > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. > > > > > > Fisher" > > > > > > : > > > > > > > 1) Logged into Nexus, clicked "drop repo" > > > > > > > 2) git tag -d from the command line, went into github, > > > > > > > also > > > > > > > deleted the tag > > > > > > > 3) for the life of me I can't figure out how to do this. > > > > > > > I > > > > > > > see the > > > > > > > artifacts here: > > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ > > > > > > > > > > > > > > On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher > > > > > > > wrote: > > > > > > > > > > > > > > > > Doing this now, thanks > > > > > > > > > > > > > > > > > > > > > > > > On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > Hey Jonathan, > > > > > > > > > > > > > > > > > > if you want to do the re-roll, you need to: > > > > > > > > > > > > > > > > > > (1) drop the staging repo > > > > > > > > > (2) drop the tag > > > > > > > > > (3) drop the staged binaries in dist/dev > > > > > > > > > (4) do the re-roll (as with the release before) > > > > > > > > > > > > > > > > > > I will fix the release notes regarding 9.0.82. Just > > > > > > > > > give > > > > > > > > > me a ping, if we can start a new vote. > > > > > > > > > > > > > > > > > > Gruß > > > > > > > > > Richard > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard > > > > > > > > > Zowalla > > > > > > > > > : > > > > > > > > > > Don't worry about the side thing ;-) - it can even > > > > > > > > > > wait until the vote > > > > > > > > > > is other. > > > > > > > > > > > > > > > > > > > > You can see an example for it here: [1] > > > > > > > > > > > > > > > > > > > > I'll check the signatures and if that looks good, I > > > > > > > > > > am > > > > > > > > > > going to start > > > > > > > > > > the vote for you. > > > > > > > > > > > > > > > > > > > > Thnaks, Jonathan!! > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > [1] > > > > > > > > > > https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > > > > > > > > > > > > > > > > > > > Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb > > > > > > > > > > Jonathan S. Fisher: > > > > > > > > > > > A... just kidding, I need to do the tomee- > > > > > > > > > > > site- > > > > > > > > > > > generator thing. > > > > > > > > > > > I'll have to figure that out or do it by hand. > > > > > > > > > > > > > > > > > > > > > > On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. > > > > > > > > > > > Fisher > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Awesome! Thank you! > > > > > > > > > > > > > > > > > > > > > > > > I've pushed the tag, the binaries are uploaded, > > > > > > > > > > > > release notes are > > > > > > > > > > > > now > > > > > > > > > > > > generated. Please double check my tag! > > > > > > > > > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > > > > > > > > > > > > > > > > > > > > > > > If everything is all good, yes please and thank > > > > > > > > > > > > you, call the vote! > > > > > > > > > > > > > > > > > > > > >
Re: 8.0.16 release
They’re playing in Frankfurt next week! I re-ran the tool, I’m not sure what fixed it, but the binaries appear to be there now. Sent from my iPhone > On Oct 29, 2023, at 1:25 PM, Richard Zowalla wrote: > > I will take care of it, so we can start the vote. > Have fun @ KC Chiefs play, Jonathan. Many thanks for re-doing the > release. > >> Am Sonntag, dem 29.10.2023 um 19:06 +0100 schrieb Richard Zowalla: >> https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/ >> seems to be empty? >> >> Am 29. Oktober 2023 18:45:06 MEZ schrieb "Jonathan S. Fisher" >> : >>> Done. >>> >>> Staging repo is closed. >>> >>> Artifacts uploaded here: >>> https://dist.apache.org/repos/dist/dev/tomee/staging-1223 >>> >>> tomee-8.x pushed >>> >>> Tag pushed: >>> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >>> >>> On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher >>> wrote: Perfect thanks, that is done. New release is building and uploading. I checked the bom poms before I started. KC Chiefs play in a few hours so I'm hoping to have it ready before then. On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla wrote: > > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, > run an SVN delete in staging-1222 and commit :-) > > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" > : >> 1) Logged into Nexus, clicked "drop repo" >> 2) git tag -d from the command line, went into github, also >> deleted the tag >> 3) for the life of me I can't figure out how to do this. I >> see the >> artifacts here: >> https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ >> >> On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher >> wrote: >>> >>> Doing this now, thanks >>> >>> >>> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla >>> wrote: Hey Jonathan, if you want to do the re-roll, you need to: (1) drop the staging repo (2) drop the tag (3) drop the staged binaries in dist/dev (4) do the re-roll (as with the release before) I will fix the release notes regarding 9.0.82. Just give me a ping, if we can start a new vote. Gruß Richard Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla : > Don't worry about the side thing ;-) - it can even > wait until the vote > is other. > > You can see an example for it here: [1] > > I'll check the signatures and if that looks good, I am > going to start > the vote for you. > > Thnaks, Jonathan!! > > > [1] > https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb > Jonathan S. Fisher: >> A... just kidding, I need to do the tomee-site- >> generator thing. >> I'll have to figure that out or do it by hand. >> >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher >> wrote: >>> > > >>> Awesome! Thank you! >>> >>> I've pushed the tag, the binaries are uploaded, >>> release notes are >>> now >>> generated. Please double check my tag! >>> https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >>> >>> If everything is all good, yes please and thank >>> you, call the vote! >>> >>> On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla >>> >>> wrote: FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks ok (so no need to worry about). Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard Zowalla: > Regarding (1): > > You can run grype on the lib folder [1] and > check the output. > There will be some false-positive entries but > if you missed > something > really important, it should appear there. > > With the ActiveMQ upgrade I do not expect > anything unforseen > though > ;-) > > Gruß > Richard > > > > [1] https://github.com/anchore/grype > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 > schrieb Jonathan > S. > Fisher: >> Richard, thank you sir; I assigned that >> ticket to myself. If
Re: 8.0.16 release
I will take care of it, so we can start the vote. Have fun @ KC Chiefs play, Jonathan. Many thanks for re-doing the release. Am Sonntag, dem 29.10.2023 um 19:06 +0100 schrieb Richard Zowalla: > https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/ > seems to be empty? > > Am 29. Oktober 2023 18:45:06 MEZ schrieb "Jonathan S. Fisher" > : > > Done. > > > > Staging repo is closed. > > > > Artifacts uploaded here: > > https://dist.apache.org/repos/dist/dev/tomee/staging-1223 > > > > tomee-8.x pushed > > > > Tag pushed: > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > > > On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher > > wrote: > > > > > > Perfect thanks, that is done. > > > > > > New release is building and uploading. I checked the bom poms > > > before I > > > started. KC Chiefs play in a few hours so I'm hoping to have it > > > ready > > > before then. > > > > > > > > > On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla > > > wrote: > > > > > > > > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, > > > > run an SVN delete in staging-1222 and commit :-) > > > > > > > > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" > > > > : > > > > > 1) Logged into Nexus, clicked "drop repo" > > > > > 2) git tag -d from the command line, went into github, also > > > > > deleted the tag > > > > > 3) for the life of me I can't figure out how to do this. I > > > > > see the > > > > > artifacts here: > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ > > > > > > > > > > On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher > > > > > wrote: > > > > > > > > > > > > Doing this now, thanks > > > > > > > > > > > > > > > > > > On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla > > > > > > wrote: > > > > > > > > > > > > > > Hey Jonathan, > > > > > > > > > > > > > > if you want to do the re-roll, you need to: > > > > > > > > > > > > > > (1) drop the staging repo > > > > > > > (2) drop the tag > > > > > > > (3) drop the staged binaries in dist/dev > > > > > > > (4) do the re-roll (as with the release before) > > > > > > > > > > > > > > I will fix the release notes regarding 9.0.82. Just give > > > > > > > me a ping, if we can start a new vote. > > > > > > > > > > > > > > Gruß > > > > > > > Richard > > > > > > > > > > > > > > > > > > > > > > > > > > > > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla > > > > > > > : > > > > > > > > Don't worry about the side thing ;-) - it can even > > > > > > > > wait until the vote > > > > > > > > is other. > > > > > > > > > > > > > > > > You can see an example for it here: [1] > > > > > > > > > > > > > > > > I'll check the signatures and if that looks good, I am > > > > > > > > going to start > > > > > > > > the vote for you. > > > > > > > > > > > > > > > > Thnaks, Jonathan!! > > > > > > > > > > > > > > > > > > > > > > > > [1] > > > > > > > > https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > > > > > > > > > > > > > > > Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb > > > > > > > > Jonathan S. Fisher: > > > > > > > > > A... just kidding, I need to do the tomee-site- > > > > > > > > > generator thing. > > > > > > > > > I'll have to figure that out or do it by hand. > > > > > > > > > > > > > > > > > > On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Awesome! Thank you! > > > > > > > > > > > > > > > > > > > > I've pushed the tag, the binaries are uploaded, > > > > > > > > > > release notes are > > > > > > > > > > now > > > > > > > > > > generated. Please double check my tag! > > > > > > > > > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > > > > > > > > > > > > > > > > > > > If everything is all good, yes please and thank > > > > > > > > > > you, call the vote! > > > > > > > > > > > > > > > > > > > > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > > > > > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > FYI: Just did it on the staged 8.0.16 version on > > > > > > > > > > > dist/dev. Looks > > > > > > > > > > > ok (so > > > > > > > > > > > no need to worry about). > > > > > > > > > > > > > > > > > > > > > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb > > > > > > > > > > > Richard > > > > > > > > > > > Zowalla: > > > > > > > > > > > > Regarding (1): > > > > > > > > > > > > > > > > > > > > > > > > You can run grype on the lib folder [1] and > > > > > > > > > > > > check the output. > > > > > > > > > > > > There will be some false-positive entries but > > > > > > > > > > > > if you missed > > > > > > > > > > > > something > > > > > > > > > > > > really important, it should appear there. > > > > > > > > > > > > > > > > > > > > > > > > With the ActiveMQ upgrade I do not expect > > > > > > > > > > > > anything unforseen > > > > > > > > > > > >
Re: 8.0.16 release
https://dist.apache.org/repos/dist/dev/tomee/staging-1223/tomee-8.0.16/ seems to be empty? Am 29. Oktober 2023 18:45:06 MEZ schrieb "Jonathan S. Fisher" : >Done. > >Staging repo is closed. > >Artifacts uploaded here: >https://dist.apache.org/repos/dist/dev/tomee/staging-1223 > >tomee-8.x pushed > >Tag pushed: https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > >On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher wrote: >> >> Perfect thanks, that is done. >> >> New release is building and uploading. I checked the bom poms before I >> started. KC Chiefs play in a few hours so I'm hoping to have it ready >> before then. >> >> >> On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla wrote: >> > >> > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, run an SVN >> > delete in staging-1222 and commit :-) >> > >> > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" >> > : >> > >1) Logged into Nexus, clicked "drop repo" >> > >2) git tag -d from the command line, went into github, also deleted the >> > >tag >> > >3) for the life of me I can't figure out how to do this. I see the >> > >artifacts here: >> > >https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ >> > > >> > >On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher >> > >wrote: >> > >> >> > >> Doing this now, thanks >> > >> >> > >> >> > >> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla >> > >> wrote: >> > >> > >> > >> > Hey Jonathan, >> > >> > >> > >> > if you want to do the re-roll, you need to: >> > >> > >> > >> > (1) drop the staging repo >> > >> > (2) drop the tag >> > >> > (3) drop the staged binaries in dist/dev >> > >> > (4) do the re-roll (as with the release before) >> > >> > >> > >> > I will fix the release notes regarding 9.0.82. Just give me a ping, >> > >> > if we can start a new vote. >> > >> > >> > >> > Gruß >> > >> > Richard >> > >> > >> > >> > >> > >> > >> > >> > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla >> > >> > : >> > >> > >Don't worry about the side thing ;-) - it can even wait until the >> > >> > >vote >> > >> > >is other. >> > >> > > >> > >> > >You can see an example for it here: [1] >> > >> > > >> > >> > >I'll check the signatures and if that looks good, I am going to start >> > >> > >the vote for you. >> > >> > > >> > >> > >Thnaks, Jonathan!! >> > >> > > >> > >> > > >> > >> > >[1] >> > >> > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe >> > >> > > >> > >> > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: >> > >> > >> A... just kidding, I need to do the tomee-site-generator thing. >> > >> > >> I'll have to figure that out or do it by hand. >> > >> > >> >> > >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher >> > >> > >> wrote: >> > >> > >> > >> > >> > > >> > >> > > >> > >> > >> > Awesome! Thank you! >> > >> > >> > >> > >> > >> > I've pushed the tag, the binaries are uploaded, release notes are >> > >> > >> > now >> > >> > >> > generated. Please double check my tag! >> > >> > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >> > >> > >> > >> > >> > >> > If everything is all good, yes please and thank you, call the >> > >> > >> > vote! >> > >> > >> > >> > >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla >> > >> > >> > wrote: >> > >> > >> > > >> > >> > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. >> > >> > >> > > Looks >> > >> > >> > > ok (so >> > >> > >> > > no need to worry about). >> > >> > >> > > >> > >> > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard >> > >> > >> > > Zowalla: >> > >> > >> > > > Regarding (1): >> > >> > >> > > > >> > >> > >> > > > You can run grype on the lib folder [1] and check the output. >> > >> > >> > > > There will be some false-positive entries but if you missed >> > >> > >> > > > something >> > >> > >> > > > really important, it should appear there. >> > >> > >> > > > >> > >> > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen >> > >> > >> > > > though >> > >> > >> > > > ;-) >> > >> > >> > > > >> > >> > >> > > > Gruß >> > >> > >> > > > Richard >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > [1] https://github.com/anchore/grype >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan >> > >> > >> > > > S. >> > >> > >> > > > Fisher: >> > >> > >> > > > > Richard, thank you sir; I assigned that ticket to myself. >> > >> > >> > > > > If >> > >> > >> > > > > anyone >> > >> > >> > > > > else is aware of anything else I can upgrade before >> > >> > >> > > > > release, >> > >> > >> > > > > please >> > >> > >> > > > > speak up :) >> > >> > >> > > > > >> > >> > >> > > > > Also good news: for whatever reason, I'm able to build >> > >> > >> > > > > tomee-release-tools now. The atlassian maven repository hit >> > >> > >> > > > > me with >> > >> > >> > > > > a >> > >> > >> > > > >
Re: 8.0.16 release
Alright. Will do some checks later and start a new vote. Thanks! Am 29. Oktober 2023 18:45:06 MEZ schrieb "Jonathan S. Fisher" : >Done. > >Staging repo is closed. > >Artifacts uploaded here: >https://dist.apache.org/repos/dist/dev/tomee/staging-1223 > >tomee-8.x pushed > >Tag pushed: https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > >On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher wrote: >> >> Perfect thanks, that is done. >> >> New release is building and uploading. I checked the bom poms before I >> started. KC Chiefs play in a few hours so I'm hoping to have it ready >> before then. >> >> >> On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla wrote: >> > >> > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, run an SVN >> > delete in staging-1222 and commit :-) >> > >> > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" >> > : >> > >1) Logged into Nexus, clicked "drop repo" >> > >2) git tag -d from the command line, went into github, also deleted the >> > >tag >> > >3) for the life of me I can't figure out how to do this. I see the >> > >artifacts here: >> > >https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ >> > > >> > >On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher >> > >wrote: >> > >> >> > >> Doing this now, thanks >> > >> >> > >> >> > >> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla >> > >> wrote: >> > >> > >> > >> > Hey Jonathan, >> > >> > >> > >> > if you want to do the re-roll, you need to: >> > >> > >> > >> > (1) drop the staging repo >> > >> > (2) drop the tag >> > >> > (3) drop the staged binaries in dist/dev >> > >> > (4) do the re-roll (as with the release before) >> > >> > >> > >> > I will fix the release notes regarding 9.0.82. Just give me a ping, >> > >> > if we can start a new vote. >> > >> > >> > >> > Gruß >> > >> > Richard >> > >> > >> > >> > >> > >> > >> > >> > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla >> > >> > : >> > >> > >Don't worry about the side thing ;-) - it can even wait until the >> > >> > >vote >> > >> > >is other. >> > >> > > >> > >> > >You can see an example for it here: [1] >> > >> > > >> > >> > >I'll check the signatures and if that looks good, I am going to start >> > >> > >the vote for you. >> > >> > > >> > >> > >Thnaks, Jonathan!! >> > >> > > >> > >> > > >> > >> > >[1] >> > >> > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe >> > >> > > >> > >> > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: >> > >> > >> A... just kidding, I need to do the tomee-site-generator thing. >> > >> > >> I'll have to figure that out or do it by hand. >> > >> > >> >> > >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher >> > >> > >> wrote: >> > >> > >> > >> > >> > > >> > >> > > >> > >> > >> > Awesome! Thank you! >> > >> > >> > >> > >> > >> > I've pushed the tag, the binaries are uploaded, release notes are >> > >> > >> > now >> > >> > >> > generated. Please double check my tag! >> > >> > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >> > >> > >> > >> > >> > >> > If everything is all good, yes please and thank you, call the >> > >> > >> > vote! >> > >> > >> > >> > >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla >> > >> > >> > wrote: >> > >> > >> > > >> > >> > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. >> > >> > >> > > Looks >> > >> > >> > > ok (so >> > >> > >> > > no need to worry about). >> > >> > >> > > >> > >> > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard >> > >> > >> > > Zowalla: >> > >> > >> > > > Regarding (1): >> > >> > >> > > > >> > >> > >> > > > You can run grype on the lib folder [1] and check the output. >> > >> > >> > > > There will be some false-positive entries but if you missed >> > >> > >> > > > something >> > >> > >> > > > really important, it should appear there. >> > >> > >> > > > >> > >> > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen >> > >> > >> > > > though >> > >> > >> > > > ;-) >> > >> > >> > > > >> > >> > >> > > > Gruß >> > >> > >> > > > Richard >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > [1] https://github.com/anchore/grype >> > >> > >> > > > >> > >> > >> > > > >> > >> > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan >> > >> > >> > > > S. >> > >> > >> > > > Fisher: >> > >> > >> > > > > Richard, thank you sir; I assigned that ticket to myself. >> > >> > >> > > > > If >> > >> > >> > > > > anyone >> > >> > >> > > > > else is aware of anything else I can upgrade before >> > >> > >> > > > > release, >> > >> > >> > > > > please >> > >> > >> > > > > speak up :) >> > >> > >> > > > > >> > >> > >> > > > > Also good news: for whatever reason, I'm able to build >> > >> > >> > > > > tomee-release-tools now. The atlassian maven repository hit >> > >> > >> > > > > me with >> > >> > >> > > > > a >> > >> > >> > > > > rate limit briefly but it
Re: 8.0.16 release
Done. Staging repo is closed. Artifacts uploaded here: https://dist.apache.org/repos/dist/dev/tomee/staging-1223 tomee-8.x pushed Tag pushed: https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 On Sun, Oct 29, 2023 at 12:08 PM Jonathan S. Fisher wrote: > > Perfect thanks, that is done. > > New release is building and uploading. I checked the bom poms before I > started. KC Chiefs play in a few hours so I'm hoping to have it ready > before then. > > > On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla wrote: > > > > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, run an SVN > > delete in staging-1222 and commit :-) > > > > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" > > : > > >1) Logged into Nexus, clicked "drop repo" > > >2) git tag -d from the command line, went into github, also deleted the tag > > >3) for the life of me I can't figure out how to do this. I see the > > >artifacts here: > > >https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ > > > > > >On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher > > >wrote: > > >> > > >> Doing this now, thanks > > >> > > >> > > >> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla > > >> wrote: > > >> > > > >> > Hey Jonathan, > > >> > > > >> > if you want to do the re-roll, you need to: > > >> > > > >> > (1) drop the staging repo > > >> > (2) drop the tag > > >> > (3) drop the staged binaries in dist/dev > > >> > (4) do the re-roll (as with the release before) > > >> > > > >> > I will fix the release notes regarding 9.0.82. Just give me a ping, if > > >> > we can start a new vote. > > >> > > > >> > Gruß > > >> > Richard > > >> > > > >> > > > >> > > > >> > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla > > >> > : > > >> > >Don't worry about the side thing ;-) - it can even wait until the > > >> > >vote > > >> > >is other. > > >> > > > > >> > >You can see an example for it here: [1] > > >> > > > > >> > >I'll check the signatures and if that looks good, I am going to start > > >> > >the vote for you. > > >> > > > > >> > >Thnaks, Jonathan!! > > >> > > > > >> > > > > >> > >[1] > > >> > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > >> > > > > >> > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: > > >> > >> A... just kidding, I need to do the tomee-site-generator thing. > > >> > >> I'll have to figure that out or do it by hand. > > >> > >> > > >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > > >> > >> wrote: > > >> > >> > > > >> > > > > >> > > > > >> > >> > Awesome! Thank you! > > >> > >> > > > >> > >> > I've pushed the tag, the binaries are uploaded, release notes are > > >> > >> > now > > >> > >> > generated. Please double check my tag! > > >> > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > >> > >> > > > >> > >> > If everything is all good, yes please and thank you, call the > > >> > >> > vote! > > >> > >> > > > >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > > >> > >> > wrote: > > >> > >> > > > > >> > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks > > >> > >> > > ok (so > > >> > >> > > no need to worry about). > > >> > >> > > > > >> > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard > > >> > >> > > Zowalla: > > >> > >> > > > Regarding (1): > > >> > >> > > > > > >> > >> > > > You can run grype on the lib folder [1] and check the output. > > >> > >> > > > There will be some false-positive entries but if you missed > > >> > >> > > > something > > >> > >> > > > really important, it should appear there. > > >> > >> > > > > > >> > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen > > >> > >> > > > though > > >> > >> > > > ;-) > > >> > >> > > > > > >> > >> > > > Gruß > > >> > >> > > > Richard > > >> > >> > > > > > >> > >> > > > > > >> > >> > > > > > >> > >> > > > [1] https://github.com/anchore/grype > > >> > >> > > > > > >> > >> > > > > > >> > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan > > >> > >> > > > S. > > >> > >> > > > Fisher: > > >> > >> > > > > Richard, thank you sir; I assigned that ticket to myself. If > > >> > >> > > > > anyone > > >> > >> > > > > else is aware of anything else I can upgrade before release, > > >> > >> > > > > please > > >> > >> > > > > speak up :) > > >> > >> > > > > > > >> > >> > > > > Also good news: for whatever reason, I'm able to build > > >> > >> > > > > tomee-release-tools now. The atlassian maven repository hit > > >> > >> > > > > me with > > >> > >> > > > > a > > >> > >> > > > > rate limit briefly but it seems to have lifted. > > >> > >> > > > > > > >> > >> > > > > I have three questions at this point in time: > > >> > >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > >> > >> > > > > CVE's? > > >> > >> > > > > 2. Are there CVEs we ignore? (basically ones that are > > >> > >> > > > > present > > >> > >> > > > >
Re: 8.0.16 release
Perfect thanks, that is done. New release is building and uploading. I checked the bom poms before I started. KC Chiefs play in a few hours so I'm hoping to have it ready before then. On Sun, Oct 29, 2023 at 11:41 AM Richard Zowalla wrote: > > Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, run an SVN > delete in staging-1222 and commit :-) > > Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" > : > >1) Logged into Nexus, clicked "drop repo" > >2) git tag -d from the command line, went into github, also deleted the tag > >3) for the life of me I can't figure out how to do this. I see the > >artifacts here: > >https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ > > > >On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher > >wrote: > >> > >> Doing this now, thanks > >> > >> > >> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla > >> wrote: > >> > > >> > Hey Jonathan, > >> > > >> > if you want to do the re-roll, you need to: > >> > > >> > (1) drop the staging repo > >> > (2) drop the tag > >> > (3) drop the staged binaries in dist/dev > >> > (4) do the re-roll (as with the release before) > >> > > >> > I will fix the release notes regarding 9.0.82. Just give me a ping, if > >> > we can start a new vote. > >> > > >> > Gruß > >> > Richard > >> > > >> > > >> > > >> > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla > >> > : > >> > >Don't worry about the side thing ;-) - it can even wait until the vote > >> > >is other. > >> > > > >> > >You can see an example for it here: [1] > >> > > > >> > >I'll check the signatures and if that looks good, I am going to start > >> > >the vote for you. > >> > > > >> > >Thnaks, Jonathan!! > >> > > > >> > > > >> > >[1] > >> > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > >> > > > >> > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: > >> > >> A... just kidding, I need to do the tomee-site-generator thing. > >> > >> I'll have to figure that out or do it by hand. > >> > >> > >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > >> > >> wrote: > >> > >> > > >> > > > >> > > > >> > >> > Awesome! Thank you! > >> > >> > > >> > >> > I've pushed the tag, the binaries are uploaded, release notes are > >> > >> > now > >> > >> > generated. Please double check my tag! > >> > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > >> > >> > > >> > >> > If everything is all good, yes please and thank you, call the vote! > >> > >> > > >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > >> > >> > wrote: > >> > >> > > > >> > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks > >> > >> > > ok (so > >> > >> > > no need to worry about). > >> > >> > > > >> > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard > >> > >> > > Zowalla: > >> > >> > > > Regarding (1): > >> > >> > > > > >> > >> > > > You can run grype on the lib folder [1] and check the output. > >> > >> > > > There will be some false-positive entries but if you missed > >> > >> > > > something > >> > >> > > > really important, it should appear there. > >> > >> > > > > >> > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen > >> > >> > > > though > >> > >> > > > ;-) > >> > >> > > > > >> > >> > > > Gruß > >> > >> > > > Richard > >> > >> > > > > >> > >> > > > > >> > >> > > > > >> > >> > > > [1] https://github.com/anchore/grype > >> > >> > > > > >> > >> > > > > >> > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan > >> > >> > > > S. > >> > >> > > > Fisher: > >> > >> > > > > Richard, thank you sir; I assigned that ticket to myself. If > >> > >> > > > > anyone > >> > >> > > > > else is aware of anything else I can upgrade before release, > >> > >> > > > > please > >> > >> > > > > speak up :) > >> > >> > > > > > >> > >> > > > > Also good news: for whatever reason, I'm able to build > >> > >> > > > > tomee-release-tools now. The atlassian maven repository hit > >> > >> > > > > me with > >> > >> > > > > a > >> > >> > > > > rate limit briefly but it seems to have lifted. > >> > >> > > > > > >> > >> > > > > I have three questions at this point in time: > >> > >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > >> > >> > > > > CVE's? > >> > >> > > > > 2. Are there CVEs we ignore? (basically ones that are present > >> > >> > > > > but > >> > >> > > > > don't apply to us) > >> > >> > > > > 3. I ran a build locally and got two test failures. Looks > >> > >> > > > > like CI > >> > >> > > > > did > >> > >> > > > > too: > >> > >> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > >> > >> > > > > > >> > >> > > > > It doesn't look related to the EclipseLink change unless I > >> > >> > > > > screwed > >> > >> > > > > the > >> > >> > > > > pooch on something. Are these known issues by chance? > >> > >> > > > > > >> > >> > > > > On Thu, Oct 26, 2023 at
Re: 8.0.16 release
Checkout https://dist.apache.org/repos/dist/dev/tomee/ via SVN, run an SVN delete in staging-1222 and commit :-) Am 29. Oktober 2023 17:34:47 MEZ schrieb "Jonathan S. Fisher" : >1) Logged into Nexus, clicked "drop repo" >2) git tag -d from the command line, went into github, also deleted the tag >3) for the life of me I can't figure out how to do this. I see the >artifacts here: >https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ > >On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher wrote: >> >> Doing this now, thanks >> >> >> On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla wrote: >> > >> > Hey Jonathan, >> > >> > if you want to do the re-roll, you need to: >> > >> > (1) drop the staging repo >> > (2) drop the tag >> > (3) drop the staged binaries in dist/dev >> > (4) do the re-roll (as with the release before) >> > >> > I will fix the release notes regarding 9.0.82. Just give me a ping, if we >> > can start a new vote. >> > >> > Gruß >> > Richard >> > >> > >> > >> > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla >> > : >> > >Don't worry about the side thing ;-) - it can even wait until the vote >> > >is other. >> > > >> > >You can see an example for it here: [1] >> > > >> > >I'll check the signatures and if that looks good, I am going to start >> > >the vote for you. >> > > >> > >Thnaks, Jonathan!! >> > > >> > > >> > >[1] >> > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe >> > > >> > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: >> > >> A... just kidding, I need to do the tomee-site-generator thing. >> > >> I'll have to figure that out or do it by hand. >> > >> >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher >> > >> wrote: >> > >> > >> > > >> > > >> > >> > Awesome! Thank you! >> > >> > >> > >> > I've pushed the tag, the binaries are uploaded, release notes are >> > >> > now >> > >> > generated. Please double check my tag! >> > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >> > >> > >> > >> > If everything is all good, yes please and thank you, call the vote! >> > >> > >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla >> > >> > wrote: >> > >> > > >> > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks >> > >> > > ok (so >> > >> > > no need to worry about). >> > >> > > >> > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard >> > >> > > Zowalla: >> > >> > > > Regarding (1): >> > >> > > > >> > >> > > > You can run grype on the lib folder [1] and check the output. >> > >> > > > There will be some false-positive entries but if you missed >> > >> > > > something >> > >> > > > really important, it should appear there. >> > >> > > > >> > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen >> > >> > > > though >> > >> > > > ;-) >> > >> > > > >> > >> > > > Gruß >> > >> > > > Richard >> > >> > > > >> > >> > > > >> > >> > > > >> > >> > > > [1] https://github.com/anchore/grype >> > >> > > > >> > >> > > > >> > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan >> > >> > > > S. >> > >> > > > Fisher: >> > >> > > > > Richard, thank you sir; I assigned that ticket to myself. If >> > >> > > > > anyone >> > >> > > > > else is aware of anything else I can upgrade before release, >> > >> > > > > please >> > >> > > > > speak up :) >> > >> > > > > >> > >> > > > > Also good news: for whatever reason, I'm able to build >> > >> > > > > tomee-release-tools now. The atlassian maven repository hit >> > >> > > > > me with >> > >> > > > > a >> > >> > > > > rate limit briefly but it seems to have lifted. >> > >> > > > > >> > >> > > > > I have three questions at this point in time: >> > >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for >> > >> > > > > CVE's? >> > >> > > > > 2. Are there CVEs we ignore? (basically ones that are present >> > >> > > > > but >> > >> > > > > don't apply to us) >> > >> > > > > 3. I ran a build locally and got two test failures. Looks >> > >> > > > > like CI >> > >> > > > > did >> > >> > > > > too: >> > >> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ >> > >> > > > > >> > >> > > > > It doesn't look related to the EclipseLink change unless I >> > >> > > > > screwed >> > >> > > > > the >> > >> > > > > pooch on something. Are these known issues by chance? >> > >> > > > > >> > >> > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla >> > >> > > > > >> > >> > > > > wrote: >> > >> > > > > > >> > >> > > > > > Might be relevant for your release preperations: >> > >> > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 >> > >> > > > > > >> > >> > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. >> > >> > > > > > Fisher" >> > >> > > > > > : >> > >> > > > > > > Thank you, eclipselink has been updated and boms also >> > >> > > > > > > updated. >> > >> > > > > > > >> > >> > > > > > > Are the tomee release
Re: 8.0.16 release
1) Logged into Nexus, clicked "drop repo" 2) git tag -d from the command line, went into github, also deleted the tag 3) for the life of me I can't figure out how to do this. I see the artifacts here: https://dist.apache.org/repos/dist/dev/tomee/staging-1222/ On Sun, Oct 29, 2023 at 11:06 AM Jonathan S. Fisher wrote: > > Doing this now, thanks > > > On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla wrote: > > > > Hey Jonathan, > > > > if you want to do the re-roll, you need to: > > > > (1) drop the staging repo > > (2) drop the tag > > (3) drop the staged binaries in dist/dev > > (4) do the re-roll (as with the release before) > > > > I will fix the release notes regarding 9.0.82. Just give me a ping, if we > > can start a new vote. > > > > Gruß > > Richard > > > > > > > > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla > > : > > >Don't worry about the side thing ;-) - it can even wait until the vote > > >is other. > > > > > >You can see an example for it here: [1] > > > > > >I'll check the signatures and if that looks good, I am going to start > > >the vote for you. > > > > > >Thnaks, Jonathan!! > > > > > > > > >[1] > > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > > > > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: > > >> A... just kidding, I need to do the tomee-site-generator thing. > > >> I'll have to figure that out or do it by hand. > > >> > > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > > >> wrote: > > >> > > > > > > > > > >> > Awesome! Thank you! > > >> > > > >> > I've pushed the tag, the binaries are uploaded, release notes are > > >> > now > > >> > generated. Please double check my tag! > > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > >> > > > >> > If everything is all good, yes please and thank you, call the vote! > > >> > > > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > > >> > wrote: > > >> > > > > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks > > >> > > ok (so > > >> > > no need to worry about). > > >> > > > > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard > > >> > > Zowalla: > > >> > > > Regarding (1): > > >> > > > > > >> > > > You can run grype on the lib folder [1] and check the output. > > >> > > > There will be some false-positive entries but if you missed > > >> > > > something > > >> > > > really important, it should appear there. > > >> > > > > > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen > > >> > > > though > > >> > > > ;-) > > >> > > > > > >> > > > Gruß > > >> > > > Richard > > >> > > > > > >> > > > > > >> > > > > > >> > > > [1] https://github.com/anchore/grype > > >> > > > > > >> > > > > > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan > > >> > > > S. > > >> > > > Fisher: > > >> > > > > Richard, thank you sir; I assigned that ticket to myself. If > > >> > > > > anyone > > >> > > > > else is aware of anything else I can upgrade before release, > > >> > > > > please > > >> > > > > speak up :) > > >> > > > > > > >> > > > > Also good news: for whatever reason, I'm able to build > > >> > > > > tomee-release-tools now. The atlassian maven repository hit > > >> > > > > me with > > >> > > > > a > > >> > > > > rate limit briefly but it seems to have lifted. > > >> > > > > > > >> > > > > I have three questions at this point in time: > > >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > >> > > > > CVE's? > > >> > > > > 2. Are there CVEs we ignore? (basically ones that are present > > >> > > > > but > > >> > > > > don't apply to us) > > >> > > > > 3. I ran a build locally and got two test failures. Looks > > >> > > > > like CI > > >> > > > > did > > >> > > > > too: > > >> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > >> > > > > > > >> > > > > It doesn't look related to the EclipseLink change unless I > > >> > > > > screwed > > >> > > > > the > > >> > > > > pooch on something. Are these known issues by chance? > > >> > > > > > > >> > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > >> > > > > > > >> > > > > wrote: > > >> > > > > > > > >> > > > > > Might be relevant for your release preperations: > > >> > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > >> > > > > > > > >> > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > > >> > > > > > Fisher" > > >> > > > > > : > > >> > > > > > > Thank you, eclipselink has been updated and boms also > > >> > > > > > > updated. > > >> > > > > > > > > >> > > > > > > Are the tomee release tools still needed? > > >> > > > > > > > > >> > > > > > > [ERROR] Failed to execute goal on project release-tools: > > >> > > > > > > Could > > >> > > > > > > not > > >> > > > > > > resolve dependencies for project > > >> > > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > >> > > > > > > Failed >
Re: 8.0.16 release
Doing this now, thanks On Sun, Oct 29, 2023 at 10:46 AM Richard Zowalla wrote: > > Hey Jonathan, > > if you want to do the re-roll, you need to: > > (1) drop the staging repo > (2) drop the tag > (3) drop the staged binaries in dist/dev > (4) do the re-roll (as with the release before) > > I will fix the release notes regarding 9.0.82. Just give me a ping, if we can > start a new vote. > > Gruß > Richard > > > > Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla > : > >Don't worry about the side thing ;-) - it can even wait until the vote > >is other. > > > >You can see an example for it here: [1] > > > >I'll check the signatures and if that looks good, I am going to start > >the vote for you. > > > >Thnaks, Jonathan!! > > > > > >[1] > >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > > > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: > >> A... just kidding, I need to do the tomee-site-generator thing. > >> I'll have to figure that out or do it by hand. > >> > >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > >> wrote: > >> > > > > > > >> > Awesome! Thank you! > >> > > >> > I've pushed the tag, the binaries are uploaded, release notes are > >> > now > >> > generated. Please double check my tag! > >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > >> > > >> > If everything is all good, yes please and thank you, call the vote! > >> > > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > >> > wrote: > >> > > > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks > >> > > ok (so > >> > > no need to worry about). > >> > > > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard > >> > > Zowalla: > >> > > > Regarding (1): > >> > > > > >> > > > You can run grype on the lib folder [1] and check the output. > >> > > > There will be some false-positive entries but if you missed > >> > > > something > >> > > > really important, it should appear there. > >> > > > > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen > >> > > > though > >> > > > ;-) > >> > > > > >> > > > Gruß > >> > > > Richard > >> > > > > >> > > > > >> > > > > >> > > > [1] https://github.com/anchore/grype > >> > > > > >> > > > > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan > >> > > > S. > >> > > > Fisher: > >> > > > > Richard, thank you sir; I assigned that ticket to myself. If > >> > > > > anyone > >> > > > > else is aware of anything else I can upgrade before release, > >> > > > > please > >> > > > > speak up :) > >> > > > > > >> > > > > Also good news: for whatever reason, I'm able to build > >> > > > > tomee-release-tools now. The atlassian maven repository hit > >> > > > > me with > >> > > > > a > >> > > > > rate limit briefly but it seems to have lifted. > >> > > > > > >> > > > > I have three questions at this point in time: > >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > >> > > > > CVE's? > >> > > > > 2. Are there CVEs we ignore? (basically ones that are present > >> > > > > but > >> > > > > don't apply to us) > >> > > > > 3. I ran a build locally and got two test failures. Looks > >> > > > > like CI > >> > > > > did > >> > > > > too: > >> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > >> > > > > > >> > > > > It doesn't look related to the EclipseLink change unless I > >> > > > > screwed > >> > > > > the > >> > > > > pooch on something. Are these known issues by chance? > >> > > > > > >> > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > >> > > > > > >> > > > > wrote: > >> > > > > > > >> > > > > > Might be relevant for your release preperations: > >> > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > >> > > > > > > >> > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > >> > > > > > Fisher" > >> > > > > > : > >> > > > > > > Thank you, eclipselink has been updated and boms also > >> > > > > > > updated. > >> > > > > > > > >> > > > > > > Are the tomee release tools still needed? > >> > > > > > > > >> > > > > > > [ERROR] Failed to execute goal on project release-tools: > >> > > > > > > Could > >> > > > > > > not > >> > > > > > > resolve dependencies for project > >> > > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > >> > > > > > > Failed > >> > > > > > > to > >> > > > > > > collect dependencies at org.tomitribe.jamira:jamira- > >> > > > > > > core:jar:0.4 > >> > > > > > > -> > >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > >> > > > > > > Failed > >> > > > > > > to > >> > > > > > > read > >> > > > > > > artifact descriptor for > >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > >> > > > > > > The > >> > > > > > > following > >> > > > > > > artifacts could not be resolved: > >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > >> > > > > > > (absent): > >> >
Re: 8.0.16 release
Hey Jonathan, if you want to do the re-roll, you need to: (1) drop the staging repo (2) drop the tag (3) drop the staged binaries in dist/dev (4) do the re-roll (as with the release before) I will fix the release notes regarding 9.0.82. Just give me a ping, if we can start a new vote. Gruß Richard Am 28. Oktober 2023 21:02:52 MESZ schrieb Richard Zowalla : >Don't worry about the side thing ;-) - it can even wait until the vote >is other. > >You can see an example for it here: [1] > >I'll check the signatures and if that looks good, I am going to start >the vote for you. > >Thnaks, Jonathan!! > > >[1] >https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe > >Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: >> A... just kidding, I need to do the tomee-site-generator thing. >> I'll have to figure that out or do it by hand. >> >> On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher >> wrote: >> > > > >> > Awesome! Thank you! >> > >> > I've pushed the tag, the binaries are uploaded, release notes are >> > now >> > generated. Please double check my tag! >> > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 >> > >> > If everything is all good, yes please and thank you, call the vote! >> > >> > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla >> > wrote: >> > > >> > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks >> > > ok (so >> > > no need to worry about). >> > > >> > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard >> > > Zowalla: >> > > > Regarding (1): >> > > > >> > > > You can run grype on the lib folder [1] and check the output. >> > > > There will be some false-positive entries but if you missed >> > > > something >> > > > really important, it should appear there. >> > > > >> > > > With the ActiveMQ upgrade I do not expect anything unforseen >> > > > though >> > > > ;-) >> > > > >> > > > Gruß >> > > > Richard >> > > > >> > > > >> > > > >> > > > [1] https://github.com/anchore/grype >> > > > >> > > > >> > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan >> > > > S. >> > > > Fisher: >> > > > > Richard, thank you sir; I assigned that ticket to myself. If >> > > > > anyone >> > > > > else is aware of anything else I can upgrade before release, >> > > > > please >> > > > > speak up :) >> > > > > >> > > > > Also good news: for whatever reason, I'm able to build >> > > > > tomee-release-tools now. The atlassian maven repository hit >> > > > > me with >> > > > > a >> > > > > rate limit briefly but it seems to have lifted. >> > > > > >> > > > > I have three questions at this point in time: >> > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for >> > > > > CVE's? >> > > > > 2. Are there CVEs we ignore? (basically ones that are present >> > > > > but >> > > > > don't apply to us) >> > > > > 3. I ran a build locally and got two test failures. Looks >> > > > > like CI >> > > > > did >> > > > > too: >> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ >> > > > > >> > > > > It doesn't look related to the EclipseLink change unless I >> > > > > screwed >> > > > > the >> > > > > pooch on something. Are these known issues by chance? >> > > > > >> > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla >> > > > > >> > > > > wrote: >> > > > > > >> > > > > > Might be relevant for your release preperations: >> > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 >> > > > > > >> > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. >> > > > > > Fisher" >> > > > > > : >> > > > > > > Thank you, eclipselink has been updated and boms also >> > > > > > > updated. >> > > > > > > >> > > > > > > Are the tomee release tools still needed? >> > > > > > > >> > > > > > > [ERROR] Failed to execute goal on project release-tools: >> > > > > > > Could >> > > > > > > not >> > > > > > > resolve dependencies for project >> > > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: >> > > > > > > Failed >> > > > > > > to >> > > > > > > collect dependencies at org.tomitribe.jamira:jamira- >> > > > > > > core:jar:0.4 >> > > > > > > -> >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: >> > > > > > > Failed >> > > > > > > to >> > > > > > > read >> > > > > > > artifact descriptor for >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: >> > > > > > > The >> > > > > > > following >> > > > > > > artifacts could not be resolved: >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 >> > > > > > > (absent): >> > > > > > > Could >> > > > > > > not transfer artifact >> > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 >> > > > > > > from/to >> > > > > > > atlassian >> > > > > > > ( >> > > > > > > https://maven.atlassian.com/content/repositories/atlassian-publi >> > > > > > > c/): >> > > > > > > status code: 429, reason phrase: Too Many
Re: 8.0.16 release
Don't worry about the side thing ;-) - it can even wait until the vote is other. You can see an example for it here: [1] I'll check the signatures and if that looks good, I am going to start the vote for you. Thnaks, Jonathan!! [1] https://github.com/apache/tomee-site-generator/commit/6798a27b06553a9e0818da9250ba5c5930ed0bbe Am Samstag, dem 28.10.2023 um 13:57 -0500 schrieb Jonathan S. Fisher: > A... just kidding, I need to do the tomee-site-generator thing. > I'll have to figure that out or do it by hand. > > On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher > wrote: > > > > Awesome! Thank you! > > > > I've pushed the tag, the binaries are uploaded, release notes are > > now > > generated. Please double check my tag! > > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > > > If everything is all good, yes please and thank you, call the vote! > > > > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla > > wrote: > > > > > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks > > > ok (so > > > no need to worry about). > > > > > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard > > > Zowalla: > > > > Regarding (1): > > > > > > > > You can run grype on the lib folder [1] and check the output. > > > > There will be some false-positive entries but if you missed > > > > something > > > > really important, it should appear there. > > > > > > > > With the ActiveMQ upgrade I do not expect anything unforseen > > > > though > > > > ;-) > > > > > > > > Gruß > > > > Richard > > > > > > > > > > > > > > > > [1] https://github.com/anchore/grype > > > > > > > > > > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan > > > > S. > > > > Fisher: > > > > > Richard, thank you sir; I assigned that ticket to myself. If > > > > > anyone > > > > > else is aware of anything else I can upgrade before release, > > > > > please > > > > > speak up :) > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > tomee-release-tools now. The atlassian maven repository hit > > > > > me with > > > > > a > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > I have three questions at this point in time: > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > > > > CVE's? > > > > > 2. Are there CVEs we ignore? (basically ones that are present > > > > > but > > > > > don't apply to us) > > > > > 3. I ran a build locally and got two test failures. Looks > > > > > like CI > > > > > did > > > > > too: > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > > > > > screwed > > > > > the > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > > > > > > > wrote: > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > > > > > > Fisher" > > > > > > : > > > > > > > Thank you, eclipselink has been updated and boms also > > > > > > > updated. > > > > > > > > > > > > > > Are the tomee release tools still needed? > > > > > > > > > > > > > > [ERROR] Failed to execute goal on project release-tools: > > > > > > > Could > > > > > > > not > > > > > > > resolve dependencies for project > > > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > > > > > > Failed > > > > > > > to > > > > > > > collect dependencies at org.tomitribe.jamira:jamira- > > > > > > > core:jar:0.4 > > > > > > > -> > > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > > > > > > Failed > > > > > > > to > > > > > > > read > > > > > > > artifact descriptor for > > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > > > > > > The > > > > > > > following > > > > > > > artifacts could not be resolved: > > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > > > > > (absent): > > > > > > > Could > > > > > > > not transfer artifact > > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > > > > > from/to > > > > > > > atlassian > > > > > > > ( > > > > > > > https://maven.atlassian.com/content/repositories/atlassian-publi > > > > > > > c/): > > > > > > > status code: 429, reason phrase: Too Many Requests (429) > > > > > > > -> > > > > > > > [Help > > > > > > > 1] > > > > > > > > > > > > > > I can't seem to get the artifacts from their Maven > > > > > > > repository > > > > > > > due > > > > > > > to > > > > > > > rate limiting unfortunately. > > > > > > > > > > > > > > > > > > > > > On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > Feel free to update 3rd party dependencies (make sure > > > > > > > > to > > > > > > > > create >
Re: 8.0.16 release
A... just kidding, I need to do the tomee-site-generator thing. I'll have to figure that out or do it by hand. On Sat, Oct 28, 2023 at 1:52 PM Jonathan S. Fisher wrote: > > Awesome! Thank you! > > I've pushed the tag, the binaries are uploaded, release notes are now > generated. Please double check my tag! > https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 > > If everything is all good, yes please and thank you, call the vote! > > On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla wrote: > > > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks ok (so > > no need to worry about). > > > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard Zowalla: > > > Regarding (1): > > > > > > You can run grype on the lib folder [1] and check the output. > > > There will be some false-positive entries but if you missed something > > > really important, it should appear there. > > > > > > With the ActiveMQ upgrade I do not expect anything unforseen though > > > ;-) > > > > > > Gruß > > > Richard > > > > > > > > > > > > [1] https://github.com/anchore/grype > > > > > > > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan S. > > > Fisher: > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > > else is aware of anything else I can upgrade before release, please > > > > speak up :) > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > tomee-release-tools now. The atlassian maven repository hit me with > > > > a > > > > rate limit briefly but it seems to have lifted. > > > > > > > > I have three questions at this point in time: > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > don't apply to us) > > > > 3. I ran a build locally and got two test failures. Looks like CI > > > > did > > > > too: > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > It doesn't look related to the EclipseLink change unless I screwed > > > > the > > > > pooch on something. Are these known issues by chance? > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > > > > > wrote: > > > > > > > > > > Might be relevant for your release preperations: > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > > > > : > > > > > > Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > Are the tomee release tools still needed? > > > > > > > > > > > > [ERROR] Failed to execute goal on project release-tools: Could > > > > > > not > > > > > > resolve dependencies for project > > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed > > > > > > to > > > > > > collect dependencies at org.tomitribe.jamira:jamira- > > > > > > core:jar:0.4 > > > > > > -> > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed > > > > > > to > > > > > > read > > > > > > artifact descriptor for > > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > > > > following > > > > > > artifacts could not be resolved: > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > > > > (absent): > > > > > > Could > > > > > > not transfer artifact > > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > atlassian > > > > > > ( > > > > > > https://maven.atlassian.com/content/repositories/atlassian-publi > > > > > > c/): > > > > > > status code: 429, reason phrase: Too Many Requests (429) -> > > > > > > [Help > > > > > > 1] > > > > > > > > > > > > I can't seem to get the artifacts from their Maven repository > > > > > > due > > > > > > to > > > > > > rate limiting unfortunately. > > > > > > > > > > > > > > > > > > On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > Feel free to update 3rd party dependencies (make sure to > > > > > > > create > > > > > > > a Jira, > > > > > > > so it gets into the release notes). To update the BOMs you > > > > > > > can > > > > > > > either > > > > > > > rely on the related GitHub action (will do it automatically > > > > > > > via > > > > > > > a PR) > > > > > > > or just run a quick build. > > > > > > > > > > > > > > > > > > > > > Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan > > > > > > > S. > > > > > > > Fisher: > > > > > > > > Richard: thank you sir, I see my key in there. > > > > > > > > Rod: Are the docker images part of the main build? I don't > > > > > > > > use Docker > > > > > > > > professionally, so I'm not very familiar with the whole > > > > > > > > process. > > > > > > > > > > > > > > > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > > > > > > > > > > > > Does anyone have an issue with me updating to eclipselink > > > > > > > > 2.7.13? > > > > > > > >
Re: 8.0.16 release
Awesome! Thank you! I've pushed the tag, the binaries are uploaded, release notes are now generated. Please double check my tag! https://github.com/apache/tomee/releases/tag/tomee-project-8.0.16 If everything is all good, yes please and thank you, call the vote! On Sat, Oct 28, 2023 at 1:42 PM Richard Zowalla wrote: > > FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks ok (so > no need to worry about). > > Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard Zowalla: > > Regarding (1): > > > > You can run grype on the lib folder [1] and check the output. > > There will be some false-positive entries but if you missed something > > really important, it should appear there. > > > > With the ActiveMQ upgrade I do not expect anything unforseen though > > ;-) > > > > Gruß > > Richard > > > > > > > > [1] https://github.com/anchore/grype > > > > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan S. > > Fisher: > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > else is aware of anything else I can upgrade before release, please > > > speak up :) > > > > > > Also good news: for whatever reason, I'm able to build > > > tomee-release-tools now. The atlassian maven repository hit me with > > > a > > > rate limit briefly but it seems to have lifted. > > > > > > I have three questions at this point in time: > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > don't apply to us) > > > 3. I ran a build locally and got two test failures. Looks like CI > > > did > > > too: > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > It doesn't look related to the EclipseLink change unless I screwed > > > the > > > pooch on something. Are these known issues by chance? > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > > > wrote: > > > > > > > > Might be relevant for your release preperations: > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > > > : > > > > > Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > Are the tomee release tools still needed? > > > > > > > > > > [ERROR] Failed to execute goal on project release-tools: Could > > > > > not > > > > > resolve dependencies for project > > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed > > > > > to > > > > > collect dependencies at org.tomitribe.jamira:jamira- > > > > > core:jar:0.4 > > > > > -> > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed > > > > > to > > > > > read > > > > > artifact descriptor for > > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > > > following > > > > > artifacts could not be resolved: > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > > > (absent): > > > > > Could > > > > > not transfer artifact > > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > atlassian > > > > > ( > > > > > https://maven.atlassian.com/content/repositories/atlassian-publi > > > > > c/): > > > > > status code: 429, reason phrase: Too Many Requests (429) -> > > > > > [Help > > > > > 1] > > > > > > > > > > I can't seem to get the artifacts from their Maven repository > > > > > due > > > > > to > > > > > rate limiting unfortunately. > > > > > > > > > > > > > > > On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > > > > > > wrote: > > > > > > > > > > > > Feel free to update 3rd party dependencies (make sure to > > > > > > create > > > > > > a Jira, > > > > > > so it gets into the release notes). To update the BOMs you > > > > > > can > > > > > > either > > > > > > rely on the related GitHub action (will do it automatically > > > > > > via > > > > > > a PR) > > > > > > or just run a quick build. > > > > > > > > > > > > > > > > > > Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan > > > > > > S. > > > > > > Fisher: > > > > > > > Richard: thank you sir, I see my key in there. > > > > > > > Rod: Are the docker images part of the main build? I don't > > > > > > > use Docker > > > > > > > professionally, so I'm not very familiar with the whole > > > > > > > process. > > > > > > > > > > > > > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > > > > > > > > > > Does anyone have an issue with me updating to eclipselink > > > > > > > 2.7.13? > > > > > > > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > > > > > We've > > > > > > > been running TomEE 8.0.15 with 2.7.13 in production for a > > > > > > > few > > > > > > > weeks > > > > > > > and haven't seen any issues. > > > > > > > > > > > > > > > > > > > > > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > > > > wrote: > > > > > > > > > > > > > > > > Is there anyway to test the keys before we deploy? We > > > > > > > > have > >
Re: 8.0.16 release
FYI: Just did it on the staged 8.0.16 version on dist/dev. Looks ok (so no need to worry about). Am Samstag, dem 28.10.2023 um 20:35 +0200 schrieb Richard Zowalla: > Regarding (1): > > You can run grype on the lib folder [1] and check the output. > There will be some false-positive entries but if you missed something > really important, it should appear there. > > With the ActiveMQ upgrade I do not expect anything unforseen though > ;-) > > Gruß > Richard > > > > [1] https://github.com/anchore/grype > > > Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan S. > Fisher: > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > else is aware of anything else I can upgrade before release, please > > speak up :) > > > > Also good news: for whatever reason, I'm able to build > > tomee-release-tools now. The atlassian maven repository hit me with > > a > > rate limit briefly but it seems to have lifted. > > > > I have three questions at this point in time: > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > 2. Are there CVEs we ignore? (basically ones that are present but > > don't apply to us) > > 3. I ran a build locally and got two test failures. Looks like CI > > did > > too: > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > It doesn't look related to the EclipseLink change unless I screwed > > the > > pooch on something. Are these known issues by chance? > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > wrote: > > > > > > Might be relevant for your release preperations: > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > > : > > > > Thank you, eclipselink has been updated and boms also updated. > > > > > > > > Are the tomee release tools still needed? > > > > > > > > [ERROR] Failed to execute goal on project release-tools: Could > > > > not > > > > resolve dependencies for project > > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed > > > > to > > > > collect dependencies at org.tomitribe.jamira:jamira- > > > > core:jar:0.4 > > > > -> > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed > > > > to > > > > read > > > > artifact descriptor for > > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > > following > > > > artifacts could not be resolved: > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > > (absent): > > > > Could > > > > not transfer artifact > > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > atlassian > > > > ( > > > > https://maven.atlassian.com/content/repositories/atlassian-publi > > > > c/): > > > > status code: 429, reason phrase: Too Many Requests (429) -> > > > > [Help > > > > 1] > > > > > > > > I can't seem to get the artifacts from their Maven repository > > > > due > > > > to > > > > rate limiting unfortunately. > > > > > > > > > > > > On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > > > > wrote: > > > > > > > > > > Feel free to update 3rd party dependencies (make sure to > > > > > create > > > > > a Jira, > > > > > so it gets into the release notes). To update the BOMs you > > > > > can > > > > > either > > > > > rely on the related GitHub action (will do it automatically > > > > > via > > > > > a PR) > > > > > or just run a quick build. > > > > > > > > > > > > > > > Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan > > > > > S. > > > > > Fisher: > > > > > > Richard: thank you sir, I see my key in there. > > > > > > Rod: Are the docker images part of the main build? I don't > > > > > > use Docker > > > > > > professionally, so I'm not very familiar with the whole > > > > > > process. > > > > > > > > > > > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > > > > > > > > Does anyone have an issue with me updating to eclipselink > > > > > > 2.7.13? > > > > > > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > > > > We've > > > > > > been running TomEE 8.0.15 with 2.7.13 in production for a > > > > > > few > > > > > > weeks > > > > > > and haven't seen any issues. > > > > > > > > > > > > > > > > > > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > > > wrote: > > > > > > > > > > > > > > Is there anyway to test the keys before we deploy? We > > > > > > > have > > > > > > > issues > > > > > > > in the past with new keys and verifying the packages when > > > > > > > the > > > > > > > docker images are built. > > > > > > > > > > > > > > Thanks, > > > > > > > Rod. > > > > > > > > > > > > > > > > > > > > > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > Added to > > > > > > > > https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > > > > > > > > > > > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb > > > > > > > > > Jonathan S.
Re: 8.0.16 release
Regarding (1): You can run grype on the lib folder [1] and check the output. There will be some false-positive entries but if you missed something really important, it should appear there. With the ActiveMQ upgrade I do not expect anything unforseen though ;-) Gruß Richard [1] https://github.com/anchore/grype Am Donnerstag, dem 26.10.2023 um 07:18 -0500 schrieb Jonathan S. Fisher: > Richard, thank you sir; I assigned that ticket to myself. If anyone > else is aware of anything else I can upgrade before release, please > speak up :) > > Also good news: for whatever reason, I'm able to build > tomee-release-tools now. The atlassian maven repository hit me with a > rate limit briefly but it seems to have lifted. > > I have three questions at this point in time: > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > 2. Are there CVEs we ignore? (basically ones that are present but > don't apply to us) > 3. I ran a build locally and got two test failures. Looks like CI did > too: > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > It doesn't look related to the EclipseLink change unless I screwed > the > pooch on something. Are these known issues by chance? > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > wrote: > > > > Might be relevant for your release preperations: > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > : > > > Thank you, eclipselink has been updated and boms also updated. > > > > > > Are the tomee release tools still needed? > > > > > > [ERROR] Failed to execute goal on project release-tools: Could > > > not > > > resolve dependencies for project > > > org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed > > > to > > > collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 > > > -> > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to > > > read > > > artifact descriptor for > > > com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > following > > > artifacts could not be resolved: > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): > > > Could > > > not transfer artifact > > > com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > atlassian > > > (https://maven.atlassian.com/content/repositories/atlassian-publi > > > c/): > > > status code: 429, reason phrase: Too Many Requests (429) -> [Help > > > 1] > > > > > > I can't seem to get the artifacts from their Maven repository due > > > to > > > rate limiting unfortunately. > > > > > > > > > On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > wrote: > > > > > > > > Feel free to update 3rd party dependencies (make sure to create > > > > a Jira, > > > > so it gets into the release notes). To update the BOMs you can > > > > either > > > > rely on the related GitHub action (will do it automatically via > > > > a PR) > > > > or just run a quick build. > > > > > > > > > > > > Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. > > > > Fisher: > > > > > Richard: thank you sir, I see my key in there. > > > > > Rod: Are the docker images part of the main build? I don't > > > > > use Docker > > > > > professionally, so I'm not very familiar with the whole > > > > > process. > > > > > > > > > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > > > > > > Does anyone have an issue with me updating to eclipselink > > > > > 2.7.13? > > > > > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > > > We've > > > > > been running TomEE 8.0.15 with 2.7.13 in production for a few > > > > > weeks > > > > > and haven't seen any issues. > > > > > > > > > > > > > > > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > > wrote: > > > > > > > > > > > > Is there anyway to test the keys before we deploy? We have > > > > > > issues > > > > > > in the past with new keys and verifying the packages when > > > > > > the > > > > > > docker images are built. > > > > > > > > > > > > Thanks, > > > > > > Rod. > > > > > > > > > > > > > > > > > > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > Added to > > > > > > > https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > > > > > > > > > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb > > > > > > > > Jonathan S. > > > > > > > > Fisher: > > > > > > > > pasted here: > > > > > > > > > > > > > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > > > > > > > > > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9Hitoo > > > > > > > > Lx1k3dGT > > > > > > > > A > > > > > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALM > > > > > > > > mdv68cet > > > > > > > > 9 > > > > > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v2 > > > > > > > > 8bXYP9kf > > > > > > > > v > > > > > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWw > > > >
Re: 8.0.16 release
Yes. This is a bit creepy to configure ;-) You need to add credentials in a folder in your userhome ~/.jamira In this directory just add a file "asf.properties" with the following content: #asf #Fri May 05 20:19:56 CEST 2023 password= serverUri=https\://issues.apache.org/jira username= As an alternative, you can check out [1] and run jamira account add apache elmerfudd "GetTh3Rabb1t" https://issues.apache.org/jira To add an account "elmerfudd" with the quoted password and call it "apache". I've copied the output of the generate release command into my mail in case you want to speed up things ;-) I can run the vote for you (as this needs to be done by the PMC) if you think it's ready. For this to happen, you need to push the tag for 8.0.16 to GitHub. Thanks for your work so far & Gruß Richard ### == Dependency upgrade [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4266[TOMEE-4266] ActiveMQ 5.16.7 / 5.18.3 - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234] Bouncy Castle 1.75 - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229] CVE-2023-34981 in TomEE 8.0.15 - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218] HSQLDB 2.7.2 - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221] JUnit 5.9.3 - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216] Jackson 2.15.1 - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2 - link:https://issues.apache.org/jira/browse/TOMEE-4228[TOMEE-4228] Johnzon 1.2.21 - link:https://issues.apache.org/jira/browse/TOMEE-4263[TOMEE-4263] Santuario Java (xmlsec) mitigate CVE-2023-44483 - link:https://issues.apache.org/jira/browse/TOMEE-4224[TOMEE-4224] Tomcat 9.0.76 - link:https://issues.apache.org/jira/browse/TOMEE-4237[TOMEE-4237] Tomcat 9.0.79 - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238] Tomcat 9.0.80 - link:https://issues.apache.org/jira/browse/TOMEE-4262[TOMEE-4262] eclipselink 2.7.13 - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220] log4j 2.20.0 (integration) - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219] xbeans 4.23 == Bug [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4222[TOMEE-4222] @LoginToContinue JSR-375 (JavaEE Security API) causes IllegalArgumentException - link:https://issues.apache.org/jira/browse/TOMEE-4226[TOMEE-4226] DataSource definition fails when @DataSourceDefinition doesn't define url property == Improvement [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4031[TOMEE-4031] Improve TomEE Jmx Mbean Support for Parameter Names == Fixed Common Vulnerabilities and Exposures (CVEs) [.compact] - link:https://issues.apache.org/jira/browse/TOMEE-4234[TOMEE-4234] Bouncy Castle 1.75 - link:https://issues.apache.org/jira/browse/TOMEE-4238[TOMEE-4238] Tomcat 9.0.80 - link:https://issues.apache.org/jira/browse/TOMEE-4227[TOMEE-4227] Jackson 2.15.2 - link:https://issues.apache.org/jira/browse/TOMEE-4229[TOMEE-4229] CVE-2023-34981 in Apache TomEE 8.0.15 ### [1] https://github.com/tomitribe/jamira Am Samstag, dem 28.10.2023 um 11:06 -0500 schrieb Jonathan S. Fisher: > Good morning everyone, I'm still stuck at the "Generate release notes > (website)" step on https://tomee.apache.org/dev/release-tomee.html > > ~/opensource/tomee-release-tools$ ./target/release release-notes > generate 8= 0.16 > No jira accounts configured. Run `account add` to configure a jira > account > ~/opensource/tomee-release-tools$ grep -ri . --include=*.java "No > jira > accounts configured" > ~/opensource/tomee-release-tools$ > > Any help appreciated, thank you! > > On Fri, Oct 27, 2023 at 5:10 PM Jonathan S. Fisher > wrote: > > > > Thanks to you and Richard for helping me stumble through. > > > > I'm stuck at this step: > > ~/opensource/tomee-release-tools$ ./target/release release-notes > > generate 8.0.16 > > No jira accounts configured. Run `account add` to configure a jira > > account > > > > ~/opensource/tomee-release-tools$ ./target/release account > > Unknown command: account >
Re: 8.0.16 release
Good morning everyone, I'm still stuck at the "Generate release notes (website)" step on https://tomee.apache.org/dev/release-tomee.html ~/opensource/tomee-release-tools$ ./target/release release-notes generate 8.0.16 No jira accounts configured. Run `account add` to configure a jira account ~/opensource/tomee-release-tools$ grep -ri . --include=*.java "No jira accounts configured" ~/opensource/tomee-release-tools$ Any help appreciated, thank you! On Fri, Oct 27, 2023 at 5:10 PM Jonathan S. Fisher wrote: > > Thanks to you and Richard for helping me stumble through. > > I'm stuck at this step: > ~/opensource/tomee-release-tools$ ./target/release release-notes generate > 8.0.16 > No jira accounts configured. Run `account add` to configure a jira account > > ~/opensource/tomee-release-tools$ ./target/release account > Unknown command: account
Re: 8.0.16 release
Thanks to you and Richard for helping me stumble through. I'm stuck at this step: ~/opensource/tomee-release-tools$ ./target/release release-notes generate 8.0.16 No jira accounts configured. Run `account add` to configure a jira account ~/opensource/tomee-release-tools$ ./target/release account Unknown command: account a, what do I do On Fri, Oct 27, 2023 at 4:57 PM Jonathan Gallimore wrote: > > Upload to here: https://dist.apache.org/repos/dist/dev/tomee/ - this is > where we'll all be getting the artifacts to vote on. If you're using the > release tools, you'll be on this step: "Deploy Source and Distributions to > dist/dev". > > Thanks for all your work on this. > > Jon > > On Fri, Oct 27, 2023 at 10:52 PM Jonathan S. Fisher > wrote: > > > Ok repository is uploaded and closed: > > > > https://repository.apache.org/content/repositories/orgapachetomee-1222/org/apache/tomee/apache-tomee/8.0.16/ > > > > What's next? The directions say to upload but that seems a bit > > premature before calling for a vote or what not... sorry I'm new here! > > https://tomee.apache.org/dev/release-tomee.html > > > > On Fri, Oct 27, 2023 at 4:11 PM Jonathan Gallimore > > wrote: > > > > > > Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't > > > massive: https://github.com/apache/activemq/commits/activemq-5.17.x. > > > > > > Jon > > > > > > On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher > > > wrote: > > > > > > > ope, it's in there now. Just popped up and I merged. > > > > > > > > ActiveMQ merges make a be a bit nervous :) I'll go ahead > > > > release:perform but stop again before closing the repository. > > > > > > > > I'll try running this too with some of our bigger apps and see if I > > > > can find anything wrong. > > > > > > > > On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore > > > > wrote: > > > > > > > > > > It should be done by the build, but I can do that and push it as > > well. > > > > > > > > > > Jon > > > > > > > > > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher < > > exabr...@gmail.com> > > > > > wrote: > > > > > > > > > > > Thanks, do we need to do the bom thing? > > > > > > > > > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > > > > > > wrote: > > > > > > > > > > > > > > Done: > > > > > > > > > > > > > > > > > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > > > > > > > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > > > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > > > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > > > > > > > > > > > Jon > > > > > > > > > > > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher < > > > > exabr...@gmail.com > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > > > > > > >> > > > > > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > > > > > > >> wrote: > > > > > > > >> > > > > > > > > >> > I was about to ask the same. Happy to push the update to the > > > > branch > > > > > > > >> before > > > > > > > >> > a release is kicked off. > > > > > > > >> > > > > > > > > >> > Jon > > > > > > > >> > > > > > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, < > > > > alex.m3...@gmail.com> > > > > > > > >> wrote: > > > > > > > >> > > > > > > > > >> > > Hi > > > > > > > >> > > > > > > > > > >> > > Before it's too late, can 8.0.16 release include (if not > > > > already > > > > > > done) > > > > > > > >> > > the dependency update to ActiveMQ version fixing > > > > CVE-2023-46604 > > > > > > (which > > > > > > > >> > > has High 8.8 score by > > > > > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > > > > > > enabling > > > > > > > >> > > remote code execution ? > > > > > > > >> > > > > > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > > > > >> > > > > > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version > > > > 5.16.6, > > > > > > and > > > > > > > >> > > according to > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > > > > > >> > > , > > > > > > > >> > > we need at least 5.16.7 > > > > > > > >> > > > > > > > > > >> > > I hope this dependency update can make it in 8.0.16 before > > > > it's > > > > > > > >> > > released (or maybe it's already in the about-to-be voted > > > > 8.0.16 ?) > > > > > > > >> > > > > > > > > > >> > > Thanks, > > > > > > > >> > > Alex > > > > > > > >> > > > > > > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > > > > > > exabr...@gmail.com> > > > > > > > >> a > > > > > > > >> > > écrit : > > > > > > > >> > > > > > > > > > > >> > > > Alright, I have the build completed, signed, and > > uploaded > > > > the > > > > > > the > > > > > > > >> > > > Nexus staging repository: orgapachetomee-1221 > > > > > > > >> > > > > > > > >
Re: 8.0.16 release
Upload to here: https://dist.apache.org/repos/dist/dev/tomee/ - this is where we'll all be getting the artifacts to vote on. If you're using the release tools, you'll be on this step: "Deploy Source and Distributions to dist/dev". Thanks for all your work on this. Jon On Fri, Oct 27, 2023 at 10:52 PM Jonathan S. Fisher wrote: > Ok repository is uploaded and closed: > > https://repository.apache.org/content/repositories/orgapachetomee-1222/org/apache/tomee/apache-tomee/8.0.16/ > > What's next? The directions say to upload but that seems a bit > premature before calling for a vote or what not... sorry I'm new here! > https://tomee.apache.org/dev/release-tomee.html > > On Fri, Oct 27, 2023 at 4:11 PM Jonathan Gallimore > wrote: > > > > Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't > > massive: https://github.com/apache/activemq/commits/activemq-5.17.x. > > > > Jon > > > > On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher > > wrote: > > > > > ope, it's in there now. Just popped up and I merged. > > > > > > ActiveMQ merges make a be a bit nervous :) I'll go ahead > > > release:perform but stop again before closing the repository. > > > > > > I'll try running this too with some of our bigger apps and see if I > > > can find anything wrong. > > > > > > On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore > > > wrote: > > > > > > > > It should be done by the build, but I can do that and push it as > well. > > > > > > > > Jon > > > > > > > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher < > exabr...@gmail.com> > > > > wrote: > > > > > > > > > Thanks, do we need to do the bom thing? > > > > > > > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > > > > > wrote: > > > > > > > > > > > > Done: > > > > > > > > > > > > > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > > > > > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > > > > > > > > > Jon > > > > > > > > > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher < > > > exabr...@gmail.com > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > > > > > >> > > > > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > > > > > >> wrote: > > > > > > >> > > > > > > > >> > I was about to ask the same. Happy to push the update to the > > > branch > > > > > > >> before > > > > > > >> > a release is kicked off. > > > > > > >> > > > > > > > >> > Jon > > > > > > >> > > > > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, < > > > alex.m3...@gmail.com> > > > > > > >> wrote: > > > > > > >> > > > > > > > >> > > Hi > > > > > > >> > > > > > > > > >> > > Before it's too late, can 8.0.16 release include (if not > > > already > > > > > done) > > > > > > >> > > the dependency update to ActiveMQ version fixing > > > CVE-2023-46604 > > > > > (which > > > > > > >> > > has High 8.8 score by > > > > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > > > > > enabling > > > > > > >> > > remote code execution ? > > > > > > >> > > > > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > > > >> > > > > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version > > > 5.16.6, > > > > > and > > > > > > >> > > according to > > > > > > >> > > > > > > > > >> > > > > > > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > > > > >> > > , > > > > > > >> > > we need at least 5.16.7 > > > > > > >> > > > > > > > > >> > > I hope this dependency update can make it in 8.0.16 before > > > it's > > > > > > >> > > released (or maybe it's already in the about-to-be voted > > > 8.0.16 ?) > > > > > > >> > > > > > > > > >> > > Thanks, > > > > > > >> > > Alex > > > > > > >> > > > > > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > > > > > exabr...@gmail.com> > > > > > > >> a > > > > > > >> > > écrit : > > > > > > >> > > > > > > > > > >> > > > Alright, I have the build completed, signed, and > uploaded > > > the > > > > > the > > > > > > >> > > > Nexus staging repository: orgapachetomee-1221 > > > > > > >> > > > > > > > > > >> > > > What's next? I'm a little apprehensive to close out the > > > staging > > > > > repo > > > > > > >> > > > for fear of prematurely publishing a release... > > > > > > >> > > > > > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > > > > > >> exabr...@gmail.com> > > > > > > >> > > wrote: > > > > > > >> > > > > > > > > > > >> > > > > I got another good build locally and CI is happy too. > I'm > > > > > going to > > > > > > >> > > > > stage the release! > > > > > > >> > > > > > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > > > > > >> exabr...@gmail.com> > > > > > > >> > > wrote: > > > > > > >> > > > > > > >
Re: 8.0.16 release
Ok repository is uploaded and closed: https://repository.apache.org/content/repositories/orgapachetomee-1222/org/apache/tomee/apache-tomee/8.0.16/ What's next? The directions say to upload but that seems a bit premature before calling for a vote or what not... sorry I'm new here! https://tomee.apache.org/dev/release-tomee.html On Fri, Oct 27, 2023 at 4:11 PM Jonathan Gallimore wrote: > > Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't > massive: https://github.com/apache/activemq/commits/activemq-5.17.x. > > Jon > > On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher > wrote: > > > ope, it's in there now. Just popped up and I merged. > > > > ActiveMQ merges make a be a bit nervous :) I'll go ahead > > release:perform but stop again before closing the repository. > > > > I'll try running this too with some of our bigger apps and see if I > > can find anything wrong. > > > > On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore > > wrote: > > > > > > It should be done by the build, but I can do that and push it as well. > > > > > > Jon > > > > > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher > > > wrote: > > > > > > > Thanks, do we need to do the bom thing? > > > > > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > > > > wrote: > > > > > > > > > > Done: > > > > > > > > > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > > > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > > > > > > > Jon > > > > > > > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher < > > exabr...@gmail.com > > > > > > > > > > > wrote: > > > > > > > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > > > > >> > > > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > > > > >> wrote: > > > > > >> > > > > > > >> > I was about to ask the same. Happy to push the update to the > > branch > > > > > >> before > > > > > >> > a release is kicked off. > > > > > >> > > > > > > >> > Jon > > > > > >> > > > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, < > > alex.m3...@gmail.com> > > > > > >> wrote: > > > > > >> > > > > > > >> > > Hi > > > > > >> > > > > > > > >> > > Before it's too late, can 8.0.16 release include (if not > > already > > > > done) > > > > > >> > > the dependency update to ActiveMQ version fixing > > CVE-2023-46604 > > > > (which > > > > > >> > > has High 8.8 score by > > > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > > > > enabling > > > > > >> > > remote code execution ? > > > > > >> > > > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > > >> > > > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version > > 5.16.6, > > > > and > > > > > >> > > according to > > > > > >> > > > > > > > >> > > > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > > > >> > > , > > > > > >> > > we need at least 5.16.7 > > > > > >> > > > > > > > >> > > I hope this dependency update can make it in 8.0.16 before > > it's > > > > > >> > > released (or maybe it's already in the about-to-be voted > > 8.0.16 ?) > > > > > >> > > > > > > > >> > > Thanks, > > > > > >> > > Alex > > > > > >> > > > > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > > > > exabr...@gmail.com> > > > > > >> a > > > > > >> > > écrit : > > > > > >> > > > > > > > > >> > > > Alright, I have the build completed, signed, and uploaded > > the > > > > the > > > > > >> > > > Nexus staging repository: orgapachetomee-1221 > > > > > >> > > > > > > > > >> > > > What's next? I'm a little apprehensive to close out the > > staging > > > > repo > > > > > >> > > > for fear of prematurely publishing a release... > > > > > >> > > > > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > > > > >> exabr...@gmail.com> > > > > > >> > > wrote: > > > > > >> > > > > > > > > > >> > > > > I got another good build locally and CI is happy too. I'm > > > > going to > > > > > >> > > > > stage the release! > > > > > >> > > > > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > > > > >> exabr...@gmail.com> > > > > > >> > > wrote: > > > > > >> > > > > > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on > > CI > > > > > >> > > > > > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > > > > > >> jej2...@gmail.com> > > > > > >> > > wrote: > > > > > >> > > > > > > > > > > > >> > > > > > > Should this be included? > > > > > >> > > > > > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from > > 2.3.2 > > > > > >> (xmlsec) to > > > > > >> > > > > > > mitigate CVE-2023-4448 > > > > > >> > > > > > > > > > > > >> > > > > > > Not sure how to find the others without going through > > > > commit > > > > > >> > > history.
Re: 8.0.16 release
Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't massive: https://github.com/apache/activemq/commits/activemq-5.17.x. Jon On Fri, Oct 27, 2023 at 10:00 PM Jonathan S. Fisher wrote: > ope, it's in there now. Just popped up and I merged. > > ActiveMQ merges make a be a bit nervous :) I'll go ahead > release:perform but stop again before closing the repository. > > I'll try running this too with some of our bigger apps and see if I > can find anything wrong. > > On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore > wrote: > > > > It should be done by the build, but I can do that and push it as well. > > > > Jon > > > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher > > wrote: > > > > > Thanks, do we need to do the bom thing? > > > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > > > wrote: > > > > > > > > Done: > > > > > > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > > > > > Jon > > > > > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher < > exabr...@gmail.com > > > > > > > > > wrote: > > > > > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > > > >> > > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > > > >> wrote: > > > > >> > > > > > >> > I was about to ask the same. Happy to push the update to the > branch > > > > >> before > > > > >> > a release is kicked off. > > > > >> > > > > > >> > Jon > > > > >> > > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, < > alex.m3...@gmail.com> > > > > >> wrote: > > > > >> > > > > > >> > > Hi > > > > >> > > > > > > >> > > Before it's too late, can 8.0.16 release include (if not > already > > > done) > > > > >> > > the dependency update to ActiveMQ version fixing > CVE-2023-46604 > > > (which > > > > >> > > has High 8.8 score by > > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > > > enabling > > > > >> > > remote code execution ? > > > > >> > > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > >> > > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version > 5.16.6, > > > and > > > > >> > > according to > > > > >> > > > > > > >> > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > > >> > > , > > > > >> > > we need at least 5.16.7 > > > > >> > > > > > > >> > > I hope this dependency update can make it in 8.0.16 before > it's > > > > >> > > released (or maybe it's already in the about-to-be voted > 8.0.16 ?) > > > > >> > > > > > > >> > > Thanks, > > > > >> > > Alex > > > > >> > > > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > > > exabr...@gmail.com> > > > > >> a > > > > >> > > écrit : > > > > >> > > > > > > > >> > > > Alright, I have the build completed, signed, and uploaded > the > > > the > > > > >> > > > Nexus staging repository: orgapachetomee-1221 > > > > >> > > > > > > > >> > > > What's next? I'm a little apprehensive to close out the > staging > > > repo > > > > >> > > > for fear of prematurely publishing a release... > > > > >> > > > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > > > >> exabr...@gmail.com> > > > > >> > > wrote: > > > > >> > > > > > > > > >> > > > > I got another good build locally and CI is happy too. I'm > > > going to > > > > >> > > > > stage the release! > > > > >> > > > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > > > >> exabr...@gmail.com> > > > > >> > > wrote: > > > > >> > > > > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on > CI > > > > >> > > > > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > > > > >> jej2...@gmail.com> > > > > >> > > wrote: > > > > >> > > > > > > > > > > >> > > > > > > Should this be included? > > > > >> > > > > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from > 2.3.2 > > > > >> (xmlsec) to > > > > >> > > > > > > mitigate CVE-2023-4448 > > > > >> > > > > > > > > > > >> > > > > > > Not sure how to find the others without going through > > > commit > > > > >> > > history. > > > > >> > > > > > > > > > > >> > > > > > > Jamie > > > > >> > > > > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > > > >> > > exabr...@gmail.com> > > > > >> > > > > > > wrote: > > > > >> > > > > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to > > > myself. If > > > > >> > > anyone > > > > >> > > > > > > > else is aware of anything else I can upgrade before > > > release, > > > > >> > > please > > > > >> > > > > > > > speak up :) > > > > >> > > > > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to > build > > > > >> > > > > > > > tomee-release-tools now. The
Re: 8.0.16 release
ope, it's in there now. Just popped up and I merged. ActiveMQ merges make a be a bit nervous :) I'll go ahead release:perform but stop again before closing the repository. I'll try running this too with some of our bigger apps and see if I can find anything wrong. On Fri, Oct 27, 2023 at 3:58 PM Jonathan Gallimore wrote: > > It should be done by the build, but I can do that and push it as well. > > Jon > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher > wrote: > > > Thanks, do we need to do the bom thing? > > > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > > wrote: > > > > > > Done: > > > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > > > Jon > > > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > > > > > > wrote: > > > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > > >> > > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > > >> wrote: > > > >> > > > > >> > I was about to ask the same. Happy to push the update to the branch > > > >> before > > > >> > a release is kicked off. > > > >> > > > > >> > Jon > > > >> > > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > > > >> wrote: > > > >> > > > > >> > > Hi > > > >> > > > > > >> > > Before it's too late, can 8.0.16 release include (if not already > > done) > > > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 > > (which > > > >> > > has High 8.8 score by > > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > > enabling > > > >> > > remote code execution ? > > > >> > > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > > >> > > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, > > and > > > >> > > according to > > > >> > > > > > >> > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > >> > > , > > > >> > > we need at least 5.16.7 > > > >> > > > > > >> > > I hope this dependency update can make it in 8.0.16 before it's > > > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > > >> > > > > > >> > > Thanks, > > > >> > > Alex > > > >> > > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > > exabr...@gmail.com> > > > >> a > > > >> > > écrit : > > > >> > > > > > > >> > > > Alright, I have the build completed, signed, and uploaded the > > the > > > >> > > > Nexus staging repository: orgapachetomee-1221 > > > >> > > > > > > >> > > > What's next? I'm a little apprehensive to close out the staging > > repo > > > >> > > > for fear of prematurely publishing a release... > > > >> > > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > > >> exabr...@gmail.com> > > > >> > > wrote: > > > >> > > > > > > > >> > > > > I got another good build locally and CI is happy too. I'm > > going to > > > >> > > > > stage the release! > > > >> > > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > > >> exabr...@gmail.com> > > > >> > > wrote: > > > >> > > > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > >> > > > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > > > >> jej2...@gmail.com> > > > >> > > wrote: > > > >> > > > > > > > > > >> > > > > > > Should this be included? > > > >> > > > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > > > >> (xmlsec) to > > > >> > > > > > > mitigate CVE-2023-4448 > > > >> > > > > > > > > > >> > > > > > > Not sure how to find the others without going through > > commit > > > >> > > history. > > > >> > > > > > > > > > >> > > > > > > Jamie > > > >> > > > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > > >> > > exabr...@gmail.com> > > > >> > > > > > > wrote: > > > >> > > > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to > > myself. If > > > >> > > anyone > > > >> > > > > > > > else is aware of anything else I can upgrade before > > release, > > > >> > > please > > > >> > > > > > > > speak up :) > > > >> > > > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build > > > >> > > > > > > > tomee-release-tools now. The atlassian maven repository > > hit > > > >> me > > > >> > > with a > > > >> > > > > > > > rate limit briefly but it seems to have lifted. > > > >> > > > > > > > > > > >> > > > > > > > I have three questions at this point in time: > > > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before > > release for > > > >> > > CVE's? > > > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > > > >> present but > > > >> > > > > > > > don't apply to us) > > > >> > > > > > > > 3. I ran a build locally and got two test failures. > > Looks
Re: 8.0.16 release
Those should be there for 8.0.x, 9.1.x and 10.0.x (I think you merged the PR for 8.0.x yourself :-) ) Jon On Fri, Oct 27, 2023 at 9:56 PM Jonathan Gallimore < jonathan.gallim...@gmail.com> wrote: > It should be done by the build, but I can do that and push it as well. > > Jon > > On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher > wrote: > >> Thanks, do we need to do the bom thing? >> >> On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore >> wrote: >> > >> > Done: >> > >> https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 >> > >> > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < >> > jonathan.gallim...@gmail.com> wrote: >> > >> > > Thanks. That commit is incoming in about 1 minute. >> > > >> > > Jon >> > > >> > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher < >> exabr...@gmail.com> >> > > wrote: >> > > >> > >> No problemo. I'll cancel, do the pr two step, and rebuild >> > >> >> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore >> > >> wrote: >> > >> > >> > >> > I was about to ask the same. Happy to push the update to the branch >> > >> before >> > >> > a release is kicked off. >> > >> > >> > >> > Jon >> > >> > >> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, >> > >> wrote: >> > >> > >> > >> > > Hi >> > >> > > >> > >> > > Before it's too late, can 8.0.16 release include (if not already >> done) >> > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 >> (which >> > >> > > has High 8.8 score by >> > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's >> enabling >> > >> > > remote code execution ? >> > >> > > >> > >> > > As a reminder, ActiveMQ is embedded in TomEE+. >> > >> > > >> > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version >> 5.16.6, and >> > >> > > according to >> > >> > > >> > >> >> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt >> > >> > > , >> > >> > > we need at least 5.16.7 >> > >> > > >> > >> > > I hope this dependency update can make it in 8.0.16 before it's >> > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 >> ?) >> > >> > > >> > >> > > Thanks, >> > >> > > Alex >> > >> > > >> > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < >> exabr...@gmail.com> >> > >> a >> > >> > > écrit : >> > >> > > > >> > >> > > > Alright, I have the build completed, signed, and uploaded the >> the >> > >> > > > Nexus staging repository: orgapachetomee-1221 >> > >> > > > >> > >> > > > What's next? I'm a little apprehensive to close out the >> staging repo >> > >> > > > for fear of prematurely publishing a release... >> > >> > > > >> > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < >> > >> exabr...@gmail.com> >> > >> > > wrote: >> > >> > > > > >> > >> > > > > I got another good build locally and CI is happy too. I'm >> going to >> > >> > > > > stage the release! >> > >> > > > > >> > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < >> > >> exabr...@gmail.com> >> > >> > > wrote: >> > >> > > > > > >> > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI >> > >> > > > > > >> > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < >> > >> jej2...@gmail.com> >> > >> > > wrote: >> > >> > > > > > > >> > >> > > > > > > Should this be included? >> > >> > > > > > > >> > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 >> > >> (xmlsec) to >> > >> > > > > > > mitigate CVE-2023-4448 >> > >> > > > > > > >> > >> > > > > > > Not sure how to find the others without going through >> commit >> > >> > > history. >> > >> > > > > > > >> > >> > > > > > > Jamie >> > >> > > > > > > >> > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < >> > >> > > exabr...@gmail.com> >> > >> > > > > > > wrote: >> > >> > > > > > > >> > >> > > > > > > > Richard, thank you sir; I assigned that ticket to >> myself. If >> > >> > > anyone >> > >> > > > > > > > else is aware of anything else I can upgrade before >> release, >> > >> > > please >> > >> > > > > > > > speak up :) >> > >> > > > > > > > >> > >> > > > > > > > Also good news: for whatever reason, I'm able to build >> > >> > > > > > > > tomee-release-tools now. The atlassian maven >> repository hit >> > >> me >> > >> > > with a >> > >> > > > > > > > rate limit briefly but it seems to have lifted. >> > >> > > > > > > > >> > >> > > > > > > > I have three questions at this point in time: >> > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before >> release for >> > >> > > CVE's? >> > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are >> > >> present but >> > >> > > > > > > > don't apply to us) >> > >> > > > > > > > 3. I ran a build locally and got two test failures. >> Looks >> > >> like >> > >> > > CI did >> > >> > > > > > > > too: >> > >> > > > > > > > >> > >> > > >> > >> >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ >> > >> > > > > > > > >> > >> > > > > > > >
Re: 8.0.16 release
It should be done by the build, but I can do that and push it as well. Jon On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher wrote: > Thanks, do we need to do the bom thing? > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > wrote: > > > > Done: > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > jonathan.gallim...@gmail.com> wrote: > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > Jon > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > > > > wrote: > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > >> > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > >> wrote: > > >> > > > >> > I was about to ask the same. Happy to push the update to the branch > > >> before > > >> > a release is kicked off. > > >> > > > >> > Jon > > >> > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > > >> wrote: > > >> > > > >> > > Hi > > >> > > > > >> > > Before it's too late, can 8.0.16 release include (if not already > done) > > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 > (which > > >> > > has High 8.8 score by > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > enabling > > >> > > remote code execution ? > > >> > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > >> > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, > and > > >> > > according to > > >> > > > > >> > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > >> > > , > > >> > > we need at least 5.16.7 > > >> > > > > >> > > I hope this dependency update can make it in 8.0.16 before it's > > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > >> > > > > >> > > Thanks, > > >> > > Alex > > >> > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher < > exabr...@gmail.com> > > >> a > > >> > > écrit : > > >> > > > > > >> > > > Alright, I have the build completed, signed, and uploaded the > the > > >> > > > Nexus staging repository: orgapachetomee-1221 > > >> > > > > > >> > > > What's next? I'm a little apprehensive to close out the staging > repo > > >> > > > for fear of prematurely publishing a release... > > >> > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > >> exabr...@gmail.com> > > >> > > wrote: > > >> > > > > > > >> > > > > I got another good build locally and CI is happy too. I'm > going to > > >> > > > > stage the release! > > >> > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > >> exabr...@gmail.com> > > >> > > wrote: > > >> > > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > >> > > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > > >> jej2...@gmail.com> > > >> > > wrote: > > >> > > > > > > > > >> > > > > > > Should this be included? > > >> > > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > > >> (xmlsec) to > > >> > > > > > > mitigate CVE-2023-4448 > > >> > > > > > > > > >> > > > > > > Not sure how to find the others without going through > commit > > >> > > history. > > >> > > > > > > > > >> > > > > > > Jamie > > >> > > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > >> > > exabr...@gmail.com> > > >> > > > > > > wrote: > > >> > > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to > myself. If > > >> > > anyone > > >> > > > > > > > else is aware of anything else I can upgrade before > release, > > >> > > please > > >> > > > > > > > speak up :) > > >> > > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build > > >> > > > > > > > tomee-release-tools now. The atlassian maven repository > hit > > >> me > > >> > > with a > > >> > > > > > > > rate limit briefly but it seems to have lifted. > > >> > > > > > > > > > >> > > > > > > > I have three questions at this point in time: > > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before > release for > > >> > > CVE's? > > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > > >> present but > > >> > > > > > > > don't apply to us) > > >> > > > > > > > 3. I ran a build locally and got two test failures. > Looks > > >> like > > >> > > CI did > > >> > > > > > > > too: > > >> > > > > > > > > > >> > > > > >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > >> > > > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change > unless I > > >> > > screwed the > > >> > > > > > > > pooch on something. Are these known issues by chance? > > >> > > > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > >> > > rich...@zowalla.com> > > >> > > > > > > > wrote: > > >> > > > > > > > > > > >> > > > > > > > > Might be relevant
Re: 8.0.16 release
Thanks, do we need to do the bom thing? On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore wrote: > > Done: > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > jonathan.gallim...@gmail.com> wrote: > > > Thanks. That commit is incoming in about 1 minute. > > > > Jon > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > > wrote: > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > >> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > >> wrote: > >> > > >> > I was about to ask the same. Happy to push the update to the branch > >> before > >> > a release is kicked off. > >> > > >> > Jon > >> > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > >> wrote: > >> > > >> > > Hi > >> > > > >> > > Before it's too late, can 8.0.16 release include (if not already done) > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > >> > > has High 8.8 score by > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > >> > > remote code execution ? > >> > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > >> > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > >> > > according to > >> > > > >> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > >> > > , > >> > > we need at least 5.16.7 > >> > > > >> > > I hope this dependency update can make it in 8.0.16 before it's > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > >> > > > >> > > Thanks, > >> > > Alex > >> > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher > >> a > >> > > écrit : > >> > > > > >> > > > Alright, I have the build completed, signed, and uploaded the the > >> > > > Nexus staging repository: orgapachetomee-1221 > >> > > > > >> > > > What's next? I'm a little apprehensive to close out the staging repo > >> > > > for fear of prematurely publishing a release... > >> > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > >> exabr...@gmail.com> > >> > > wrote: > >> > > > > > >> > > > > I got another good build locally and CI is happy too. I'm going to > >> > > > > stage the release! > >> > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > >> exabr...@gmail.com> > >> > > wrote: > >> > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > >> > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > >> jej2...@gmail.com> > >> > > wrote: > >> > > > > > > > >> > > > > > > Should this be included? > >> > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > >> (xmlsec) to > >> > > > > > > mitigate CVE-2023-4448 > >> > > > > > > > >> > > > > > > Not sure how to find the others without going through commit > >> > > history. > >> > > > > > > > >> > > > > > > Jamie > >> > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > >> > > exabr...@gmail.com> > >> > > > > > > wrote: > >> > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > >> > > anyone > >> > > > > > > > else is aware of anything else I can upgrade before release, > >> > > please > >> > > > > > > > speak up :) > >> > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build > >> > > > > > > > tomee-release-tools now. The atlassian maven repository hit > >> me > >> > > with a > >> > > > > > > > rate limit briefly but it seems to have lifted. > >> > > > > > > > > >> > > > > > > > I have three questions at this point in time: > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > >> > > CVE's? > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > >> present but > >> > > > > > > > don't apply to us) > >> > > > > > > > 3. I ran a build locally and got two test failures. Looks > >> like > >> > > CI did > >> > > > > > > > too: > >> > > > > > > > > >> > > > >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > >> > > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change unless I > >> > > screwed the > >> > > > > > > > pooch on something. Are these known issues by chance? > >> > > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > >> > > rich...@zowalla.com> > >> > > > > > > > wrote: > >> > > > > > > > > > >> > > > > > > > > Might be relevant for your release preperations: > >> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > >> > > > > > > > > > >> > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > >> Fisher" > >> > > < > >> > > > > > > > exabr...@gmail.com>: > >> > > > > > > > > >Thank you, eclipselink has been updated and boms also > >> updated. > >> > > > > > > > > > > >> > > > > > > > > >Are the tomee release tools still needed? > >> > > > > > > > > >
Re: 8.0.16 release
Done: https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < jonathan.gallim...@gmail.com> wrote: > Thanks. That commit is incoming in about 1 minute. > > Jon > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > wrote: > >> No problemo. I'll cancel, do the pr two step, and rebuild >> >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore >> wrote: >> > >> > I was about to ask the same. Happy to push the update to the branch >> before >> > a release is kicked off. >> > >> > Jon >> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, >> wrote: >> > >> > > Hi >> > > >> > > Before it's too late, can 8.0.16 release include (if not already done) >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which >> > > has High 8.8 score by >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling >> > > remote code execution ? >> > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. >> > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and >> > > according to >> > > >> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt >> > > , >> > > we need at least 5.16.7 >> > > >> > > I hope this dependency update can make it in 8.0.16 before it's >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) >> > > >> > > Thanks, >> > > Alex >> > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher >> a >> > > écrit : >> > > > >> > > > Alright, I have the build completed, signed, and uploaded the the >> > > > Nexus staging repository: orgapachetomee-1221 >> > > > >> > > > What's next? I'm a little apprehensive to close out the staging repo >> > > > for fear of prematurely publishing a release... >> > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < >> exabr...@gmail.com> >> > > wrote: >> > > > > >> > > > > I got another good build locally and CI is happy too. I'm going to >> > > > > stage the release! >> > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < >> exabr...@gmail.com> >> > > wrote: >> > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI >> > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < >> jej2...@gmail.com> >> > > wrote: >> > > > > > > >> > > > > > > Should this be included? >> > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 >> (xmlsec) to >> > > > > > > mitigate CVE-2023-4448 >> > > > > > > >> > > > > > > Not sure how to find the others without going through commit >> > > history. >> > > > > > > >> > > > > > > Jamie >> > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < >> > > exabr...@gmail.com> >> > > > > > > wrote: >> > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If >> > > anyone >> > > > > > > > else is aware of anything else I can upgrade before release, >> > > please >> > > > > > > > speak up :) >> > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build >> > > > > > > > tomee-release-tools now. The atlassian maven repository hit >> me >> > > with a >> > > > > > > > rate limit briefly but it seems to have lifted. >> > > > > > > > >> > > > > > > > I have three questions at this point in time: >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for >> > > CVE's? >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are >> present but >> > > > > > > > don't apply to us) >> > > > > > > > 3. I ran a build locally and got two test failures. Looks >> like >> > > CI did >> > > > > > > > too: >> > > > > > > > >> > > >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ >> > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change unless I >> > > screwed the >> > > > > > > > pooch on something. Are these known issues by chance? >> > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < >> > > rich...@zowalla.com> >> > > > > > > > wrote: >> > > > > > > > > >> > > > > > > > > Might be relevant for your release preperations: >> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 >> > > > > > > > > >> > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. >> Fisher" >> > > < >> > > > > > > > exabr...@gmail.com>: >> > > > > > > > > >Thank you, eclipselink has been updated and boms also >> updated. >> > > > > > > > > > >> > > > > > > > > >Are the tomee release tools still needed? >> > > > > > > > > > >> > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: >> > > Could not >> > > > > > > > > >resolve dependencies for project >> > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: >> > > Failed to >> > > > > > > > > >collect dependencies at >> > > org.tomitribe.jamira:jamira-core:jar:0.4 -> >> > > > > > > > >
Re: 8.0.16 release
Thanks. That commit is incoming in about 1 minute. Jon On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher wrote: > No problemo. I'll cancel, do the pr two step, and rebuild > > On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > wrote: > > > > I was about to ask the same. Happy to push the update to the branch > before > > a release is kicked off. > > > > Jon > > > > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > wrote: > > > > > Hi > > > > > > Before it's too late, can 8.0.16 release include (if not already done) > > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > > > has High 8.8 score by > > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > > > remote code execution ? > > > > > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > > > according to > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > , > > > we need at least 5.16.7 > > > > > > I hope this dependency update can make it in 8.0.16 before it's > > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > > > > > Thanks, > > > Alex > > > > > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher > a > > > écrit : > > > > > > > > Alright, I have the build completed, signed, and uploaded the the > > > > Nexus staging repository: orgapachetomee-1221 > > > > > > > > What's next? I'm a little apprehensive to close out the staging repo > > > > for fear of prematurely publishing a release... > > > > > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > exabr...@gmail.com> > > > wrote: > > > > > > > > > > I got another good build locally and CI is happy too. I'm going to > > > > > stage the release! > > > > > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > exabr...@gmail.com> > > > wrote: > > > > > > > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > > > > wrote: > > > > > > > > > > > > > > Should this be included? > > > > > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > (xmlsec) to > > > > > > > mitigate CVE-2023-4448 > > > > > > > > > > > > > > Not sure how to find the others without going through commit > > > history. > > > > > > > > > > > > > > Jamie > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > > exabr...@gmail.com> > > > > > > > wrote: > > > > > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > > > anyone > > > > > > > > else is aware of anything else I can upgrade before release, > > > please > > > > > > > > speak up :) > > > > > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > > > tomee-release-tools now. The atlassian maven repository hit > me > > > with a > > > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > > > > > I have three questions at this point in time: > > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > > CVE's? > > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > present but > > > > > > > > don't apply to us) > > > > > > > > 3. I ran a build locally and got two test failures. Looks > like > > > CI did > > > > > > > > too: > > > > > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > > > screwed the > > > > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > > rich...@zowalla.com> > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > Fisher" > > > < > > > > > > > > exabr...@gmail.com>: > > > > > > > > > >Thank you, eclipselink has been updated and boms also > updated. > > > > > > > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > > > Could not > > > > > > > > > >resolve dependencies for project > > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > > Failed to > > > > > > > > > >collect dependencies at > > > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > > Failed to read > > > > > > > > > >artifact descriptor for > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > The > > > following > > > > > > > > > >artifacts could not be resolved: > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > (absent):
Re: 8.0.16 release
No problemo. I'll cancel, do the pr two step, and rebuild On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore wrote: > > I was about to ask the same. Happy to push the update to the branch before > a release is kicked off. > > Jon > > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, wrote: > > > Hi > > > > Before it's too late, can 8.0.16 release include (if not already done) > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > > has High 8.8 score by > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > > remote code execution ? > > > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > > according to > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > , > > we need at least 5.16.7 > > > > I hope this dependency update can make it in 8.0.16 before it's > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > > > Thanks, > > Alex > > > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a > > écrit : > > > > > > Alright, I have the build completed, signed, and uploaded the the > > > Nexus staging repository: orgapachetomee-1221 > > > > > > What's next? I'm a little apprehensive to close out the staging repo > > > for fear of prematurely publishing a release... > > > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher > > wrote: > > > > > > > > I got another good build locally and CI is happy too. I'm going to > > > > stage the release! > > > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > > wrote: > > > > > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > > wrote: > > > > > > > > > > > > Should this be included? > > > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > > > mitigate CVE-2023-4448 > > > > > > > > > > > > Not sure how to find the others without going through commit > > history. > > > > > > > > > > > > Jamie > > > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > exabr...@gmail.com> > > > > > > wrote: > > > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > > anyone > > > > > > > else is aware of anything else I can upgrade before release, > > please > > > > > > > speak up :) > > > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > > tomee-release-tools now. The atlassian maven repository hit me > > with a > > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > > > I have three questions at this point in time: > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > CVE's? > > > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > > > don't apply to us) > > > > > > > 3. I ran a build locally and got two test failures. Looks like > > CI did > > > > > > > too: > > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > > screwed the > > > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > rich...@zowalla.com> > > > > > > > wrote: > > > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > < > > > > > > > exabr...@gmail.com>: > > > > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > > Could not > > > > > > > > >resolve dependencies for project > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > Failed to > > > > > > > > >collect dependencies at > > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > Failed to read > > > > > > > > >artifact descriptor for > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > following > > > > > > > > >artifacts could not be resolved: > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > (absent): Could > > > > > > > > >not transfer artifact > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > > > >atlassian ( > > > > > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> > > [Help 1] > > > > > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository > > due to > >
Re: 8.0.16 release
I was about to ask the same. Happy to push the update to the branch before a release is kicked off. Jon On Fri, 27 Oct 2023, 21:23 Alex The Rocker, wrote: > Hi > > Before it's too late, can 8.0.16 release include (if not already done) > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > has High 8.8 score by > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > remote code execution ? > > As a reminder, ActiveMQ is embedded in TomEE+. > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > according to > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > , > we need at least 5.16.7 > > I hope this dependency update can make it in 8.0.16 before it's > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > Thanks, > Alex > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a > écrit : > > > > Alright, I have the build completed, signed, and uploaded the the > > Nexus staging repository: orgapachetomee-1221 > > > > What's next? I'm a little apprehensive to close out the staging repo > > for fear of prematurely publishing a release... > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher > wrote: > > > > > > I got another good build locally and CI is happy too. I'm going to > > > stage the release! > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > wrote: > > > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > wrote: > > > > > > > > > > Should this be included? > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > > mitigate CVE-2023-4448 > > > > > > > > > > Not sure how to find the others without going through commit > history. > > > > > > > > > > Jamie > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > exabr...@gmail.com> > > > > > wrote: > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > anyone > > > > > > else is aware of anything else I can upgrade before release, > please > > > > > > speak up :) > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > tomee-release-tools now. The atlassian maven repository hit me > with a > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > I have three questions at this point in time: > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > CVE's? > > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > > don't apply to us) > > > > > > 3. I ran a build locally and got two test failures. Looks like > CI did > > > > > > too: > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > screwed the > > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > rich...@zowalla.com> > > > > > > wrote: > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > < > > > > > > exabr...@gmail.com>: > > > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > Could not > > > > > > > >resolve dependencies for project > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > Failed to > > > > > > > >collect dependencies at > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > Failed to read > > > > > > > >artifact descriptor for > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > following > > > > > > > >artifacts could not be resolved: > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > (absent): Could > > > > > > > >not transfer artifact > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > > >atlassian ( > > > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> > [Help 1] > > > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository > due to > > > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla < > r...@apache.org> > > > > > > wrote: > > > > > > > >> > > > > > > > >> Feel free to update 3rd party dependencies (make sure to > create a > > > > > > Jira, > > > > > > > >> so it gets into the release notes). To update the BOMs you > can
Re: 8.0.16 release
Hi Before it's too late, can 8.0.16 release include (if not already done) the dependency update to ActiveMQ version fixing CVE-2023-46604 (which has High 8.8 score by https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling remote code execution ? As a reminder, ActiveMQ is embedded in TomEE+. With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and according to https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt, we need at least 5.16.7 I hope this dependency update can make it in 8.0.16 before it's released (or maybe it's already in the about-to-be voted 8.0.16 ?) Thanks, Alex Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a écrit : > > Alright, I have the build completed, signed, and uploaded the the > Nexus staging repository: orgapachetomee-1221 > > What's next? I'm a little apprehensive to close out the staging repo > for fear of prematurely publishing a release... > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher wrote: > > > > I got another good build locally and CI is happy too. I'm going to > > stage the release! > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > > wrote: > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > > > > > Should this be included? > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > mitigate CVE-2023-4448 > > > > > > > > Not sure how to find the others without going through commit history. > > > > > > > > Jamie > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > > > wrote: > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > > > else is aware of anything else I can upgrade before release, please > > > > > speak up :) > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > tomee-release-tools now. The atlassian maven repository hit me with a > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > I have three questions at this point in time: > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > don't apply to us) > > > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > > > too: > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > > wrote: > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" < > > > > > exabr...@gmail.com>: > > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > > > >resolve dependencies for project > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to > > > > > > >read > > > > > > >artifact descriptor for > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > > > > >following > > > > > > >artifacts could not be resolved: > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): > > > > > > >Could > > > > > > >not transfer artifact > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > >atlassian ( > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help > > > > > > >1] > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due > > > > > > >to > > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > wrote: > > > > > > >> > > > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > > > Jira, > > > > > > >> so it gets into the release notes). To update the BOMs you can > > > > > > >> either > > > > > > >> rely on the related GitHub action (will do it automatically via > > > > > > >> a PR) > > > > > > >> or just run a quick build. > > > > > > >> > > > > > > >> > > > > > > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. > > > > > > >> Fisher: > > > > > > >> > Richard: thank you sir, I see my key in there. > > > > > > >> > Rod: Are the docker images part of
Re: 8.0.16 release
Alright, I have the build completed, signed, and uploaded the the Nexus staging repository: orgapachetomee-1221 What's next? I'm a little apprehensive to close out the staging repo for fear of prematurely publishing a release... On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher wrote: > > I got another good build locally and CI is happy too. I'm going to > stage the release! > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher wrote: > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > > > Should this be included? > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > mitigate CVE-2023-4448 > > > > > > Not sure how to find the others without going through commit history. > > > > > > Jamie > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > > wrote: > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > > else is aware of anything else I can upgrade before release, please > > > > speak up :) > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > tomee-release-tools now. The atlassian maven repository hit me with a > > > > rate limit briefly but it seems to have lifted. > > > > > > > > I have three questions at this point in time: > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > don't apply to us) > > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > > too: > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > > pooch on something. Are these known issues by chance? > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > wrote: > > > > > > > > > > Might be relevant for your release preperations: > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" < > > > > exabr...@gmail.com>: > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > > >resolve dependencies for project > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to > > > > > >read > > > > > >artifact descriptor for > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > > > > >artifacts could not be resolved: > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): > > > > > >Could > > > > > >not transfer artifact > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > >atlassian ( > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due to > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > wrote: > > > > > >> > > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > > Jira, > > > > > >> so it gets into the release notes). To update the BOMs you can > > > > > >> either > > > > > >> rely on the related GitHub action (will do it automatically via a > > > > > >> PR) > > > > > >> or just run a quick build. > > > > > >> > > > > > >> > > > > > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. > > > > > >> Fisher: > > > > > >> > Richard: thank you sir, I see my key in there. > > > > > >> > Rod: Are the docker images part of the main build? I don't use > > > > Docker > > > > > >> > professionally, so I'm not very familiar with the whole process. > > > > > >> > > > > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > >> > > > > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > > > > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > > We've > > > > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few > > > > > >> > weeks > > > > > >> > and haven't seen any issues. > > > > > >> > > > > > > >> > > > > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > > >> > wrote: > > > > > >> > > > > > > > >> > > Is there anyway to test the keys before we deploy? We have > > > > > >> > > issues > > > > > >> > > in the past with new keys and verifying the packages when the > > > > > >> > > docker images are built. > > > > > >> > > > > > > > >> > > Thanks, > > > > > >> > > Rod. > > >
Re: 8.0.16 release
I got another good build locally and CI is happy too. I'm going to stage the release! On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher wrote: > > Yep! I just logged that one and pushed a PR. Waiting on CI > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > Should this be included? > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > mitigate CVE-2023-4448 > > > > Not sure how to find the others without going through commit history. > > > > Jamie > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > wrote: > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > else is aware of anything else I can upgrade before release, please > > > speak up :) > > > > > > Also good news: for whatever reason, I'm able to build > > > tomee-release-tools now. The atlassian maven repository hit me with a > > > rate limit briefly but it seems to have lifted. > > > > > > I have three questions at this point in time: > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > don't apply to us) > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > too: > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > pooch on something. Are these known issues by chance? > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > wrote: > > > > > > > > Might be relevant for your release preperations: > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" < > > > exabr...@gmail.com>: > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > >resolve dependencies for project > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read > > > > >artifact descriptor for > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > > > >artifacts could not be resolved: > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could > > > > >not transfer artifact > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > >atlassian ( > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due to > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > wrote: > > > > >> > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > Jira, > > > > >> so it gets into the release notes). To update the BOMs you can either > > > > >> rely on the related GitHub action (will do it automatically via a PR) > > > > >> or just run a quick build. > > > > >> > > > > >> > > > > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. > > > > >> Fisher: > > > > >> > Richard: thank you sir, I see my key in there. > > > > >> > Rod: Are the docker images part of the main build? I don't use > > > Docker > > > > >> > professionally, so I'm not very familiar with the whole process. > > > > >> > > > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > >> > > > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > > > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > We've > > > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > > > > >> > and haven't seen any issues. > > > > >> > > > > > >> > > > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > >> > wrote: > > > > >> > > > > > > >> > > Is there anyway to test the keys before we deploy? We have > > > > >> > > issues > > > > >> > > in the past with new keys and verifying the packages when the > > > > >> > > docker images are built. > > > > >> > > > > > > >> > > Thanks, > > > > >> > > Rod. > > > > >> > > > > > > >> > > > > > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > > >> > > > wrote: > > > > >> > > > > > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > >> > > > > > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan > > > > >> > > > > S. > > > > >> > > > > Fisher: > > > > >> > > > > pasted here: > > > > >> > > > > > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > > >> > > > > > > > > >> > > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT
Re: 8.0.16 release
Yep! I just logged that one and pushed a PR. Waiting on CI On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > Should this be included? > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > mitigate CVE-2023-4448 > > Not sure how to find the others without going through commit history. > > Jamie > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > wrote: > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > else is aware of anything else I can upgrade before release, please > > speak up :) > > > > Also good news: for whatever reason, I'm able to build > > tomee-release-tools now. The atlassian maven repository hit me with a > > rate limit briefly but it seems to have lifted. > > > > I have three questions at this point in time: > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > > 2. Are there CVEs we ignore? (basically ones that are present but > > don't apply to us) > > 3. I ran a build locally and got two test failures. Looks like CI did > > too: > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > It doesn't look related to the EclipseLink change unless I screwed the > > pooch on something. Are these known issues by chance? > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > wrote: > > > > > > Might be relevant for your release preperations: > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" < > > exabr...@gmail.com>: > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > >Are the tomee release tools still needed? > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > >resolve dependencies for project > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read > > > >artifact descriptor for > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > > >artifacts could not be resolved: > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could > > > >not transfer artifact > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > >atlassian ( > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > > > >I can't seem to get the artifacts from their Maven repository due to > > > >rate limiting unfortunately. > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > wrote: > > > >> > > > >> Feel free to update 3rd party dependencies (make sure to create a > > Jira, > > > >> so it gets into the release notes). To update the BOMs you can either > > > >> rely on the related GitHub action (will do it automatically via a PR) > > > >> or just run a quick build. > > > >> > > > >> > > > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: > > > >> > Richard: thank you sir, I see my key in there. > > > >> > Rod: Are the docker images part of the main build? I don't use > > Docker > > > >> > professionally, so I'm not very familiar with the whole process. > > > >> > > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > >> > > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > We've > > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > > > >> > and haven't seen any issues. > > > >> > > > > >> > > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > >> > wrote: > > > >> > > > > > >> > > Is there anyway to test the keys before we deploy? We have issues > > > >> > > in the past with new keys and verifying the packages when the > > > >> > > docker images are built. > > > >> > > > > > >> > > Thanks, > > > >> > > Rod. > > > >> > > > > > >> > > > > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > >> > > > wrote: > > > >> > > > > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > >> > > > > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. > > > >> > > > > Fisher: > > > >> > > > > pasted here: > > > >> > > > > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > >> > > > > > > > >> > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT > > > >> > > > > A > > > >> > > > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet > > > >> > > > > 9 > > > >> > > > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf > > > >> > > > > v > > > >> > > > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj > > > >> > > > > a > > > >> > > > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF > > > >>
Re: 8.0.16 release
Should this be included? TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to mitigate CVE-2023-4448 Not sure how to find the others without going through commit history. Jamie On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher wrote: > Richard, thank you sir; I assigned that ticket to myself. If anyone > else is aware of anything else I can upgrade before release, please > speak up :) > > Also good news: for whatever reason, I'm able to build > tomee-release-tools now. The atlassian maven repository hit me with a > rate limit briefly but it seems to have lifted. > > I have three questions at this point in time: > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? > 2. Are there CVEs we ignore? (basically ones that are present but > don't apply to us) > 3. I ran a build locally and got two test failures. Looks like CI did > too: > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > It doesn't look related to the EclipseLink change unless I screwed the > pooch on something. Are these known issues by chance? > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > wrote: > > > > Might be relevant for your release preperations: > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" < > exabr...@gmail.com>: > > >Thank you, eclipselink has been updated and boms also updated. > > > > > >Are the tomee release tools still needed? > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > >resolve dependencies for project > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read > > >artifact descriptor for > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > >artifacts could not be resolved: > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could > > >not transfer artifact > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > >atlassian ( > https://maven.atlassian.com/content/repositories/atlassian-public/): > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > >I can't seem to get the artifacts from their Maven repository due to > > >rate limiting unfortunately. > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > wrote: > > >> > > >> Feel free to update 3rd party dependencies (make sure to create a > Jira, > > >> so it gets into the release notes). To update the BOMs you can either > > >> rely on the related GitHub action (will do it automatically via a PR) > > >> or just run a quick build. > > >> > > >> > > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: > > >> > Richard: thank you sir, I see my key in there. > > >> > Rod: Are the docker images part of the main build? I don't use > Docker > > >> > professionally, so I'm not very familiar with the whole process. > > >> > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > >> > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > We've > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > > >> > and haven't seen any issues. > > >> > > > >> > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > >> > wrote: > > >> > > > > >> > > Is there anyway to test the keys before we deploy? We have issues > > >> > > in the past with new keys and verifying the packages when the > > >> > > docker images are built. > > >> > > > > >> > > Thanks, > > >> > > Rod. > > >> > > > > >> > > > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > >> > > > wrote: > > >> > > > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > >> > > > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. > > >> > > > > Fisher: > > >> > > > > pasted here: > > >> > > > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > >> > > > > > > >> > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT > > >> > > > > A > > >> > > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet > > >> > > > > 9 > > >> > > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf > > >> > > > > v > > >> > > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj > > >> > > > > a > > >> > > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF > > >> > > > > C > > >> > > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM > > >> > > > > f > > >> > > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz > > >> > > > > l > > >> > > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD > > >> > > > > Z > > >> > > > > >
Re: 8.0.16 release
Richard, thank you sir; I assigned that ticket to myself. If anyone else is aware of anything else I can upgrade before release, please speak up :) Also good news: for whatever reason, I'm able to build tomee-release-tools now. The atlassian maven repository hit me with a rate limit briefly but it seems to have lifted. I have three questions at this point in time: 1. Is there a way to scan 8.0.16-SNAPHSOT before release for CVE's? 2. Are there CVEs we ignore? (basically ones that are present but don't apply to us) 3. I ran a build locally and got two test failures. Looks like CI did too: https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ It doesn't look related to the EclipseLink change unless I screwed the pooch on something. Are these known issues by chance? On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla wrote: > > Might be relevant for your release preperations: > https://issues.apache.org/jira/browse/TOMEE-4263 > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > : > >Thank you, eclipselink has been updated and boms also updated. > > > >Are the tomee release tools still needed? > > > >[ERROR] Failed to execute goal on project release-tools: Could not > >resolve dependencies for project > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read > >artifact descriptor for > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > >artifacts could not be resolved: > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could > >not transfer artifact > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > >atlassian > >(https://maven.atlassian.com/content/repositories/atlassian-public/): > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > >I can't seem to get the artifacts from their Maven repository due to > >rate limiting unfortunately. > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla wrote: > >> > >> Feel free to update 3rd party dependencies (make sure to create a Jira, > >> so it gets into the release notes). To update the BOMs you can either > >> rely on the related GitHub action (will do it automatically via a PR) > >> or just run a quick build. > >> > >> > >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: > >> > Richard: thank you sir, I see my key in there. > >> > Rod: Are the docker images part of the main build? I don't use Docker > >> > professionally, so I'm not very familiar with the whole process. > >> > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > >> > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > >> > and haven't seen any issues. > >> > > >> > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > >> > wrote: > >> > > > >> > > Is there anyway to test the keys before we deploy? We have issues > >> > > in the past with new keys and verifying the packages when the > >> > > docker images are built. > >> > > > >> > > Thanks, > >> > > Rod. > >> > > > >> > > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > >> > > > wrote: > >> > > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > >> > > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. > >> > > > > Fisher: > >> > > > > pasted here: > >> > > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- > >> > > > > > >> > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT > >> > > > > A > >> > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet > >> > > > > 9 > >> > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf > >> > > > > v > >> > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj > >> > > > > a > >> > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF > >> > > > > C > >> > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM > >> > > > > f > >> > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz > >> > > > > l > >> > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD > >> > > > > Z > >> > > > > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwI > >> > > > > E > >> > > > > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8Ahs > >> > > > > D > >> > > > > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1l > >> > > > > v > >> > > > > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeuj > >> > > > > f > >> > > > > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnej > >> > > > > C > >> > > > > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFji > >> > > > > i > >> > >
Re: 8.0.16 release
Might be relevant for your release preperations: https://issues.apache.org/jira/browse/TOMEE-4263 Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" : >Thank you, eclipselink has been updated and boms also updated. > >Are the tomee release tools still needed? > >[ERROR] Failed to execute goal on project release-tools: Could not >resolve dependencies for project >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read >artifact descriptor for >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following >artifacts could not be resolved: >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could >not transfer artifact >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to >atlassian (https://maven.atlassian.com/content/repositories/atlassian-public/): >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > >I can't seem to get the artifacts from their Maven repository due to >rate limiting unfortunately. > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla wrote: >> >> Feel free to update 3rd party dependencies (make sure to create a Jira, >> so it gets into the release notes). To update the BOMs you can either >> rely on the related GitHub action (will do it automatically via a PR) >> or just run a quick build. >> >> >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: >> > Richard: thank you sir, I see my key in there. >> > Rod: Are the docker images part of the main build? I don't use Docker >> > professionally, so I'm not very familiar with the whole process. >> > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! >> > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks >> > and haven't seen any issues. >> > >> > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins >> > wrote: >> > > >> > > Is there anyway to test the keys before we deploy? We have issues >> > > in the past with new keys and verifying the packages when the >> > > docker images are built. >> > > >> > > Thanks, >> > > Rod. >> > > >> > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla >> > > > wrote: >> > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS >> > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. >> > > > > Fisher: >> > > > > pasted here: >> > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- >> > > > > >> > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT >> > > > > A >> > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet >> > > > > 9 >> > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf >> > > > > v >> > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj >> > > > > a >> > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF >> > > > > C >> > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM >> > > > > f >> > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz >> > > > > l >> > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD >> > > > > Z >> > > > > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwI >> > > > > E >> > > > > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8Ahs >> > > > > D >> > > > > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1l >> > > > > v >> > > > > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeuj >> > > > > f >> > > > > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnej >> > > > > C >> > > > > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFji >> > > > > i >> > > > > Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVz >> > > > > d >> > > > > OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVl >> > > > > B >> > > > > +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmt >> > > > > E >> > > > > mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQg >> > > > > H >> > > > > AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/O >> > > > > j >> > > > > BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6 >> > > > > c >> > > > > CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJ >> > > > > H >> > > > > zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2 >> > > > > H >> > > > > uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTv >> > > > > o >> > > > > FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQI >> > > > > I >> > > > > yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7 >> > > > > F >> > > > > KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrM >> > > > > z >> > > > >
Re: 8.0.16 release
No, you can also do the sha512 gen + svn upload manually. Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" : >Thank you, eclipselink has been updated and boms also updated. > >Are the tomee release tools still needed? > >[ERROR] Failed to execute goal on project release-tools: Could not >resolve dependencies for project >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read >artifact descriptor for >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following >artifacts could not be resolved: >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could >not transfer artifact >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to >atlassian (https://maven.atlassian.com/content/repositories/atlassian-public/): >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > >I can't seem to get the artifacts from their Maven repository due to >rate limiting unfortunately. > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla wrote: >> >> Feel free to update 3rd party dependencies (make sure to create a Jira, >> so it gets into the release notes). To update the BOMs you can either >> rely on the related GitHub action (will do it automatically via a PR) >> or just run a quick build. >> >> >> Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: >> > Richard: thank you sir, I see my key in there. >> > Rod: Are the docker images part of the main build? I don't use Docker >> > professionally, so I'm not very familiar with the whole process. >> > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! >> > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks >> > and haven't seen any issues. >> > >> > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins >> > wrote: >> > > >> > > Is there anyway to test the keys before we deploy? We have issues >> > > in the past with new keys and verifying the packages when the >> > > docker images are built. >> > > >> > > Thanks, >> > > Rod. >> > > >> > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla >> > > > wrote: >> > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS >> > > > >> > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. >> > > > > Fisher: >> > > > > pasted here: >> > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- >> > > > > >> > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT >> > > > > A >> > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet >> > > > > 9 >> > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf >> > > > > v >> > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj >> > > > > a >> > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF >> > > > > C >> > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM >> > > > > f >> > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz >> > > > > l >> > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD >> > > > > Z >> > > > > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwI >> > > > > E >> > > > > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8Ahs >> > > > > D >> > > > > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1l >> > > > > v >> > > > > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeuj >> > > > > f >> > > > > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnej >> > > > > C >> > > > > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFji >> > > > > i >> > > > > Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVz >> > > > > d >> > > > > OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVl >> > > > > B >> > > > > +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmt >> > > > > E >> > > > > mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQg >> > > > > H >> > > > > AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/O >> > > > > j >> > > > > BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6 >> > > > > c >> > > > > CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJ >> > > > > H >> > > > > zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2 >> > > > > H >> > > > > uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTv >> > > > > o >> > > > > FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQI >> > > > > I >> > > > > yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7 >> > > > > F >> > > > > KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrM >> > > > > z >> > > > >
Re: 8.0.16 release
Thank you, eclipselink has been updated and boms also updated. Are the tomee release tools still needed? [ERROR] Failed to execute goal on project release-tools: Could not resolve dependencies for project org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read artifact descriptor for com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following artifacts could not be resolved: com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could not transfer artifact com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to atlassian (https://maven.atlassian.com/content/repositories/atlassian-public/): status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] I can't seem to get the artifacts from their Maven repository due to rate limiting unfortunately. On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla wrote: > > Feel free to update 3rd party dependencies (make sure to create a Jira, > so it gets into the release notes). To update the BOMs you can either > rely on the related GitHub action (will do it automatically via a PR) > or just run a quick build. > > > Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: > > Richard: thank you sir, I see my key in there. > > Rod: Are the docker images part of the main build? I don't use Docker > > professionally, so I'm not very familiar with the whole process. > > > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > Does anyone have an issue with me updating to eclipselink 2.7.13? > > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've > > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > > and haven't seen any issues. > > > > > > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > wrote: > > > > > > Is there anyway to test the keys before we deploy? We have issues > > > in the past with new keys and verifying the packages when the > > > docker images are built. > > > > > > Thanks, > > > Rod. > > > > > > > > > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > > wrote: > > > > > > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > > > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. > > > > > Fisher: > > > > > pasted here: > > > > > > > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > > > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT > > > > > A > > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet > > > > > 9 > > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf > > > > > v > > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj > > > > > a > > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF > > > > > C > > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM > > > > > f > > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz > > > > > l > > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD > > > > > Z > > > > > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwI > > > > > E > > > > > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8Ahs > > > > > D > > > > > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1l > > > > > v > > > > > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeuj > > > > > f > > > > > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnej > > > > > C > > > > > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFji > > > > > i > > > > > Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVz > > > > > d > > > > > OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVl > > > > > B > > > > > +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmt > > > > > E > > > > > mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQg > > > > > H > > > > > AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/O > > > > > j > > > > > BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6 > > > > > c > > > > > CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJ > > > > > H > > > > > zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2 > > > > > H > > > > > uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTv > > > > > o > > > > > FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQI > > > > > I > > > > > yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7 > > > > > F > > > > > KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrM > > > > > z > > > > > ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+Ahs > > > > > B > > > > > BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0 > > > > > F > > > > > Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itK > > > > > a > > > > >
Re: 8.0.16 release
Feel free to update 3rd party dependencies (make sure to create a Jira, so it gets into the release notes). To update the BOMs you can either rely on the related GitHub action (will do it automatically via a PR) or just run a quick build. Am Mittwoch, dem 25.10.2023 um 08:40 -0500 schrieb Jonathan S. Fisher: > Richard: thank you sir, I see my key in there. > Rod: Are the docker images part of the main build? I don't use Docker > professionally, so I'm not very familiar with the whole process. > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > Does anyone have an issue with me updating to eclipselink 2.7.13? > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > and haven't seen any issues. > > > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > wrote: > > > > Is there anyway to test the keys before we deploy? We have issues > > in the past with new keys and verifying the packages when the > > docker images are built. > > > > Thanks, > > Rod. > > > > > > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > wrote: > > > > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > > > > Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. > > > > Fisher: > > > > pasted here: > > > > > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT > > > > A > > > > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet > > > > 9 > > > > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kf > > > > v > > > > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoj > > > > a > > > > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHF > > > > C > > > > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVM > > > > f > > > > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxz > > > > l > > > > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDD > > > > Z > > > > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwI > > > > E > > > > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8Ahs > > > > D > > > > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1l > > > > v > > > > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeuj > > > > f > > > > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnej > > > > C > > > > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFji > > > > i > > > > Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVz > > > > d > > > > OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVl > > > > B > > > > +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmt > > > > E > > > > mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQg > > > > H > > > > AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/O > > > > j > > > > BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6 > > > > c > > > > CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJ > > > > H > > > > zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2 > > > > H > > > > uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTv > > > > o > > > > FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQI > > > > I > > > > yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7 > > > > F > > > > KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrM > > > > z > > > > ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+Ahs > > > > B > > > > BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0 > > > > F > > > > Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itK > > > > a > > > > J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgj > > > > n > > > > gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+ > > > > c > > > > InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhU > > > > I > > > > CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDN > > > > r > > > > Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg > > > > 6 > > > > 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYw > > > > o > > > > wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBM > > > > T > > > > CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDg > > > > G > > > > ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEF > > > > e > > > > A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6 > > > > L > > > > i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX > > > > 6 > > > > WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1 > > > > P > > > > 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAd > > > > S > > > > mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQ > > > > S > > > > PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQ > > > > Q > > > >
Re: 8.0.16 release
They are NOT apart of the main build. I take care of those manually. Thanks, Rod. Sent from my iPhone > On Oct 25, 2023, at 8:40 AM, Jonathan S. Fisher wrote: > > Richard: thank you sir, I see my key in there. > Rod: Are the docker images part of the main build? I don't use Docker > professionally, so I'm not very familiar with the whole process. > > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > Does anyone have an issue with me updating to eclipselink 2.7.13? > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > and haven't seen any issues. > > >> On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins wrote: >> >> Is there anyway to test the keys before we deploy? We have issues in the >> past with new keys and verifying the packages when the docker images are >> built. >> >> Thanks, >> Rod. >> >>> On Oct 24, 2023, at 9:06 AM, Richard Zowalla wrote: >>> >>> Added to https://dist.apache.org/repos/dist/release/tomee/KEYS >>> Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. Fisher: pasted here: -BEGIN PGP PUBLIC KEY BLOCK- mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGTA G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet9 GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kfv aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoja BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFC AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVMf HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxzl 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDDZ /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwIE FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8AhsD AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1lv uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeujf 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnejC z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFjii Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVzd OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVlB +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmtE mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQgH AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/Oj BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6c CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJH zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2H uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTvo FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQII yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7F KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrMz ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+AhsB BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0F Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itKa J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgjn gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+c InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhUI CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDNr Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg6 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYwo wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBMT CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDgG ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEFe A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6L i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX6 WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1P 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAdS mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQS PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQQ EwoAHRYhBKiwEqxbUFuB2WVeFek/s8oe5jeGBQJbY9mZAAoJEOk/s8oe5jeGpFYC COHHPH2dYN7UgbSjo10XQUbZmnCWYLbVUp85QpX4SfcELJiWpTDeIA+yx/l1oA5q YOxrnUVoqU7DqlX8q+axXXVCAgkBXjEWxhj7U1dX09WdLjMt0IacphezlXyatDXs HQfAgkA7vvP+rYlhA0Wj0ZFSGX6ITUZ33vtElf9YZBN1RtMFmdKI3AQTEwoAQQUL CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZAQUJEPa+ZRYhBIcWOKIafyw4BmRxQgMG o1Qza08NBQJlNX/GAhsBAAoJEAMGo1Qza08NpvkCCIEyKQ4n6erY/9g10YKXZwEK UjDXr2EsCCcXSGHjoU14xyMtAYA+mfhF4xv6KnubHGQOQn2EfCvsagnYCJJXX0Kc AgkBeGP8Js90a1BvZ7cFV6JL8vMsp7HYhsjSZSy/y2HxpFtsnBTi4WJ1PbViN8aK KpABSPhR4u4ACNBYfDjPzhKUjOGI3QQTEwoAQQULCQgHAgYVCAkKCwIEFgIDAQIe AQIXgAUJDxWK5QIbAxYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhkBAAoJ
Re: 8.0.16 release
Richard: thank you sir, I see my key in there. Rod: Are the docker images part of the main build? I don't use Docker professionally, so I'm not very familiar with the whole process. I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! Does anyone have an issue with me updating to eclipselink 2.7.13? https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 We've been running TomEE 8.0.15 with 2.7.13 in production for a few weeks and haven't seen any issues. On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins wrote: > > Is there anyway to test the keys before we deploy? We have issues in the > past with new keys and verifying the packages when the docker images are > built. > > Thanks, > Rod. > > > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla wrote: > > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > >> Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. Fisher: > >> pasted here: > >> > >> -BEGIN PGP PUBLIC KEY BLOCK- > >> > >> mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGTA > >> G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet9 > >> GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kfv > >> aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoja > >> BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFC > >> AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVMf > >> HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxzl > >> 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDDZ > >> /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwIE > >> FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8AhsD > >> AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1lv > >> uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeujf > >> 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnejC > >> z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFjii > >> Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVzd > >> OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVlB > >> +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmtE > >> mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQgH > >> AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/Oj > >> BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6c > >> CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJH > >> zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2H > >> uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTvo > >> FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQII > >> yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7F > >> KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrMz > >> ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+AhsB > >> BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0F > >> Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itKa > >> J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgjn > >> gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+c > >> InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhUI > >> CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDNr > >> Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg6 > >> 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYwo > >> wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBMT > >> CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDgG > >> ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEFe > >> A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6L > >> i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX6 > >> WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1P > >> 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAdS > >> mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQS > >> PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQQ > >> EwoAHRYhBKiwEqxbUFuB2WVeFek/s8oe5jeGBQJbY9mZAAoJEOk/s8oe5jeGpFYC > >> COHHPH2dYN7UgbSjo10XQUbZmnCWYLbVUp85QpX4SfcELJiWpTDeIA+yx/l1oA5q > >> YOxrnUVoqU7DqlX8q+axXXVCAgkBXjEWxhj7U1dX09WdLjMt0IacphezlXyatDXs > >> HQfAgkA7vvP+rYlhA0Wj0ZFSGX6ITUZ33vtElf9YZBN1RtMFmdKI3AQTEwoAQQUL > >> CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZAQUJEPa+ZRYhBIcWOKIafyw4BmRxQgMG > >> o1Qza08NBQJlNX/GAhsBAAoJEAMGo1Qza08NpvkCCIEyKQ4n6erY/9g10YKXZwEK > >> UjDXr2EsCCcXSGHjoU14xyMtAYA+mfhF4xv6KnubHGQOQn2EfCvsagnYCJJXX0Kc > >> AgkBeGP8Js90a1BvZ7cFV6JL8vMsp7HYhsjSZSy/y2HxpFtsnBTi4WJ1PbViN8aK > >> KpABSPhR4u4ACNBYfDjPzhKUjOGI3QQTEwoAQQULCQgHAgYVCAkKCwIEFgIDAQIe > >> AQIXgAUJDxWK5QIbAxYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhkBAAoJ > >> EAMGo1Qza08N6wsCCQHyd3RKJE4X2HyY2fx6tmRkBtj9eMiupsMZMa2brctqQ/zX > >> j+lKxC21H99mfoVS6VFpyM7ipIaSmzc+Xa9ZwLIM0QIJARNw2zzOe7Pdmkkvsrxv > >> 5Dyp3qsX40tGuok3S2R/xPQ2npvs1SpHQUX6VYqqFwPtsxDssgfq9U3xHAj3mDct > >>
Re: 8.0.16 release
Is there anyway to test the keys before we deploy? We have issues in the past with new keys and verifying the packages when the docker images are built. Thanks, Rod. > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla wrote: > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > >> Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. Fisher: >> pasted here: >> >> -BEGIN PGP PUBLIC KEY BLOCK- >> >> mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGTA >> G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet9 >> GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kfv >> aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoja >> BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFC >> AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVMf >> HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxzl >> 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDDZ >> /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwIE >> FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8AhsD >> AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1lv >> uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeujf >> 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnejC >> z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFjii >> Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVzd >> OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVlB >> +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmtE >> mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQgH >> AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/Oj >> BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6c >> CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJH >> zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2H >> uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTvo >> FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQII >> yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7F >> KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrMz >> ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+AhsB >> BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0F >> Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itKa >> J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgjn >> gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+c >> InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhUI >> CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDNr >> Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg6 >> 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYwo >> wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBMT >> CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDgG >> ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEFe >> A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6L >> i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX6 >> WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1P >> 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAdS >> mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQS >> PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQQ >> EwoAHRYhBKiwEqxbUFuB2WVeFek/s8oe5jeGBQJbY9mZAAoJEOk/s8oe5jeGpFYC >> COHHPH2dYN7UgbSjo10XQUbZmnCWYLbVUp85QpX4SfcELJiWpTDeIA+yx/l1oA5q >> YOxrnUVoqU7DqlX8q+axXXVCAgkBXjEWxhj7U1dX09WdLjMt0IacphezlXyatDXs >> HQfAgkA7vvP+rYlhA0Wj0ZFSGX6ITUZ33vtElf9YZBN1RtMFmdKI3AQTEwoAQQUL >> CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZAQUJEPa+ZRYhBIcWOKIafyw4BmRxQgMG >> o1Qza08NBQJlNX/GAhsBAAoJEAMGo1Qza08NpvkCCIEyKQ4n6erY/9g10YKXZwEK >> UjDXr2EsCCcXSGHjoU14xyMtAYA+mfhF4xv6KnubHGQOQn2EfCvsagnYCJJXX0Kc >> AgkBeGP8Js90a1BvZ7cFV6JL8vMsp7HYhsjSZSy/y2HxpFtsnBTi4WJ1PbViN8aK >> KpABSPhR4u4ACNBYfDjPzhKUjOGI3QQTEwoAQQULCQgHAgYVCAkKCwIEFgIDAQIe >> AQIXgAUJDxWK5QIbAxYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhkBAAoJ >> EAMGo1Qza08N6wsCCQHyd3RKJE4X2HyY2fx6tmRkBtj9eMiupsMZMa2brctqQ/zX >> j+lKxC21H99mfoVS6VFpyM7ipIaSmzc+Xa9ZwLIM0QIJARNw2zzOe7Pdmkkvsrxv >> 5Dyp3qsX40tGuok3S2R/xPQ2npvs1SpHQUX6VYqqFwPtsxDssgfq9U3xHAj3mDct >> el5ziN0EExMKAEEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4ACGQEFCRD2vmUWIQSH >> FjiiGn8sOAZkcUIDBqNUM2tPDQUCZTV+DgIbAwAKCRADBqNUM2tPDRNJAgkBA2dX >> HkNTZ+XLKLTdVwcTTV9YUbN0xvjTdAE2ioxIpF9PolZ8xjKFTIHSuOjn65O9NBZi >> hYFD3mPDTwoIZY5xLKMCCQHDFKa1G5SXndrTA3ZYF99m/38Py4x7WpQdLwosJIe3 >> EsHkbRShpOxOJ8tSTCgl/fbQbXySUTZ4dtRDQd+PamJ5HrQvSm9uYXRoYW4gUy4g >> RmlzaGVyIDxleGFicmlhbCtlY2xpcHNlQGdtYWlsLmNvbT6I2QQTEwoAPhYhBIcW >> OKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhsDBQkPFYrlBQsJCAcCBhUKCQgLAgQW >> AgMBAh4BAheAAAoJEAMGo1Qza08NzA0CCLZ3s9y1hMPWSSEuuqPtvU8s4+MLuI+t >> aVGCq3Oe7fOrM9C9SkIK5gYLNSgm2ucM/Qz0UmMRQMt7yFPbbpj5CiTEAgkBg7GS >> 565j0SQYMJD2A8xJLy68K70TN8J4dE6DOFTbEH++z7UcdSbTJdaEh7nhhNnQS9px >>
Re: 8.0.16 release
Added to https://dist.apache.org/repos/dist/release/tomee/KEYS Am Dienstag, dem 24.10.2023 um 08:54 -0500 schrieb Jonathan S. Fisher: > pasted here: > > -BEGIN PGP PUBLIC KEY BLOCK- > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGTA > G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet9 > GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kfv > aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoja > BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFC > AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVMf > HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxzl > 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDDZ > /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwIE > FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8AhsD > AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1lv > uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeujf > 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnejC > z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFjii > Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVzd > OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVlB > +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmtE > mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQgH > AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/Oj > BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6c > CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJH > zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2H > uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTvo > FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQII > yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7F > KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrMz > ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+AhsB > BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0F > Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itKa > J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgjn > gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+c > InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhUI > CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDNr > Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg6 > 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYwo > wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBMT > CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDgG > ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEFe > A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6L > i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX6 > WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1P > 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAdS > mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQS > PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQQ > EwoAHRYhBKiwEqxbUFuB2WVeFek/s8oe5jeGBQJbY9mZAAoJEOk/s8oe5jeGpFYC > COHHPH2dYN7UgbSjo10XQUbZmnCWYLbVUp85QpX4SfcELJiWpTDeIA+yx/l1oA5q > YOxrnUVoqU7DqlX8q+axXXVCAgkBXjEWxhj7U1dX09WdLjMt0IacphezlXyatDXs > HQfAgkA7vvP+rYlhA0Wj0ZFSGX6ITUZ33vtElf9YZBN1RtMFmdKI3AQTEwoAQQUL > CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZAQUJEPa+ZRYhBIcWOKIafyw4BmRxQgMG > o1Qza08NBQJlNX/GAhsBAAoJEAMGo1Qza08NpvkCCIEyKQ4n6erY/9g10YKXZwEK > UjDXr2EsCCcXSGHjoU14xyMtAYA+mfhF4xv6KnubHGQOQn2EfCvsagnYCJJXX0Kc > AgkBeGP8Js90a1BvZ7cFV6JL8vMsp7HYhsjSZSy/y2HxpFtsnBTi4WJ1PbViN8aK > KpABSPhR4u4ACNBYfDjPzhKUjOGI3QQTEwoAQQULCQgHAgYVCAkKCwIEFgIDAQIe > AQIXgAUJDxWK5QIbAxYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhkBAAoJ > EAMGo1Qza08N6wsCCQHyd3RKJE4X2HyY2fx6tmRkBtj9eMiupsMZMa2brctqQ/zX > j+lKxC21H99mfoVS6VFpyM7ipIaSmzc+Xa9ZwLIM0QIJARNw2zzOe7Pdmkkvsrxv > 5Dyp3qsX40tGuok3S2R/xPQ2npvs1SpHQUX6VYqqFwPtsxDssgfq9U3xHAj3mDct > el5ziN0EExMKAEEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4ACGQEFCRD2vmUWIQSH > FjiiGn8sOAZkcUIDBqNUM2tPDQUCZTV+DgIbAwAKCRADBqNUM2tPDRNJAgkBA2dX > HkNTZ+XLKLTdVwcTTV9YUbN0xvjTdAE2ioxIpF9PolZ8xjKFTIHSuOjn65O9NBZi > hYFD3mPDTwoIZY5xLKMCCQHDFKa1G5SXndrTA3ZYF99m/38Py4x7WpQdLwosJIe3 > EsHkbRShpOxOJ8tSTCgl/fbQbXySUTZ4dtRDQd+PamJ5HrQvSm9uYXRoYW4gUy4g > RmlzaGVyIDxleGFicmlhbCtlY2xpcHNlQGdtYWlsLmNvbT6I2QQTEwoAPhYhBIcW > OKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhsDBQkPFYrlBQsJCAcCBhUKCQgLAgQW > AgMBAh4BAheAAAoJEAMGo1Qza08NzA0CCLZ3s9y1hMPWSSEuuqPtvU8s4+MLuI+t > aVGCq3Oe7fOrM9C9SkIK5gYLNSgm2ucM/Qz0UmMRQMt7yFPbbpj5CiTEAgkBg7GS > 565j0SQYMJD2A8xJLy68K70TN8J4dE6DOFTbEH++z7UcdSbTJdaEh7nhhNnQS9px > /yPw+gQZz3NUFCOJW8aI2QQTEwoAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX > gBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJlNWvGBQkQ9r5lAAoJEAMGo1Qza08N > QhECCQFmodrh64RuDR2t4H1ne+zLQUOxlkM6JO8BC8s/nSS8CGJdPi0rpRQCliiM > RgCkbIUdbmBFzx28r7KIabwKBTE+HAIHfeUtjs1wzN6r4qKLscAIDr/p75FvaOYi >
Re: 8.0.16 release
pasted here: -BEGIN PGP PUBLIC KEY BLOCK- mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGTA G2By4TUnNYaR/ranOPJ47IRVr/1E0DBy9RKayUDNFElly6kAfhn/ALMmdv68cet9 GWkNjV/DwEGmtdXnhuGxXioxN1XkoJJNbjDCBEzx/mDDIna7w3jE2v28bXYP9kfv aLgvUdK0J0pvbmF0aGFuIFMuIEZpc2hlciA8ZXhhYnJpYWxAZ21haWwuY29tPoja BBMTCgA+AhsBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFC AwajVDNrTw0FAloq3hgFCQWj6loACgkQAwajVDNrTw2uBwIJASDBvmAQDW59SVMf HZ27HF6CeH1OQM6fdKxfSGZmwZXBp45MsZjzO5cXh1cuJgA1jm72Wblh7PNjAxzl 9lD4Q2o0AgkBJYXTSjXnH395kY//RPzsuibRj4Xzdx2Riwa22h6Nl/TFf1xoFDDZ /9CBP7sNvBpSh4ZohSwr5aYCLxObxvsF/B+I2gQTEwoAPgULCQgHAgYVCAkKCwIE FgIDAQIeAQIXgAUJDxWK5RYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJi12J8AhsD AAoJEAMGo1Qza08N2hoCCQGJD79oA4k1FDY+cStkLQS8QkvTpS8xZScNRKwIW1lv uBKrHpfzYa7RHFh6rdbW5D+07+pNvNBg8o03+h+vr4ezqQIJAUwYTOJZlBIXeujf 4LngH6C0Hc6bb0FtdMh9bHC82Iv7KSIlXcq8PZgrkWMADUu0yeJhLPXQXBzvnejC z6dlmR9uiNgEExMKAD4CGwEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQSHFjii Gn8sOAZkcUIDBqNUM2tPDQUCYtdhegUJDxWK5QAKCRADBqNUM2tPDXbsAgjQhVzd OuT6ZSo+3wXUQjl3scKnSPrzFDimknaZw6Zo0MYpnClY8wSTiYKrmgyUgQ8aQVlB +A3R1NUa/BfhRWyB3QIIjd1IFc8MosTtO3odKhbfmBWsLjKPjupRm6buZWBVNmtE mkY86nmp+vbrjFFYR5gQYa5pY045gXikw86aGUSpv3iI2AQTEwoAPgIbAQULCQgH AgYVCAkKCwIEFgIDAQIeAQIXgBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJhC/Oj BQkNMwXlAAoJEAMGo1Qza08N994CB1IAohe6KsGMKJx6ucfvv7bKfqU+BUaS0m6c CsSDea7wNFFuqK7+21QcJqTyAgIcIsgtkizDqTWQRr5az/l98Q2AAgifl3v+6sJH zisMQffJ9S7C0BKN7vbkmyg+2PxW0Mnvsvr2s34NOmdOTav+jdK4RFrH9bO4UI2H uqb5oBWOCmaf2IjZBBMTCgA+BQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkJZTvo FiEEhxY4ohp/LDgGZHFCAwajVDNrTw0FAl1eDRACGwMACgkQAwajVDNrTw10zQII yVoClrNxQ/D4szu3XhJ9PXPyVelg3TPWpngxPLSvtPcBTrmM88nYCjsYr2YkZm7F KVn0TfxpafDCp3+c0vmXrdwCCQEA3lZ0TMbS6g1qVjr8tP/LcclUl9EcTQBhwrMz ptaKpK5KbwIGqCH/8osk1xBA3sTCCZidQ1DDWR8PDtLtkyv5mYjZBBMTCgA+AhsB BQsJCAcCBhUICQoLAgQWAgMBAh4BAheAFiEEhxY4ohp/LDgGZHFCAwajVDNrTw0F Al0+b/YFCQllO+gACgkQAwajVDNrTw03OwIJAetmR3/nyb7FGWX9a47CgH/4itKa J3wET5QXNBT0G9oJYMBLMpbfchaSaodc2B2ZoGJLE8193CVDjWpVQTpX1Q+aAgjn gqkOqPGRSGBbf4oJjsCCxNd1BQDptepfIxLPnJr9n9LWXhFQJ6m1dX0TYhXqwF+c InjN/G8QtQ6K5M09dg0T44jZBBMTCgAnBQJXm1S+AhsBBQkDwmcABQsJCAcCBhUI CQoLAgQWAgMBAh4BAheAACEJEAMGo1Qza08NFiEEhxY4ohp/LDgGZHFCAwajVDNr Tw1yfwIGMWuJgOMUPEsOMpKowBo5H0hZ+7FXB9pSJO4tw2JR2lmCNlS7dL8BSUg6 8iuUFNLuACPYv3yREYwtWgPHMI/9M/ICCQGLN09dQYTesY5Ivd1YGDdY7WQSoYwo wQm0ggBKH6myPOa/SLizr5o1glhYEfusgLaOYDa9v8FPIIiW0vOWHp6RIYjcBBMT CgBBBQsJCAcCBhUICQoLAgQWAgMBAh4BAheABQkPFYrlAhkBFiEEhxY4ohp/LDgG ZHFCAwajVDNrTw0FAmU1ZXcCGwEACgkQAwajVDNrTw1kSAIIiTKmmWLKGT6/pEFe A+4Nrfm9O7KRRGB7xThijjOKXjHYi2n38fYjod/1oWHFI9h2YRsCiBKF6LDQ6f6L i0cCpbQCCQE9u7C6xrf/139K+KrN31c9BoMx+L/jDcMErzk+lT1O3HbeoXtiKWX6 WD6t/AvqHfvEkg34h1dd8I+2/MzfQ+Ml0oihBBATCgAGBQJadScvAAoJEFdOlh1P 9inBYDwCCQGMrDpimY/uwGoixIwHeca14nCWtCatfyuqX67pMUhNSGGDVmoSEAdS mJ6OhGM2jzqG2qzdAuOxH9tMu8WswAetkQIIhd02g0k2h8fPAQb0G7DSJyUCogQS PC8ZP1KrHFJ4gbt+8EJRDC2K7GnEn0MoMnlQCJflc6bB0qgYkdceTq28kQmIuAQQ EwoAHRYhBKiwEqxbUFuB2WVeFek/s8oe5jeGBQJbY9mZAAoJEOk/s8oe5jeGpFYC COHHPH2dYN7UgbSjo10XQUbZmnCWYLbVUp85QpX4SfcELJiWpTDeIA+yx/l1oA5q YOxrnUVoqU7DqlX8q+axXXVCAgkBXjEWxhj7U1dX09WdLjMt0IacphezlXyatDXs HQfAgkA7vvP+rYlhA0Wj0ZFSGX6ITUZ33vtElf9YZBN1RtMFmdKI3AQTEwoAQQUL CQgHAgYVCAkKCwIEFgIDAQIeAQIXgAIZAQUJEPa+ZRYhBIcWOKIafyw4BmRxQgMG o1Qza08NBQJlNX/GAhsBAAoJEAMGo1Qza08NpvkCCIEyKQ4n6erY/9g10YKXZwEK UjDXr2EsCCcXSGHjoU14xyMtAYA+mfhF4xv6KnubHGQOQn2EfCvsagnYCJJXX0Kc AgkBeGP8Js90a1BvZ7cFV6JL8vMsp7HYhsjSZSy/y2HxpFtsnBTi4WJ1PbViN8aK KpABSPhR4u4ACNBYfDjPzhKUjOGI3QQTEwoAQQULCQgHAgYVCAkKCwIEFgIDAQIe AQIXgAUJDxWK5QIbAxYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhkBAAoJ EAMGo1Qza08N6wsCCQHyd3RKJE4X2HyY2fx6tmRkBtj9eMiupsMZMa2brctqQ/zX j+lKxC21H99mfoVS6VFpyM7ipIaSmzc+Xa9ZwLIM0QIJARNw2zzOe7Pdmkkvsrxv 5Dyp3qsX40tGuok3S2R/xPQ2npvs1SpHQUX6VYqqFwPtsxDssgfq9U3xHAj3mDct el5ziN0EExMKAEEFCwkIBwIGFQgJCgsCBBYCAwECHgECF4ACGQEFCRD2vmUWIQSH FjiiGn8sOAZkcUIDBqNUM2tPDQUCZTV+DgIbAwAKCRADBqNUM2tPDRNJAgkBA2dX HkNTZ+XLKLTdVwcTTV9YUbN0xvjTdAE2ioxIpF9PolZ8xjKFTIHSuOjn65O9NBZi hYFD3mPDTwoIZY5xLKMCCQHDFKa1G5SXndrTA3ZYF99m/38Py4x7WpQdLwosJIe3 EsHkbRShpOxOJ8tSTCgl/fbQbXySUTZ4dtRDQd+PamJ5HrQvSm9uYXRoYW4gUy4g RmlzaGVyIDxleGFicmlhbCtlY2xpcHNlQGdtYWlsLmNvbT6I2QQTEwoAPhYhBIcW OKIafyw4BmRxQgMGo1Qza08NBQJkrYWJAhsDBQkPFYrlBQsJCAcCBhUKCQgLAgQW AgMBAh4BAheAAAoJEAMGo1Qza08NzA0CCLZ3s9y1hMPWSSEuuqPtvU8s4+MLuI+t aVGCq3Oe7fOrM9C9SkIK5gYLNSgm2ucM/Qz0UmMRQMt7yFPbbpj5CiTEAgkBg7GS 565j0SQYMJD2A8xJLy68K70TN8J4dE6DOFTbEH++z7UcdSbTJdaEh7nhhNnQS9px /yPw+gQZz3NUFCOJW8aI2QQTEwoAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIX gBYhBIcWOKIafyw4BmRxQgMGo1Qza08NBQJlNWvGBQkQ9r5lAAoJEAMGo1Qza08N QhECCQFmodrh64RuDR2t4H1ne+zLQUOxlkM6JO8BC8s/nSS8CGJdPi0rpRQCliiM RgCkbIUdbmBFzx28r7KIabwKBTE+HAIHfeUtjs1wzN6r4qKLscAIDr/p75FvaOYi u7AQYLTIamdSbOBXd731koJro7t9q3JVZPiL2s3KAXCjxHAfYz9w7E20J0pvbmF0 aGFuIFMuIEZpc2hlciA8amZpc2hlckBhcGFjaGUub3JnPojaBBMTCgA+FiEEhxY4 ohp/LDgGZHFCAwajVDNrTw0FAmU1V3QCGwMFCQ8ViuUFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQAwajVDNrTw30jwIJASdHa+NzU2uObSBwFvNE2ee9ybppHyz4 UUjnlJPFlIq96jTH+F5CaLDNdLWVTjqxFwKioxqyzV5M/j3WwacOaJ4pAgkB2kPI
Re: 8.0.16 release
The list doesn't allow attachments, so maybe add it as plain text (or put it into a gist) Gruß Richard Am 22. Oktober 2023 21:48:22 MESZ schrieb "Jonathan S. Fisher" : >Attached! Thank you! > >On Sat, Oct 21, 2023 at 7:42 PM Richard Zowalla wrote: >> >> Just send it in the required ascii armored format via your apache mail (or >> via die web ui on lists.apache.org after login. >> >> I can take care of it. >> >> >> Am 22. Oktober 2023 01:05:53 MESZ schrieb "Jonathan S. Fisher" >> : >> >Richard thanks. Anyone on this thread able to add me to the KEYS file? >> >I'd like to give this a roll :) >> > >> >cheers, >> > >> > >> >On Thu, Oct 19, 2023 at 7:12 AM Jamie Johnson wrote: >> >> >> >> Just checking in on this. Anything the community can do to facilitate the >> >> release? >> >> >> >> On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla >> >> wrote: >> >> >> >> > Hi, >> >> > >> >> > see https://tomee.apache.org/dev/release-tomee.html >> >> > >> >> > Might be beneficial to join the ASF slack with your apache.org mail. >> >> > >> >> > Starting the VOTE, moving artifacts to release area as well as updating >> >> > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC >> >> > member. >> >> > >> >> > Gruß >> >> > Richard >> >> > >> >> > Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" < >> >> > exabr...@gmail.com>: >> >> > >-BEGIN PGP SIGNED MESSAGE- >> >> > >Hash: SHA512 >> >> > > >> >> > >ello other TomEE committers :) >> >> > > >> >> > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is >> >> > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to >> >> > >prove I have control of my key. >> >> > > >> >> > >Thank you! >> >> > >-BEGIN PGP SIGNATURE- >> >> > > >> >> > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP >> >> > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY >> >> > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib >> >> > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== >> >> > >=d0gl >> >> > >-END PGP SIGNATURE- >> >> > > >> >> > > >> >> > > >> >> > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson >> >> > >wrote: >> >> > >> >> >> > >> Looks like tomcat 9.0.82 was released! >> >> > >> >> >> > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson >> >> > wrote: >> >> > >> >> >> > >> > Looks right to me as well. Thanks Richard! >> >> > >> > >> >> > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla >> >> > >> > > >> > > >> >> > >> > wrote: >> >> > >> > >> >> > >> >> I think we are running into >> >> > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 >> >> > >> >> >> >> > >> >> This requires 9.0.82 to become available. >> >> > >> >> >> >> > >> >> They are already voting: >> >> > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j >> >> > >> >> >> >> > >> >> After 9.0.82 becomes available, we are most likely in a good >> >> > >> >> shape to >> >> > >> >> start a release >> >> > >> >> >> >> > >> >> Gruß >> >> > >> >> Richard >> >> > >> >> >> >> > >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < >> >> > >> >> rich...@zowalla.com>: >> >> > >> >> >It seems the Tomcat upgrade breaks some connection pool related >> >> > tests. >> >> > >> >> > >> >> > >> >> >I guess we need to check our integration code to fix it: >> >> > >> >> >> >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ >> >> > >> >> > >> >> > >> >> >So if anyone wants to dig, feel free. >> >> > >> >> > >> >> > >> >> > >> >> > >> >> > >> >> > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < >> >> > >> >> jej2...@gmail.com>: >> >> > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) >> >> > that >> >> > >> >> can be >> >> > >> >> >>addressed, but need to be reviewed. The format below is >> >> > >> >> >>dependency >> >> > >> >> >>current_version (fix_version). >> >> > >> >> >> >> >> > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >> >> > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >> >> > >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx >> >> > >> >> >>(4.3.5) >> >> > >> >> >> >> >> > >> >> >>xalan:xalan 2.7.2 (2.7.3) >> >> > >> >> >>GHSA-9339-86wc-4qgf (2.7.3) >> >> > >> >> >> >> >> > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) >> >> > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), >> >> > >> >> GHSA-h436-432x-8fvx >> >> > >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >> >> > >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) >> >> > >> >> >> >> >> > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 >> >> > >> >> >>(9.4.51.v20230217) >> >> > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >> >> > >> >> >>(9.4.51.v20230217) >> >> > >> >> >> >> >> > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914
Re: 8.0.16 release
Attached! Thank you! On Sat, Oct 21, 2023 at 7:42 PM Richard Zowalla wrote: > > Just send it in the required ascii armored format via your apache mail (or > via die web ui on lists.apache.org after login. > > I can take care of it. > > > Am 22. Oktober 2023 01:05:53 MESZ schrieb "Jonathan S. Fisher" > : > >Richard thanks. Anyone on this thread able to add me to the KEYS file? > >I'd like to give this a roll :) > > > >cheers, > > > > > >On Thu, Oct 19, 2023 at 7:12 AM Jamie Johnson wrote: > >> > >> Just checking in on this. Anything the community can do to facilitate the > >> release? > >> > >> On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla > >> wrote: > >> > >> > Hi, > >> > > >> > see https://tomee.apache.org/dev/release-tomee.html > >> > > >> > Might be beneficial to join the ASF slack with your apache.org mail. > >> > > >> > Starting the VOTE, moving artifacts to release area as well as updating > >> > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC member. > >> > > >> > Gruß > >> > Richard > >> > > >> > Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" < > >> > exabr...@gmail.com>: > >> > >-BEGIN PGP SIGNED MESSAGE- > >> > >Hash: SHA512 > >> > > > >> > >ello other TomEE committers :) > >> > > > >> > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is > >> > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to > >> > >prove I have control of my key. > >> > > > >> > >Thank you! > >> > >-BEGIN PGP SIGNATURE- > >> > > > >> > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP > >> > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY > >> > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib > >> > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== > >> > >=d0gl > >> > >-END PGP SIGNATURE- > >> > > > >> > > > >> > > > >> > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: > >> > >> > >> > >> Looks like tomcat 9.0.82 was released! > >> > >> > >> > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson > >> > wrote: > >> > >> > >> > >> > Looks right to me as well. Thanks Richard! > >> > >> > > >> > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > >> > >> > >> > > > >> > >> > wrote: > >> > >> > > >> > >> >> I think we are running into > >> > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 > >> > >> >> > >> > >> >> This requires 9.0.82 to become available. > >> > >> >> > >> > >> >> They are already voting: > >> > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j > >> > >> >> > >> > >> >> After 9.0.82 becomes available, we are most likely in a good shape > >> > >> >> to > >> > >> >> start a release > >> > >> >> > >> > >> >> Gruß > >> > >> >> Richard > >> > >> >> > >> > >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < > >> > >> >> rich...@zowalla.com>: > >> > >> >> >It seems the Tomcat upgrade breaks some connection pool related > >> > tests. > >> > >> >> > > >> > >> >> >I guess we need to check our integration code to fix it: > >> > >> >> > >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > >> > >> >> > > >> > >> >> >So if anyone wants to dig, feel free. > >> > >> >> > > >> > >> >> > > >> > >> >> > > >> > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < > >> > >> >> jej2...@gmail.com>: > >> > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) > >> > that > >> > >> >> can be > >> > >> >> >>addressed, but need to be reviewed. The format below is > >> > >> >> >>dependency > >> > >> >> >>current_version (fix_version). > >> > >> >> >> > >> > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > >> > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > >> > >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx > >> > >> >> >>(4.3.5) > >> > >> >> >> > >> > >> >> >>xalan:xalan 2.7.2 (2.7.3) > >> > >> >> >>GHSA-9339-86wc-4qgf (2.7.3) > >> > >> >> >> > >> > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) > >> > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > >> > >> >> GHSA-h436-432x-8fvx > >> > >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > >> > >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >> > >> >> >> > >> > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 > >> > >> >> >>(9.4.51.v20230217) > >> > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > >> > >> >> >>(9.4.51.v20230217) > >> > >> >> >> > >> > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > >> > >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >> > >> >> >> > >> > >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > >> > >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) > >> > >> >> >> > >> > >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > >> > >> >> >>GHSA-9279-7hph-r3xw
Re: 8.0.16 release
Just send it in the required ascii armored format via your apache mail (or via die web ui on lists.apache.org after login. I can take care of it. Am 22. Oktober 2023 01:05:53 MESZ schrieb "Jonathan S. Fisher" : >Richard thanks. Anyone on this thread able to add me to the KEYS file? >I'd like to give this a roll :) > >cheers, > > >On Thu, Oct 19, 2023 at 7:12 AM Jamie Johnson wrote: >> >> Just checking in on this. Anything the community can do to facilitate the >> release? >> >> On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla wrote: >> >> > Hi, >> > >> > see https://tomee.apache.org/dev/release-tomee.html >> > >> > Might be beneficial to join the ASF slack with your apache.org mail. >> > >> > Starting the VOTE, moving artifacts to release area as well as updating >> > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC member. >> > >> > Gruß >> > Richard >> > >> > Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" < >> > exabr...@gmail.com>: >> > >-BEGIN PGP SIGNED MESSAGE- >> > >Hash: SHA512 >> > > >> > >ello other TomEE committers :) >> > > >> > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is >> > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to >> > >prove I have control of my key. >> > > >> > >Thank you! >> > >-BEGIN PGP SIGNATURE- >> > > >> > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP >> > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY >> > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib >> > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== >> > >=d0gl >> > >-END PGP SIGNATURE- >> > > >> > > >> > > >> > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: >> > >> >> > >> Looks like tomcat 9.0.82 was released! >> > >> >> > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson >> > wrote: >> > >> >> > >> > Looks right to me as well. Thanks Richard! >> > >> > >> > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > > > >> > >> > wrote: >> > >> > >> > >> >> I think we are running into >> > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 >> > >> >> >> > >> >> This requires 9.0.82 to become available. >> > >> >> >> > >> >> They are already voting: >> > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j >> > >> >> >> > >> >> After 9.0.82 becomes available, we are most likely in a good shape to >> > >> >> start a release >> > >> >> >> > >> >> Gruß >> > >> >> Richard >> > >> >> >> > >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < >> > >> >> rich...@zowalla.com>: >> > >> >> >It seems the Tomcat upgrade breaks some connection pool related >> > tests. >> > >> >> > >> > >> >> >I guess we need to check our integration code to fix it: >> > >> >> >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ >> > >> >> > >> > >> >> >So if anyone wants to dig, feel free. >> > >> >> > >> > >> >> > >> > >> >> > >> > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < >> > >> >> jej2...@gmail.com>: >> > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) >> > that >> > >> >> can be >> > >> >> >>addressed, but need to be reviewed. The format below is dependency >> > >> >> >>current_version (fix_version). >> > >> >> >> >> > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >> > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >> > >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) >> > >> >> >> >> > >> >> >>xalan:xalan 2.7.2 (2.7.3) >> > >> >> >>GHSA-9339-86wc-4qgf (2.7.3) >> > >> >> >> >> > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) >> > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), >> > >> >> GHSA-h436-432x-8fvx >> > >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >> > >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) >> > >> >> >> >> > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >> > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >> > >> >> >>(9.4.51.v20230217) >> > >> >> >> >> > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >> > >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) >> > >> >> >> >> > >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >> > >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) >> > >> >> >> >> > >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >> > >> >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >> > >> >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) >> > >> >> >> >> > >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9) >> > >> >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) >> > >> >> >> >> > >> >> >>org.webjars:handlebars 1.2.1 (4.7.7) >> > >> >> >>GHSA-f2jv-r9rf-7988 (4.7.7) >> > >> >> >> >> > >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >> > >> >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h
Re: 8.0.16 release
Richard thanks. Anyone on this thread able to add me to the KEYS file? I'd like to give this a roll :) cheers, On Thu, Oct 19, 2023 at 7:12 AM Jamie Johnson wrote: > > Just checking in on this. Anything the community can do to facilitate the > release? > > On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla wrote: > > > Hi, > > > > see https://tomee.apache.org/dev/release-tomee.html > > > > Might be beneficial to join the ASF slack with your apache.org mail. > > > > Starting the VOTE, moving artifacts to release area as well as updating > > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC member. > > > > Gruß > > Richard > > > > Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" < > > exabr...@gmail.com>: > > >-BEGIN PGP SIGNED MESSAGE- > > >Hash: SHA512 > > > > > >ello other TomEE committers :) > > > > > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is > > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to > > >prove I have control of my key. > > > > > >Thank you! > > >-BEGIN PGP SIGNATURE- > > > > > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP > > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY > > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib > > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== > > >=d0gl > > >-END PGP SIGNATURE- > > > > > > > > > > > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: > > >> > > >> Looks like tomcat 9.0.82 was released! > > >> > > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson > > wrote: > > >> > > >> > Looks right to me as well. Thanks Richard! > > >> > > > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > > > > >> > wrote: > > >> > > > >> >> I think we are running into > > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 > > >> >> > > >> >> This requires 9.0.82 to become available. > > >> >> > > >> >> They are already voting: > > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j > > >> >> > > >> >> After 9.0.82 becomes available, we are most likely in a good shape to > > >> >> start a release > > >> >> > > >> >> Gruß > > >> >> Richard > > >> >> > > >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < > > >> >> rich...@zowalla.com>: > > >> >> >It seems the Tomcat upgrade breaks some connection pool related > > tests. > > >> >> > > > >> >> >I guess we need to check our integration code to fix it: > > >> >> > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > > >> >> > > > >> >> >So if anyone wants to dig, feel free. > > >> >> > > > >> >> > > > >> >> > > > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < > > >> >> jej2...@gmail.com>: > > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) > > that > > >> >> can be > > >> >> >>addressed, but need to be reviewed. The format below is dependency > > >> >> >>current_version (fix_version). > > >> >> >> > > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > > >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > > >> >> >> > > >> >> >>xalan:xalan 2.7.2 (2.7.3) > > >> >> >>GHSA-9339-86wc-4qgf (2.7.3) > > >> >> >> > > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) > > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > > >> >> GHSA-h436-432x-8fvx > > >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > > >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > > >> >> >> > > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) > > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > > >> >> >>(9.4.51.v20230217) > > >> >> >> > > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > > >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > > >> >> >> > > >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > > >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) > > >> >> >> > > >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > > >> >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq > > >> >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > > >> >> >> > > >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9) > > >> >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) > > >> >> >> > > >> >> >>org.webjars:handlebars 1.2.1 (4.7.7) > > >> >> >>GHSA-f2jv-r9rf-7988 (4.7.7) > > >> >> >> > > >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) > > >> >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > > >> >> >> > > >> >> >> > > >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson > > >> >> wrote: > > >> >> >> > > >> >> >>> How deep down the rabbit hole should the dependency checks > > normally > > >> >> go? > > >> >> >>> Looks like the big ones I was tracking with security updates were > > >> >> done. > > >> >> >>> > > >> >> >>>
Re: 8.0.16 release
Just checking in on this. Anything the community can do to facilitate the release? On Tue, Oct 17, 2023 at 9:58 AM Richard Zowalla wrote: > Hi, > > see https://tomee.apache.org/dev/release-tomee.html > > Might be beneficial to join the ASF slack with your apache.org mail. > > Starting the VOTE, moving artifacts to release area as well as updating > https://downloads.apache.org/tomee/KEYS needs to be done by a PMC member. > > Gruß > Richard > > Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" < > exabr...@gmail.com>: > >-BEGIN PGP SIGNED MESSAGE- > >Hash: SHA512 > > > >ello other TomEE committers :) > > > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is > >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to > >prove I have control of my key. > > > >Thank you! > >-BEGIN PGP SIGNATURE- > > > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP > >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY > >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib > >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== > >=d0gl > >-END PGP SIGNATURE- > > > > > > > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: > >> > >> Looks like tomcat 9.0.82 was released! > >> > >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson > wrote: > >> > >> > Looks right to me as well. Thanks Richard! > >> > > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > > >> > wrote: > >> > > >> >> I think we are running into > >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 > >> >> > >> >> This requires 9.0.82 to become available. > >> >> > >> >> They are already voting: > >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j > >> >> > >> >> After 9.0.82 becomes available, we are most likely in a good shape to > >> >> start a release > >> >> > >> >> Gruß > >> >> Richard > >> >> > >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < > >> >> rich...@zowalla.com>: > >> >> >It seems the Tomcat upgrade breaks some connection pool related > tests. > >> >> > > >> >> >I guess we need to check our integration code to fix it: > >> >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > >> >> > > >> >> >So if anyone wants to dig, feel free. > >> >> > > >> >> > > >> >> > > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < > >> >> jej2...@gmail.com>: > >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) > that > >> >> can be > >> >> >>addressed, but need to be reviewed. The format below is dependency > >> >> >>current_version (fix_version). > >> >> >> > >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > >> >> >> > >> >> >>xalan:xalan 2.7.2 (2.7.3) > >> >> >>GHSA-9339-86wc-4qgf (2.7.3) > >> >> >> > >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) > >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > >> >> GHSA-h436-432x-8fvx > >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >> >> >> > >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) > >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > >> >> >>(9.4.51.v20230217) > >> >> >> > >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >> >> >> > >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) > >> >> >> > >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > >> >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq > >> >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > >> >> >> > >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9) > >> >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) > >> >> >> > >> >> >>org.webjars:handlebars 1.2.1 (4.7.7) > >> >> >>GHSA-f2jv-r9rf-7988 (4.7.7) > >> >> >> > >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) > >> >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > >> >> >> > >> >> >> > >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson > >> >> wrote: > >> >> >> > >> >> >>> How deep down the rabbit hole should the dependency checks > normally > >> >> go? > >> >> >>> Looks like the big ones I was tracking with security updates were > >> >> done. > >> >> >>> > >> >> >>> johnzon 1.2.21 > >> >> >>> tomcat 9.0.81 > >> >> >>> bouncy castle 1.76 > >> >> >>> > >> >> >>> Still poking around a bit but there’s obviously a lot. > >> >> >>> > >> >> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla > > >> >> wrote: > >> >> >>> > >> >> In theory, every committer can act as release manager. > >> >> > >> >> There are some steps in the process, which requires PMC karma, > though > >> >> (such as
Re: 8.0.16 release
Hi, see https://tomee.apache.org/dev/release-tomee.html Might be beneficial to join the ASF slack with your apache.org mail. Starting the VOTE, moving artifacts to release area as well as updating https://downloads.apache.org/tomee/KEYS needs to be done by a PMC member. Gruß Richard Am 17. Oktober 2023 15:50:33 MESZ schrieb "Jonathan S. Fisher" : >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >ello other TomEE committers :) > >If I wanted to cut 8.0.16, how do I do that? My personal GPG key is >871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to >prove I have control of my key. > >Thank you! >-BEGIN PGP SIGNATURE- > >iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP >DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY >NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib >RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== >=d0gl >-END PGP SIGNATURE- > > > >On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: >> >> Looks like tomcat 9.0.82 was released! >> >> On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson wrote: >> >> > Looks right to me as well. Thanks Richard! >> > >> > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla >> > wrote: >> > >> >> I think we are running into >> >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 >> >> >> >> This requires 9.0.82 to become available. >> >> >> >> They are already voting: >> >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j >> >> >> >> After 9.0.82 becomes available, we are most likely in a good shape to >> >> start a release >> >> >> >> Gruß >> >> Richard >> >> >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < >> >> rich...@zowalla.com>: >> >> >It seems the Tomcat upgrade breaks some connection pool related tests. >> >> > >> >> >I guess we need to check our integration code to fix it: >> >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ >> >> > >> >> >So if anyone wants to dig, feel free. >> >> > >> >> > >> >> > >> >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < >> >> jej2...@gmail.com>: >> >> >>There are other vulnerabilities (pulled from https://osv.dev/) that >> >> can be >> >> >>addressed, but need to be reviewed. The format below is dependency >> >> >>current_version (fix_version). >> >> >> >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >> >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >> >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) >> >> >> >> >> >>xalan:xalan 2.7.2 (2.7.3) >> >> >>GHSA-9339-86wc-4qgf (2.7.3) >> >> >> >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) >> >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), >> >> GHSA-h436-432x-8fvx >> >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >> >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) >> >> >> >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >> >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >> >> >>(9.4.51.v20230217) >> >> >> >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >> >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) >> >> >> >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >> >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) >> >> >> >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >> >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >> >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) >> >> >> >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9) >> >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) >> >> >> >> >> >>org.webjars:handlebars 1.2.1 (4.7.7) >> >> >>GHSA-f2jv-r9rf-7988 (4.7.7) >> >> >> >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >> >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) >> >> >> >> >> >> >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson >> >> wrote: >> >> >> >> >> >>> How deep down the rabbit hole should the dependency checks normally >> >> go? >> >> >>> Looks like the big ones I was tracking with security updates were >> >> done. >> >> >>> >> >> >>> johnzon 1.2.21 >> >> >>> tomcat 9.0.81 >> >> >>> bouncy castle 1.76 >> >> >>> >> >> >>> Still poking around a bit but there’s obviously a lot. >> >> >>> >> >> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla >> >> wrote: >> >> >>> >> >> In theory, every committer can act as release manager. >> >> >> >> There are some steps in the process, which requires PMC karma, though >> >> (such as adding a key to the KEYS file, moving stuff to the release >> >> are >> >> on SVN, start the VOTE, etc.). >> >> >> >> The process is documented here: [1] >> >> >> >> That being said: >> >> >> >> I am currently planning to start the release process for TomEE 9.1.1 >> >> within this week. Due to the Tomcat security issues released >> >> yesterday, >> >> we need to do some backporting, which will
Re: 8.0.16 release
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 ello other TomEE committers :) If I wanted to cut 8.0.16, how do I do that? My personal GPG key is 871638A21A7F2C38066471420306A354336B4F0D. I'll sign this text block to prove I have control of my key. Thank you! -BEGIN PGP SIGNATURE- iLkEARMKAB0WIQSHFjiiGn8sOAZkcUIDBqNUM2tPDQUCZS6RIAAKCRADBqNUM2tP DYahAgkBNYn+LlIdFttvNW6KAJXHgNEQxmjJ6ALb7VaaEdqAXjMNxwglLQQQVOVY NtRxRj5nHDOXUVqwLjftisxyNnAkx50CCQHYbqySGYuWOxMdS8jsDGA2/UjTp0ib RkLoChrMvppzIK5GOvd0UyBKmrvG3dkzJwQllPZ3EYvNZfLyl+/K5oOshg== =d0gl -END PGP SIGNATURE- On Sat, Oct 14, 2023 at 6:12 AM Jamie Johnson wrote: > > Looks like tomcat 9.0.82 was released! > > On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson wrote: > > > Looks right to me as well. Thanks Richard! > > > > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > > wrote: > > > >> I think we are running into > >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 > >> > >> This requires 9.0.82 to become available. > >> > >> They are already voting: > >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j > >> > >> After 9.0.82 becomes available, we are most likely in a good shape to > >> start a release > >> > >> Gruß > >> Richard > >> > >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < > >> rich...@zowalla.com>: > >> >It seems the Tomcat upgrade breaks some connection pool related tests. > >> > > >> >I guess we need to check our integration code to fix it: > >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > >> > > >> >So if anyone wants to dig, feel free. > >> > > >> > > >> > > >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < > >> jej2...@gmail.com>: > >> >>There are other vulnerabilities (pulled from https://osv.dev/) that > >> can be > >> >>addressed, but need to be reviewed. The format below is dependency > >> >>current_version (fix_version). > >> >> > >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > >> >> > >> >>xalan:xalan 2.7.2 (2.7.3) > >> >>GHSA-9339-86wc-4qgf (2.7.3) > >> >> > >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) > >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > >> GHSA-h436-432x-8fvx > >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >> >> > >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) > >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > >> >>(9.4.51.v20230217) > >> >> > >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >> >> > >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) > >> >> > >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq > >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > >> >> > >> >>com.google.code.gson:gson 2.2.4 (2.8.9) > >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) > >> >> > >> >>org.webjars:handlebars 1.2.1 (4.7.7) > >> >>GHSA-f2jv-r9rf-7988 (4.7.7) > >> >> > >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) > >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > >> >> > >> >> > >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson > >> wrote: > >> >> > >> >>> How deep down the rabbit hole should the dependency checks normally > >> go? > >> >>> Looks like the big ones I was tracking with security updates were > >> done. > >> >>> > >> >>> johnzon 1.2.21 > >> >>> tomcat 9.0.81 > >> >>> bouncy castle 1.76 > >> >>> > >> >>> Still poking around a bit but there’s obviously a lot. > >> >>> > >> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla > >> wrote: > >> >>> > >> In theory, every committer can act as release manager. > >> > >> There are some steps in the process, which requires PMC karma, though > >> (such as adding a key to the KEYS file, moving stuff to the release > >> are > >> on SVN, start the VOTE, etc.). > >> > >> The process is documented here: [1] > >> > >> That being said: > >> > >> I am currently planning to start the release process for TomEE 9.1.1 > >> within this week. Due to the Tomcat security issues released > >> yesterday, > >> we need to do some backporting, which will consume additional time. > >> (It > >> just interrupted my preparations, so it needs additional CI / TCK > >> cycles) > >> > >> A release usally consumes around 1-3 hours of work. Mostly because > >> you > >> have to wait for stuff being build or to run some basic sanity checks > >> before starting and to not forget any step. > >> > >> What would really help for a TomEE 8.0.16 is to carefully re-check > >> the > >> current dependencies for
Re: 8.0.16 release
Looks like tomcat 9.0.82 was released! On Wed, Oct 11, 2023 at 12:54 PM Jamie Johnson wrote: > Looks right to me as well. Thanks Richard! > > On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla > wrote: > >> I think we are running into >> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 >> >> This requires 9.0.82 to become available. >> >> They are already voting: >> https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j >> >> After 9.0.82 becomes available, we are most likely in a good shape to >> start a release >> >> Gruß >> Richard >> >> Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < >> rich...@zowalla.com>: >> >It seems the Tomcat upgrade breaks some connection pool related tests. >> > >> >I guess we need to check our integration code to fix it: >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ >> > >> >So if anyone wants to dig, feel free. >> > >> > >> > >> >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < >> jej2...@gmail.com>: >> >>There are other vulnerabilities (pulled from https://osv.dev/) that >> can be >> >>addressed, but need to be reviewed. The format below is dependency >> >>current_version (fix_version). >> >> >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >> >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >> >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) >> >> >> >>xalan:xalan 2.7.2 (2.7.3) >> >>GHSA-9339-86wc-4qgf (2.7.3) >> >> >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) >> >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), >> GHSA-h436-432x-8fvx >> >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >> >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) >> >> >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >> >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >> >>(9.4.51.v20230217) >> >> >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >> >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) >> >> >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >> >>GHSA-3gh6-v5v9-6v9j (9.4.53) >> >> >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >> >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >> >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) >> >> >> >>com.google.code.gson:gson 2.2.4 (2.8.9) >> >>GHSA-4jrv-ppp4-jm57 (2.8.9) >> >> >> >>org.webjars:handlebars 1.2.1 (4.7.7) >> >>GHSA-f2jv-r9rf-7988 (4.7.7) >> >> >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >> >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) >> >> >> >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson >> wrote: >> >> >> >>> How deep down the rabbit hole should the dependency checks normally >> go? >> >>> Looks like the big ones I was tracking with security updates were >> done. >> >>> >> >>> johnzon 1.2.21 >> >>> tomcat 9.0.81 >> >>> bouncy castle 1.76 >> >>> >> >>> Still poking around a bit but there’s obviously a lot. >> >>> >> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla >> wrote: >> >>> >> In theory, every committer can act as release manager. >> >> There are some steps in the process, which requires PMC karma, though >> (such as adding a key to the KEYS file, moving stuff to the release >> are >> on SVN, start the VOTE, etc.). >> >> The process is documented here: [1] >> >> That being said: >> >> I am currently planning to start the release process for TomEE 9.1.1 >> within this week. Due to the Tomcat security issues released >> yesterday, >> we need to do some backporting, which will consume additional time. >> (It >> just interrupted my preparations, so it needs additional CI / TCK >> cycles) >> >> A release usally consumes around 1-3 hours of work. Mostly because >> you >> have to wait for stuff being build or to run some basic sanity checks >> before starting and to not forget any step. >> >> What would really help for a TomEE 8.0.16 is to carefully re-check >> the >> current dependencies for important 3rd party dependencies (and update >> if needed. Note: Each update or bunch of updates shouldn't break the >> build. A full build on CI takes around 4-8 hours) on that branch, >> build >> it locally and conduct some sanity checks (for example: same lib in >> different versions in /lib -> check and fix) with the created >> tar.gz/zip files. >> >> This is one of the steps, which usually consumes a lot of time. If >> you >> want to give it a try, I am happy to help out for the steps which >> require PMC involvement. Otherwise, I might find some time in the >> next >> week to start a release of 8.0.16 - just let me know and I can plan >> my >> time accordingly ;-) >> >> Gruß >> Richard >> >> >> >> >> [1] https://tomee.apache.org/dev/release-tomee.html >> >> >>
Re: 8.0.16 release
Looks right to me as well. Thanks Richard! On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla wrote: > I think we are running into > https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 > > This requires 9.0.82 to become available. > > They are already voting: > https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j > > After 9.0.82 becomes available, we are most likely in a good shape to > start a release > > Gruß > Richard > > Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla < > rich...@zowalla.com>: > >It seems the Tomcat upgrade breaks some connection pool related tests. > > > >I guess we need to check our integration code to fix it: > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > > > >So if anyone wants to dig, feel free. > > > > > > > >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson < > jej2...@gmail.com>: > >>There are other vulnerabilities (pulled from https://osv.dev/) that can > be > >>addressed, but need to be reviewed. The format below is dependency > >>current_version (fix_version). > >> > >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > >> > >>xalan:xalan 2.7.2 (2.7.3) > >>GHSA-9339-86wc-4qgf (2.7.3) > >> > >>org.apache.commons:commons-compress 1.14 (>=1.24.0) > >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > GHSA-h436-432x-8fvx > >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >> > >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) > >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > >>(9.4.51.v20230217) > >> > >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >> > >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > >>GHSA-3gh6-v5v9-6v9j (9.4.53) > >> > >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq > >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > >> > >>com.google.code.gson:gson 2.2.4 (2.8.9) > >>GHSA-4jrv-ppp4-jm57 (2.8.9) > >> > >>org.webjars:handlebars 1.2.1 (4.7.7) > >>GHSA-f2jv-r9rf-7988 (4.7.7) > >> > >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) > >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > >> > >> > >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: > >> > >>> How deep down the rabbit hole should the dependency checks normally go? > >>> Looks like the big ones I was tracking with security updates were done. > >>> > >>> johnzon 1.2.21 > >>> tomcat 9.0.81 > >>> bouncy castle 1.76 > >>> > >>> Still poking around a bit but there’s obviously a lot. > >>> > >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla > wrote: > >>> > In theory, every committer can act as release manager. > > There are some steps in the process, which requires PMC karma, though > (such as adding a key to the KEYS file, moving stuff to the release > are > on SVN, start the VOTE, etc.). > > The process is documented here: [1] > > That being said: > > I am currently planning to start the release process for TomEE 9.1.1 > within this week. Due to the Tomcat security issues released > yesterday, > we need to do some backporting, which will consume additional time. > (It > just interrupted my preparations, so it needs additional CI / TCK > cycles) > > A release usally consumes around 1-3 hours of work. Mostly because you > have to wait for stuff being build or to run some basic sanity checks > before starting and to not forget any step. > > What would really help for a TomEE 8.0.16 is to carefully re-check the > current dependencies for important 3rd party dependencies (and update > if needed. Note: Each update or bunch of updates shouldn't break the > build. A full build on CI takes around 4-8 hours) on that branch, > build > it locally and conduct some sanity checks (for example: same lib in > different versions in /lib -> check and fix) with the created > tar.gz/zip files. > > This is one of the steps, which usually consumes a lot of time. If you > want to give it a try, I am happy to help out for the steps which > require PMC involvement. Otherwise, I might find some time in the next > week to start a release of 8.0.16 - just let me know and I can plan my > time accordingly ;-) > > Gruß > Richard > > > > > [1] https://tomee.apache.org/dev/release-tomee.html > > > Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: > > Jean-Louis, are there directions anywhere? Not promising anything :) > > > > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro > > wrote: > > > > > >
Re: 8.0.16 release
I think we are running into https://bz.apache.org/bugzilla/show_bug.cgi?id=67664 This requires 9.0.82 to become available. They are already voting: https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j After 9.0.82 becomes available, we are most likely in a good shape to start a release Gruß Richard Am 11. Oktober 2023 18:14:09 MESZ schrieb Richard Zowalla : >It seems the Tomcat upgrade breaks some connection pool related tests. > >I guess we need to check our integration code to fix it: >https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ > >So if anyone wants to dig, feel free. > > > >Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson : >>There are other vulnerabilities (pulled from https://osv.dev/) that can be >>addressed, but need to be reviewed. The format below is dependency >>current_version (fix_version). >> >>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) >> >>xalan:xalan 2.7.2 (2.7.3) >>GHSA-9339-86wc-4qgf (2.7.3) >> >>org.apache.commons:commons-compress 1.14 (>=1.24.0) >>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx >>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) >> >>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >>(9.4.51.v20230217) >> >>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) >> >>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >>GHSA-3gh6-v5v9-6v9j (9.4.53) >> >>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) >> >>com.google.code.gson:gson 2.2.4 (2.8.9) >>GHSA-4jrv-ppp4-jm57 (2.8.9) >> >>org.webjars:handlebars 1.2.1 (4.7.7) >>GHSA-f2jv-r9rf-7988 (4.7.7) >> >>org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) >> >> >>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: >> >>> How deep down the rabbit hole should the dependency checks normally go? >>> Looks like the big ones I was tracking with security updates were done. >>> >>> johnzon 1.2.21 >>> tomcat 9.0.81 >>> bouncy castle 1.76 >>> >>> Still poking around a bit but there’s obviously a lot. >>> >>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla wrote: >>> In theory, every committer can act as release manager. There are some steps in the process, which requires PMC karma, though (such as adding a key to the KEYS file, moving stuff to the release are on SVN, start the VOTE, etc.). The process is documented here: [1] That being said: I am currently planning to start the release process for TomEE 9.1.1 within this week. Due to the Tomcat security issues released yesterday, we need to do some backporting, which will consume additional time. (It just interrupted my preparations, so it needs additional CI / TCK cycles) A release usally consumes around 1-3 hours of work. Mostly because you have to wait for stuff being build or to run some basic sanity checks before starting and to not forget any step. What would really help for a TomEE 8.0.16 is to carefully re-check the current dependencies for important 3rd party dependencies (and update if needed. Note: Each update or bunch of updates shouldn't break the build. A full build on CI takes around 4-8 hours) on that branch, build it locally and conduct some sanity checks (for example: same lib in different versions in /lib -> check and fix) with the created tar.gz/zip files. This is one of the steps, which usually consumes a lot of time. If you want to give it a try, I am happy to help out for the steps which require PMC involvement. Otherwise, I might find some time in the next week to start a release of 8.0.16 - just let me know and I can plan my time accordingly ;-) Gruß Richard [1] https://tomee.apache.org/dev/release-tomee.html Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: > Jean-Louis, are there directions anywhere? Not promising anything :) > > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro > wrote: > > > > Whomever is committer can do it. > > > > I was just trying to give you an honest reply regarding my > > availabilities > > and give visibility to the rest of the community and the other > > committers > > at the same time. > > > > Hope it helps. > > > > > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a > > écrit : > > > > > I’m not sure
Re: 8.0.16 release
It seems the Tomcat upgrade breaks some connection pool related tests. I guess we need to check our integration code to fix it: https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/ So if anyone wants to dig, feel free. Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson : >There are other vulnerabilities (pulled from https://osv.dev/) that can be >addressed, but need to be reviewed. The format below is dependency >current_version (fix_version). > >org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > >xalan:xalan 2.7.2 (2.7.3) >GHSA-9339-86wc-4qgf (2.7.3) > >org.apache.commons:commons-compress 1.14 (>=1.24.0) >GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx >(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >(9.4.51.v20230217) > >org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >GHSA-3gh6-v5v9-6v9j (9.4.53) > >org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > >com.google.code.gson:gson 2.2.4 (2.8.9) >GHSA-4jrv-ppp4-jm57 (2.8.9) > >org.webjars:handlebars 1.2.1 (4.7.7) >GHSA-f2jv-r9rf-7988 (4.7.7) > >org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > > >On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: > >> How deep down the rabbit hole should the dependency checks normally go? >> Looks like the big ones I was tracking with security updates were done. >> >> johnzon 1.2.21 >> tomcat 9.0.81 >> bouncy castle 1.76 >> >> Still poking around a bit but there’s obviously a lot. >> >> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla wrote: >> >>> In theory, every committer can act as release manager. >>> >>> There are some steps in the process, which requires PMC karma, though >>> (such as adding a key to the KEYS file, moving stuff to the release are >>> on SVN, start the VOTE, etc.). >>> >>> The process is documented here: [1] >>> >>> That being said: >>> >>> I am currently planning to start the release process for TomEE 9.1.1 >>> within this week. Due to the Tomcat security issues released yesterday, >>> we need to do some backporting, which will consume additional time. (It >>> just interrupted my preparations, so it needs additional CI / TCK >>> cycles) >>> >>> A release usally consumes around 1-3 hours of work. Mostly because you >>> have to wait for stuff being build or to run some basic sanity checks >>> before starting and to not forget any step. >>> >>> What would really help for a TomEE 8.0.16 is to carefully re-check the >>> current dependencies for important 3rd party dependencies (and update >>> if needed. Note: Each update or bunch of updates shouldn't break the >>> build. A full build on CI takes around 4-8 hours) on that branch, build >>> it locally and conduct some sanity checks (for example: same lib in >>> different versions in /lib -> check and fix) with the created >>> tar.gz/zip files. >>> >>> This is one of the steps, which usually consumes a lot of time. If you >>> want to give it a try, I am happy to help out for the steps which >>> require PMC involvement. Otherwise, I might find some time in the next >>> week to start a release of 8.0.16 - just let me know and I can plan my >>> time accordingly ;-) >>> >>> Gruß >>> Richard >>> >>> >>> >>> >>> [1] https://tomee.apache.org/dev/release-tomee.html >>> >>> >>> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: >>> > Jean-Louis, are there directions anywhere? Not promising anything :) >>> > >>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro >>> > wrote: >>> > > >>> > > Whomever is committer can do it. >>> > > >>> > > I was just trying to give you an honest reply regarding my >>> > > availabilities >>> > > and give visibility to the rest of the community and the other >>> > > committers >>> > > at the same time. >>> > > >>> > > Hope it helps. >>> > > >>> > > >>> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a >>> > > écrit : >>> > > >>> > > > I’m not sure what that entails or who would go about doing it. Is >>> > > > it a >>> > > > community or contributor driven thing? >>> > > > >>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < >>> > > > jlmonte...@tomitribe.com> wrote: >>> > > > >>> > > > > I think most of the energy is currently on TomEE 9 and the new >>> > > > > TomEE 10. >>> > > > > I've also noticed some Tomcat CVE today if I remember >>> > > > > correctly. >>> > > > > >>> > > > > I'm all hands on TomEE 10 currently because we need to
Re: 8.0.16 release
Looking in the distribution I don't see any of these jars then. Do you agree? On Wed, Oct 11, 2023 at 11:11 AM Richard Zowalla wrote: > Some of these dependencies aren't shipped with the TomEE distribution. > Best way to check is to actually look through /lib > > > > Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson >: > >There are other vulnerabilities (pulled from https://osv.dev/) that can > be > >addressed, but need to be reviewed. The format below is dependency > >current_version (fix_version). > > > >org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) > >GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj > >(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > > > >xalan:xalan 2.7.2 (2.7.3) > >GHSA-9339-86wc-4qgf (2.7.3) > > > >org.apache.commons:commons-compress 1.14 (>=1.24.0) > >GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), > GHSA-h436-432x-8fvx > >(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh > >(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > > > >org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) > >GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c > >(9.4.51.v20230217) > > > >org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) > >GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > > > >org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) > >GHSA-3gh6-v5v9-6v9j (9.4.53) > > > >org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) > >GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq > >(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > > > >com.google.code.gson:gson 2.2.4 (2.8.9) > >GHSA-4jrv-ppp4-jm57 (2.8.9) > > > >org.webjars:handlebars 1.2.1 (4.7.7) > >GHSA-f2jv-r9rf-7988 (4.7.7) > > > >org.apache.ivy:ivy 2.3.0 (>= 2.5.2) > >GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > > > > > >On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: > > > >> How deep down the rabbit hole should the dependency checks normally go? > >> Looks like the big ones I was tracking with security updates were done. > >> > >> johnzon 1.2.21 > >> tomcat 9.0.81 > >> bouncy castle 1.76 > >> > >> Still poking around a bit but there’s obviously a lot. > >> > >> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla > wrote: > >> > >>> In theory, every committer can act as release manager. > >>> > >>> There are some steps in the process, which requires PMC karma, though > >>> (such as adding a key to the KEYS file, moving stuff to the release are > >>> on SVN, start the VOTE, etc.). > >>> > >>> The process is documented here: [1] > >>> > >>> That being said: > >>> > >>> I am currently planning to start the release process for TomEE 9.1.1 > >>> within this week. Due to the Tomcat security issues released yesterday, > >>> we need to do some backporting, which will consume additional time. (It > >>> just interrupted my preparations, so it needs additional CI / TCK > >>> cycles) > >>> > >>> A release usally consumes around 1-3 hours of work. Mostly because you > >>> have to wait for stuff being build or to run some basic sanity checks > >>> before starting and to not forget any step. > >>> > >>> What would really help for a TomEE 8.0.16 is to carefully re-check the > >>> current dependencies for important 3rd party dependencies (and update > >>> if needed. Note: Each update or bunch of updates shouldn't break the > >>> build. A full build on CI takes around 4-8 hours) on that branch, build > >>> it locally and conduct some sanity checks (for example: same lib in > >>> different versions in /lib -> check and fix) with the created > >>> tar.gz/zip files. > >>> > >>> This is one of the steps, which usually consumes a lot of time. If you > >>> want to give it a try, I am happy to help out for the steps which > >>> require PMC involvement. Otherwise, I might find some time in the next > >>> week to start a release of 8.0.16 - just let me know and I can plan my > >>> time accordingly ;-) > >>> > >>> Gruß > >>> Richard > >>> > >>> > >>> > >>> > >>> [1] https://tomee.apache.org/dev/release-tomee.html > >>> > >>> > >>> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: > >>> > Jean-Louis, are there directions anywhere? Not promising anything :) > >>> > > >>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro > >>> > wrote: > >>> > > > >>> > > Whomever is committer can do it. > >>> > > > >>> > > I was just trying to give you an honest reply regarding my > >>> > > availabilities > >>> > > and give visibility to the rest of the community and the other > >>> > > committers > >>> > > at the same time. > >>> > > > >>> > > Hope it helps. > >>> > > > >>> > > > >>> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a > >>> > > écrit : > >>> > > > >>> > > > I’m not sure what that entails or who would go about doing it. Is > >>> > > > it a > >>> > > > community or contributor driven thing? > >>> > > > > >>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < > >>> > > > jlmonte...@tomitribe.com> wrote: > >>> > > > > >>> > > > >
Re: 8.0.16 release
Some of these dependencies aren't shipped with the TomEE distribution. Best way to check is to actually look through /lib Am 11. Oktober 2023 16:56:27 MESZ schrieb Jamie Johnson : >There are other vulnerabilities (pulled from https://osv.dev/) that can be >addressed, but need to be reviewed. The format below is dependency >current_version (fix_version). > >org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) >GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj >(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) > >xalan:xalan 2.7.2 (2.7.3) >GHSA-9339-86wc-4qgf (2.7.3) > >org.apache.commons:commons-compress 1.14 (>=1.24.0) >GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx >(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh >(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) > >org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) >GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c >(9.4.51.v20230217) > >org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) >GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) > >org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) >GHSA-3gh6-v5v9-6v9j (9.4.53) > >org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) >GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq >(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) > >com.google.code.gson:gson 2.2.4 (2.8.9) >GHSA-4jrv-ppp4-jm57 (2.8.9) > >org.webjars:handlebars 1.2.1 (4.7.7) >GHSA-f2jv-r9rf-7988 (4.7.7) > >org.apache.ivy:ivy 2.3.0 (>= 2.5.2) >GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) > > >On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: > >> How deep down the rabbit hole should the dependency checks normally go? >> Looks like the big ones I was tracking with security updates were done. >> >> johnzon 1.2.21 >> tomcat 9.0.81 >> bouncy castle 1.76 >> >> Still poking around a bit but there’s obviously a lot. >> >> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla wrote: >> >>> In theory, every committer can act as release manager. >>> >>> There are some steps in the process, which requires PMC karma, though >>> (such as adding a key to the KEYS file, moving stuff to the release are >>> on SVN, start the VOTE, etc.). >>> >>> The process is documented here: [1] >>> >>> That being said: >>> >>> I am currently planning to start the release process for TomEE 9.1.1 >>> within this week. Due to the Tomcat security issues released yesterday, >>> we need to do some backporting, which will consume additional time. (It >>> just interrupted my preparations, so it needs additional CI / TCK >>> cycles) >>> >>> A release usally consumes around 1-3 hours of work. Mostly because you >>> have to wait for stuff being build or to run some basic sanity checks >>> before starting and to not forget any step. >>> >>> What would really help for a TomEE 8.0.16 is to carefully re-check the >>> current dependencies for important 3rd party dependencies (and update >>> if needed. Note: Each update or bunch of updates shouldn't break the >>> build. A full build on CI takes around 4-8 hours) on that branch, build >>> it locally and conduct some sanity checks (for example: same lib in >>> different versions in /lib -> check and fix) with the created >>> tar.gz/zip files. >>> >>> This is one of the steps, which usually consumes a lot of time. If you >>> want to give it a try, I am happy to help out for the steps which >>> require PMC involvement. Otherwise, I might find some time in the next >>> week to start a release of 8.0.16 - just let me know and I can plan my >>> time accordingly ;-) >>> >>> Gruß >>> Richard >>> >>> >>> >>> >>> [1] https://tomee.apache.org/dev/release-tomee.html >>> >>> >>> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: >>> > Jean-Louis, are there directions anywhere? Not promising anything :) >>> > >>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro >>> > wrote: >>> > > >>> > > Whomever is committer can do it. >>> > > >>> > > I was just trying to give you an honest reply regarding my >>> > > availabilities >>> > > and give visibility to the rest of the community and the other >>> > > committers >>> > > at the same time. >>> > > >>> > > Hope it helps. >>> > > >>> > > >>> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a >>> > > écrit : >>> > > >>> > > > I’m not sure what that entails or who would go about doing it. Is >>> > > > it a >>> > > > community or contributor driven thing? >>> > > > >>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < >>> > > > jlmonte...@tomitribe.com> wrote: >>> > > > >>> > > > > I think most of the energy is currently on TomEE 9 and the new >>> > > > > TomEE 10. >>> > > > > I've also noticed some Tomcat CVE today if I remember >>> > > > > correctly. >>> > > > > >>> > > > > I'm all hands on TomEE 10 currently because we need to fill the >>> > > > > feature >>> > > > > gaps on all implementations. So speaking about myself, not sure >>> > > > > I can >>> > > > > trigger a
Re: 8.0.16 release
There are other vulnerabilities (pulled from https://osv.dev/) that can be addressed, but need to be reviewed. The format below is dependency current_version (fix_version). org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13) GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj (4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5) xalan:xalan 2.7.2 (2.7.3) GHSA-9339-86wc-4qgf (2.7.3) org.apache.commons:commons-compress 1.14 (>=1.24.0) GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx (1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh (1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0) org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217) GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c (9.4.51.v20230217) org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53) GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53) org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53) GHSA-3gh6-v5v9-6v9j (9.4.53) org.apache.sshd:sshd-core 2.1.0 (>=2.10.0) GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq (2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0) com.google.code.gson:gson 2.2.4 (2.8.9) GHSA-4jrv-ppp4-jm57 (2.8.9) org.webjars:handlebars 1.2.1 (4.7.7) GHSA-f2jv-r9rf-7988 (4.7.7) org.apache.ivy:ivy 2.3.0 (>= 2.5.2) GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2) On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson wrote: > How deep down the rabbit hole should the dependency checks normally go? > Looks like the big ones I was tracking with security updates were done. > > johnzon 1.2.21 > tomcat 9.0.81 > bouncy castle 1.76 > > Still poking around a bit but there’s obviously a lot. > > On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla wrote: > >> In theory, every committer can act as release manager. >> >> There are some steps in the process, which requires PMC karma, though >> (such as adding a key to the KEYS file, moving stuff to the release are >> on SVN, start the VOTE, etc.). >> >> The process is documented here: [1] >> >> That being said: >> >> I am currently planning to start the release process for TomEE 9.1.1 >> within this week. Due to the Tomcat security issues released yesterday, >> we need to do some backporting, which will consume additional time. (It >> just interrupted my preparations, so it needs additional CI / TCK >> cycles) >> >> A release usally consumes around 1-3 hours of work. Mostly because you >> have to wait for stuff being build or to run some basic sanity checks >> before starting and to not forget any step. >> >> What would really help for a TomEE 8.0.16 is to carefully re-check the >> current dependencies for important 3rd party dependencies (and update >> if needed. Note: Each update or bunch of updates shouldn't break the >> build. A full build on CI takes around 4-8 hours) on that branch, build >> it locally and conduct some sanity checks (for example: same lib in >> different versions in /lib -> check and fix) with the created >> tar.gz/zip files. >> >> This is one of the steps, which usually consumes a lot of time. If you >> want to give it a try, I am happy to help out for the steps which >> require PMC involvement. Otherwise, I might find some time in the next >> week to start a release of 8.0.16 - just let me know and I can plan my >> time accordingly ;-) >> >> Gruß >> Richard >> >> >> >> >> [1] https://tomee.apache.org/dev/release-tomee.html >> >> >> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: >> > Jean-Louis, are there directions anywhere? Not promising anything :) >> > >> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro >> > wrote: >> > > >> > > Whomever is committer can do it. >> > > >> > > I was just trying to give you an honest reply regarding my >> > > availabilities >> > > and give visibility to the rest of the community and the other >> > > committers >> > > at the same time. >> > > >> > > Hope it helps. >> > > >> > > >> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a >> > > écrit : >> > > >> > > > I’m not sure what that entails or who would go about doing it. Is >> > > > it a >> > > > community or contributor driven thing? >> > > > >> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < >> > > > jlmonte...@tomitribe.com> wrote: >> > > > >> > > > > I think most of the energy is currently on TomEE 9 and the new >> > > > > TomEE 10. >> > > > > I've also noticed some Tomcat CVE today if I remember >> > > > > correctly. >> > > > > >> > > > > I'm all hands on TomEE 10 currently because we need to fill the >> > > > > feature >> > > > > gaps on all implementations. So speaking about myself, not sure >> > > > > I can >> > > > > trigger a build and deliver the whole process in the next >> > > > > couple of days >> > > > or >> > > > > weeks. >> > > > > >> > > > > If someone can do it, I'm happy to review, test and vote on the >> > > > > release. >> > > > > -- >> > > > > Jean-Louis Monteiro >> > > > > http://twitter.com/jlouismonteiro >> > > > >
Re: 8.0.16 release
How deep down the rabbit hole should the dependency checks normally go? Looks like the big ones I was tracking with security updates were done. johnzon 1.2.21 tomcat 9.0.81 bouncy castle 1.76 Still poking around a bit but there’s obviously a lot. On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla wrote: > In theory, every committer can act as release manager. > > There are some steps in the process, which requires PMC karma, though > (such as adding a key to the KEYS file, moving stuff to the release are > on SVN, start the VOTE, etc.). > > The process is documented here: [1] > > That being said: > > I am currently planning to start the release process for TomEE 9.1.1 > within this week. Due to the Tomcat security issues released yesterday, > we need to do some backporting, which will consume additional time. (It > just interrupted my preparations, so it needs additional CI / TCK > cycles) > > A release usally consumes around 1-3 hours of work. Mostly because you > have to wait for stuff being build or to run some basic sanity checks > before starting and to not forget any step. > > What would really help for a TomEE 8.0.16 is to carefully re-check the > current dependencies for important 3rd party dependencies (and update > if needed. Note: Each update or bunch of updates shouldn't break the > build. A full build on CI takes around 4-8 hours) on that branch, build > it locally and conduct some sanity checks (for example: same lib in > different versions in /lib -> check and fix) with the created > tar.gz/zip files. > > This is one of the steps, which usually consumes a lot of time. If you > want to give it a try, I am happy to help out for the steps which > require PMC involvement. Otherwise, I might find some time in the next > week to start a release of 8.0.16 - just let me know and I can plan my > time accordingly ;-) > > Gruß > Richard > > > > > [1] https://tomee.apache.org/dev/release-tomee.html > > > Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: > > Jean-Louis, are there directions anywhere? Not promising anything :) > > > > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro > > wrote: > > > > > > Whomever is committer can do it. > > > > > > I was just trying to give you an honest reply regarding my > > > availabilities > > > and give visibility to the rest of the community and the other > > > committers > > > at the same time. > > > > > > Hope it helps. > > > > > > > > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a > > > écrit : > > > > > > > I’m not sure what that entails or who would go about doing it. Is > > > > it a > > > > community or contributor driven thing? > > > > > > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < > > > > jlmonte...@tomitribe.com> wrote: > > > > > > > > > I think most of the energy is currently on TomEE 9 and the new > > > > > TomEE 10. > > > > > I've also noticed some Tomcat CVE today if I remember > > > > > correctly. > > > > > > > > > > I'm all hands on TomEE 10 currently because we need to fill the > > > > > feature > > > > > gaps on all implementations. So speaking about myself, not sure > > > > > I can > > > > > trigger a build and deliver the whole process in the next > > > > > couple of days > > > > or > > > > > weeks. > > > > > > > > > > If someone can do it, I'm happy to review, test and vote on the > > > > > release. > > > > > -- > > > > > Jean-Louis Monteiro > > > > > http://twitter.com/jlouismonteiro > > > > > http://www.tomitribe.com > > > > > > > > > > > > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson > > > > > wrote: > > > > > > > > > > > Is there a timeline for the release of 8.0.16? There are a > > > > > > few > > > > security > > > > > > issues associated with johnzon that we’d like to leverage > > > > > > while we > > > > > migrate > > > > > > to a newer version of TomEE. > > > > > > > > > > > > > > > > > > > > > > >
Re: 8.0.16 release
In theory, every committer can act as release manager. There are some steps in the process, which requires PMC karma, though (such as adding a key to the KEYS file, moving stuff to the release are on SVN, start the VOTE, etc.). The process is documented here: [1] That being said: I am currently planning to start the release process for TomEE 9.1.1 within this week. Due to the Tomcat security issues released yesterday, we need to do some backporting, which will consume additional time. (It just interrupted my preparations, so it needs additional CI / TCK cycles) A release usally consumes around 1-3 hours of work. Mostly because you have to wait for stuff being build or to run some basic sanity checks before starting and to not forget any step. What would really help for a TomEE 8.0.16 is to carefully re-check the current dependencies for important 3rd party dependencies (and update if needed. Note: Each update or bunch of updates shouldn't break the build. A full build on CI takes around 4-8 hours) on that branch, build it locally and conduct some sanity checks (for example: same lib in different versions in /lib -> check and fix) with the created tar.gz/zip files. This is one of the steps, which usually consumes a lot of time. If you want to give it a try, I am happy to help out for the steps which require PMC involvement. Otherwise, I might find some time in the next week to start a release of 8.0.16 - just let me know and I can plan my time accordingly ;-) Gruß Richard [1] https://tomee.apache.org/dev/release-tomee.html Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher: > Jean-Louis, are there directions anywhere? Not promising anything :) > > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro > wrote: > > > > Whomever is committer can do it. > > > > I was just trying to give you an honest reply regarding my > > availabilities > > and give visibility to the rest of the community and the other > > committers > > at the same time. > > > > Hope it helps. > > > > > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a > > écrit : > > > > > I’m not sure what that entails or who would go about doing it. Is > > > it a > > > community or contributor driven thing? > > > > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < > > > jlmonte...@tomitribe.com> wrote: > > > > > > > I think most of the energy is currently on TomEE 9 and the new > > > > TomEE 10. > > > > I've also noticed some Tomcat CVE today if I remember > > > > correctly. > > > > > > > > I'm all hands on TomEE 10 currently because we need to fill the > > > > feature > > > > gaps on all implementations. So speaking about myself, not sure > > > > I can > > > > trigger a build and deliver the whole process in the next > > > > couple of days > > > or > > > > weeks. > > > > > > > > If someone can do it, I'm happy to review, test and vote on the > > > > release. > > > > -- > > > > Jean-Louis Monteiro > > > > http://twitter.com/jlouismonteiro > > > > http://www.tomitribe.com > > > > > > > > > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson > > > > wrote: > > > > > > > > > Is there a timeline for the release of 8.0.16? There are a > > > > > few > > > security > > > > > issues associated with johnzon that we’d like to leverage > > > > > while we > > > > migrate > > > > > to a newer version of TomEE. > > > > > > > > > > > > > > > signature.asc Description: This is a digitally signed message part
Re: 8.0.16 release
Jean-Louis, are there directions anywhere? Not promising anything :) On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro wrote: > > Whomever is committer can do it. > > I was just trying to give you an honest reply regarding my availabilities > and give visibility to the rest of the community and the other committers > at the same time. > > Hope it helps. > > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson a écrit : > > > I’m not sure what that entails or who would go about doing it. Is it a > > community or contributor driven thing? > > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < > > jlmonte...@tomitribe.com> wrote: > > > > > I think most of the energy is currently on TomEE 9 and the new TomEE 10. > > > I've also noticed some Tomcat CVE today if I remember correctly. > > > > > > I'm all hands on TomEE 10 currently because we need to fill the feature > > > gaps on all implementations. So speaking about myself, not sure I can > > > trigger a build and deliver the whole process in the next couple of days > > or > > > weeks. > > > > > > If someone can do it, I'm happy to review, test and vote on the release. > > > -- > > > Jean-Louis Monteiro > > > http://twitter.com/jlouismonteiro > > > http://www.tomitribe.com > > > > > > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson wrote: > > > > > > > Is there a timeline for the release of 8.0.16? There are a few > > security > > > > issues associated with johnzon that we’d like to leverage while we > > > migrate > > > > to a newer version of TomEE. > > > > > > > > > -- Jonathan | exabr...@gmail.com Pessimists, see a jar as half empty. Optimists, in contrast, see it as half full. Engineers, of course, understand the glass is twice as big as it needs to be.
Re: 8.0.16 release
Whomever is committer can do it. I was just trying to give you an honest reply regarding my availabilities and give visibility to the rest of the community and the other committers at the same time. Hope it helps. Le mar. 10 oct. 2023, 23:27, Jamie Johnson a écrit : > I’m not sure what that entails or who would go about doing it. Is it a > community or contributor driven thing? > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < > jlmonte...@tomitribe.com> wrote: > > > I think most of the energy is currently on TomEE 9 and the new TomEE 10. > > I've also noticed some Tomcat CVE today if I remember correctly. > > > > I'm all hands on TomEE 10 currently because we need to fill the feature > > gaps on all implementations. So speaking about myself, not sure I can > > trigger a build and deliver the whole process in the next couple of days > or > > weeks. > > > > If someone can do it, I'm happy to review, test and vote on the release. > > -- > > Jean-Louis Monteiro > > http://twitter.com/jlouismonteiro > > http://www.tomitribe.com > > > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson wrote: > > > > > Is there a timeline for the release of 8.0.16? There are a few > security > > > issues associated with johnzon that we’d like to leverage while we > > migrate > > > to a newer version of TomEE. > > > > > >
Re: 8.0.16 release
I’m not sure what that entails or who would go about doing it. Is it a community or contributor driven thing? On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro < jlmonte...@tomitribe.com> wrote: > I think most of the energy is currently on TomEE 9 and the new TomEE 10. > I've also noticed some Tomcat CVE today if I remember correctly. > > I'm all hands on TomEE 10 currently because we need to fill the feature > gaps on all implementations. So speaking about myself, not sure I can > trigger a build and deliver the whole process in the next couple of days or > weeks. > > If someone can do it, I'm happy to review, test and vote on the release. > -- > Jean-Louis Monteiro > http://twitter.com/jlouismonteiro > http://www.tomitribe.com > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson wrote: > > > Is there a timeline for the release of 8.0.16? There are a few security > > issues associated with johnzon that we’d like to leverage while we > migrate > > to a newer version of TomEE. > > >
Re: 8.0.16 release
+1 for a 8.0.16 to get these recent urgent CVEs fixed ASAP Le mar. 10 oct. 2023 à 21:25, Jean-Louis Monteiro a écrit : > > I think most of the energy is currently on TomEE 9 and the new TomEE 10. > I've also noticed some Tomcat CVE today if I remember correctly. > > I'm all hands on TomEE 10 currently because we need to fill the feature > gaps on all implementations. So speaking about myself, not sure I can > trigger a build and deliver the whole process in the next couple of days or > weeks. > > If someone can do it, I'm happy to review, test and vote on the release. > -- > Jean-Louis Monteiro > http://twitter.com/jlouismonteiro > http://www.tomitribe.com > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson wrote: > > > Is there a timeline for the release of 8.0.16? There are a few security > > issues associated with johnzon that we’d like to leverage while we migrate > > to a newer version of TomEE. > >
Re: 8.0.16 release
I think most of the energy is currently on TomEE 9 and the new TomEE 10. I've also noticed some Tomcat CVE today if I remember correctly. I'm all hands on TomEE 10 currently because we need to fill the feature gaps on all implementations. So speaking about myself, not sure I can trigger a build and deliver the whole process in the next couple of days or weeks. If someone can do it, I'm happy to review, test and vote on the release. -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson wrote: > Is there a timeline for the release of 8.0.16? There are a few security > issues associated with johnzon that we’d like to leverage while we migrate > to a newer version of TomEE. >
