[jira] [Created] (JAMES-3618) Guice JPA should support LDAP authentication

[Benoit Tellier (Jira)]

Benoit Tellier created JAMES-3618:
-

 Summary: Guice JPA should support LDAP authentication
 Key: JAMES-3618
 URL: https://issues.apache.org/jira/browse/JAMES-3618
 Project: James Server
  Issue Type: Improvement
  Components: guice, jpa, ldap
Affects Versions: 3.6.0
Reporter: Benoit Tellier
 Fix For: 3.7.0


Of the off the box features of JPA guice, sadly LDAP authentication is missing 
for Guice JPA apps.

Supporting it is as simple as plugging the module chooser for LDAP and writing 
a little integration test.

This feature is easy to use with Spring app, so should it be with Guice JPA...

This is the conclusion of a gitter discussion.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Re: End of support for Apache James 2.3.2 ?

[btell...@apache.org]

Hello Noel,

First many thanks for your engagement that I believe did allow to have
the amazing piece of software we have today.

Apparently James 2.3 fails to talk SMTP with a modern Zimbra server,
expects a 'dot' terminated stream. This 'bug' do not occur on modern
James versions.

Do we also maintain Apache Excalibur [1] ? Retired in 2010... As far as
I get it, James 2.x actively relies on it.

[1] https://excalibur.apache.org/

That, is one of many dependencies, to be fairly honest I would not be
surprised a careful dependency audit finds hundreds of CVEs. Not to
mention the use of outdated java versions. Given the effort, do we, as a
community want to engage with serious maintenance of Apache James 2.3.x
? I have not seen security updates for years

Also, new upcoming users are not fully aware of the state of that
application, and might mistakenly believe they would get Apache grade
quality (security, backed by an active community, etc...)

In my opinion we should at the very least stops advertising that
version, that means:

 - Archive related downloads
 - Remove references from the website

That is our responsibility.

Stating clearly as a community that we no  longer assume maintining it would be 
better to me.

Best regards,

Benoit

On 23/07/2021 23:10, Noel J. Bergman wrote:
> I still use James v2 in production.  I could be convinced to move forward 
> (migration of config is a concern), but I still do run it, and would be able 
> to fix any bugs, given the amount of code in there that was written by me.
>
> Are there any particular defects that need to be addressed?  I agree that it 
> should be viewed as maintenance only, with no new development.
>
> Oh, and hi!  
>
>   --- Noel
>
> -Original Message-
> From: btell...@apache.org  
> Sent: Friday, July 23, 2021 5:18
> To: server-dev@james.apache.org
> Subject: End of support for Apache James 2.3.2 ?
>
> Hello,
>
> Following recent discussions on gitter, issues are reported on Apache James 
> version 2.3.2.
>
> This version is not under active development (released in 2013 with a 
> security fix in 2015 version 2.3.2.1).
>
> No active development had been undertook recently.
>
> The source code is not available on Git / Github.
>
> I fear no real active committer is able to fix issues on it.
>
> It uses Avalon Phoenix retired in 2004 (yes...).
>
> For archeologists, sources can be found at 
> http://svn.apache.org/repos/asf/james/server/tags/2_3_2_1/
>
> As such I propose to:
>
>  - Make it clear with a formal vote we can refer to that the Apache James PMC 
> no longer supports Apache James vers 2.x.
>  - Archive related downloads
>  - Remove references from the website
>  - Write a little email to the Apache announce mailing list, general@james, 
> server-user@james.
>
> Thoughts?
>
> Regards,
>
> Benoit TELLIER
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Re: [VOTE] Retire Apache James HUPA

[Jean Helou]

+1

Le ven. 23 juil. 2021 à 11:28, Antoine Duprat  a écrit :

> +1
>
> Le ven. 23 juil. 2021 à 11:01, btell...@apache.org  a
> écrit :
>
> > Hello all,
> >
> > Following a first email on the topic [1] I would like to call for a
> > formal vote on Apache James Hupa retirement.
> >
> > [1]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
> >
> > Rationnals:
> >  - The latest release (0.3.0) dates from 2012 which is an eternity in
> > computing.
> >  - The latest tag on Github is 0.0.3
> >  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> > lost :-(
> >  - This repository is crippled by multiple CVEs (quick dependabot
> review):
> >   - CVE-2021-29425 (commons-io)
> >   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> > CVE-2019-10241 CVE-2019-10247 (Jetty server)
> >   - CVE-2020-9447 (gwtupload)
> >   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> >   - CVE-2019-17571 (log4j)
> >   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
> >  - Sporadic activity since 2012
> >  - Zero to no exchanges for several years on the mailing lists.
> >
> > Given that alternatives exists, given that the project is
> > likely not mature, unmaintained and unsecure, I propose to retire this
> > Apache James subproject.
> >
> > |Voting rules: - This is a majority vote as stated in [2] for procedural
> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> > https://www.apache.org/foundation/voting.html Following this retirement,
> > follow up steps are to be taken as described in [3] [3]
> > https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> > | - 1. Get a formal vote on server-dev mailing list
> >  - 2. Place a RETIRED_PROJECT file marker in the git
> >  - 3. Add a note in the project README
> >  - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> >  - 5. Announce it on gene...@james.apache.org and announce@apache
> >  - 6. Add a notice to the Apache website, if present
> >  - 7. Remove releases from downloads.apache.org
> >  - 8. Add notices on the Apache release archives (example
> > https://archive.apache.org/dist/ant/antidote/ <
> > https://archive.apache.org/dist/ant/antidote/>)
> >
> > Best regards,
> >
> > Benoit Tellier
> > ||
> >
> >
> > -
> > To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> > For additional commands, e-mail: server-dev-h...@james.apache.org
> >
> >
>

Re: [VOTE] Retire Apache James Postage

[Jean Helou]

+1

Le ven. 23 juil. 2021 à 11:28, Antoine Duprat  a écrit :

> +1
>
> Le ven. 23 juil. 2021 à 11:03, btell...@apache.org  a
> écrit :
>
> > Hello all,
> >
> > Following a first email on the topic [1] I would like to call for a
> > formal vote on Apache James Postage retirement.
> >
> > [1]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70576.html
> >
> > Rationnals: this project...
> >  - Have no website page (not deployed)
> >  - Have no README
> >  - Have no formal release, but a tag named "james-2_20120613" dating
> > from 2012 which is quite old already...
> >  - Their exists some alternatives both for JMETER, and Gatling
> > performance testing tools.
> >  - Lack of support for recent mail protocols like IMAP and JMAP
> >  - Hard to scale blocking architecture (from what I understood?)
> >  - No development activity since 2013.
> >  - 5 forks in total on github, none of them did extra developments.
> >  - Relies on 3.0-beta5-SNAPSHOT which is quite old but also unreleased.
> > Proting postage to a released version would likely be already quite of a
> > fight...
> >  - Affected by CVE-2021-29425 (commons-io)||
> > Given the maturity of the project, the presence of alternatives, and the
> > absence of development, in the absence of mainteners, it could be wise
> > to consider retiring it.
> > |Voting rules: - This is a majority vote as stated in [2] for procedural
> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> > https://www.apache.org/foundation/voting.html Following this retirement,
> > follow up steps are to be taken as described in [3] [3]
> > https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> > | - 1. Get a formal vote on server-dev mailing list
> >  - 2. Place a RETIRED_PROJECT file marker in the git
> >  - 3. Add a note in the project README
> >  - 4. Retire the ISSUE trackers (Project names POSTAGE)
> >  - 5. Announce it on gene...@james.apache.org and announce@apache
> >  - 6. Add a notice to the Apache website, if present
> >  - 7. Remove releases from downloads.apache.org
> >  - 8. Add notices on the Apache release archives (example
> > https://archive.apache.org/dist/ant/antidote/ <
> > https://archive.apache.org/dist/ant/antidote/>)
> >
> > Best regards,
> >
> > Benoit Tellier
> > ||
> >
> >
> > -
> > To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> > For additional commands, e-mail: server-dev-h...@james.apache.org
> >
> >
>

RE: End of support for Apache James 2.3.2 ?

[Noel J. Bergman]

I still use James v2 in production.  I could be convinced to move forward 
(migration of config is a concern), but I still do run it, and would be able to 
fix any bugs, given the amount of code in there that was written by me.

Are there any particular defects that need to be addressed?  I agree that it 
should be viewed as maintenance only, with no new development.

Oh, and hi!  

--- Noel

-Original Message-
From: btell...@apache.org  
Sent: Friday, July 23, 2021 5:18
To: server-dev@james.apache.org
Subject: End of support for Apache James 2.3.2 ?

Hello,

Following recent discussions on gitter, issues are reported on Apache James 
version 2.3.2.

This version is not under active development (released in 2013 with a security 
fix in 2015 version 2.3.2.1).

No active development had been undertook recently.

The source code is not available on Git / Github.

I fear no real active committer is able to fix issues on it.

It uses Avalon Phoenix retired in 2004 (yes...).

For archeologists, sources can be found at 
http://svn.apache.org/repos/asf/james/server/tags/2_3_2_1/

As such I propose to:

 - Make it clear with a formal vote we can refer to that the Apache James PMC 
no longer supports Apache James vers 2.x.
 - Archive related downloads
 - Remove references from the website
 - Write a little email to the Apache announce mailing list, general@james, 
server-user@james.

Thoughts?

Regards,

Benoit TELLIER


-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org



-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

[BUILD-FAILURE]: Job 'james/ApacheJames/master [master] [204]'

[Apache Jenkins Server]

BUILD-FAILURE: Job 'james/ApacheJames/master [master] [204]':
Check console output at "https://ci-builds.apache.org/job/james/job/ApacheJames/job/master/204/;>james/ApacheJames/master
 [master] [204]"

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Re: [VOTE] Retire Apache James Postage

[Antoine Duprat]

+1

Le ven. 23 juil. 2021 à 11:03, btell...@apache.org  a
écrit :

> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Postage retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70576.html
>
> Rationnals: this project...
>  - Have no website page (not deployed)
>  - Have no README
>  - Have no formal release, but a tag named "james-2_20120613" dating
> from 2012 which is quite old already...
>  - Their exists some alternatives both for JMETER, and Gatling
> performance testing tools.
>  - Lack of support for recent mail protocols like IMAP and JMAP
>  - Hard to scale blocking architecture (from what I understood?)
>  - No development activity since 2013.
>  - 5 forks in total on github, none of them did extra developments.
>  - Relies on 3.0-beta5-SNAPSHOT which is quite old but also unreleased.
> Proting postage to a released version would likely be already quite of a
> fight...
>  - Affected by CVE-2021-29425 (commons-io)||
> Given the maturity of the project, the presence of alternatives, and the
> absence of development, in the absence of mainteners, it could be wise
> to consider retiring it.
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> | - 1. Get a formal vote on server-dev mailing list
>  - 2. Place a RETIRED_PROJECT file marker in the git
>  - 3. Add a note in the project README
>  - 4. Retire the ISSUE trackers (Project names POSTAGE)
>  - 5. Announce it on gene...@james.apache.org and announce@apache
>  - 6. Add a notice to the Apache website, if present
>  - 7. Remove releases from downloads.apache.org
>  - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <
> https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>

Re: [VOTE] Retire Apache James HUPA

[Antoine Duprat]

+1

Le ven. 23 juil. 2021 à 11:01, btell...@apache.org  a
écrit :

> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
>  - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
>  - The latest tag on Github is 0.0.3
>  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
>  - This repository is crippled by multiple CVEs (quick dependabot review):
>   - CVE-2021-29425 (commons-io)
>   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
>   - CVE-2020-9447 (gwtupload)
>   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>   - CVE-2019-17571 (log4j)
>   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
>  - Sporadic activity since 2012
>  - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> | - 1. Get a formal vote on server-dev mailing list
>  - 2. Place a RETIRED_PROJECT file marker in the git
>  - 3. Add a note in the project README
>  - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
>  - 5. Announce it on gene...@james.apache.org and announce@apache
>  - 6. Add a notice to the Apache website, if present
>  - 7. Remove releases from downloads.apache.org
>  - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <
> https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>

Re: [VOTE] Retire Apache James Postage

[btell...@apache.org]

+1

On 23/07/2021 16:03, btell...@apache.org wrote:
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Postage retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70576.html
>
> Rationnals: this project...
>  - Have no website page (not deployed)
>  - Have no README
>  - Have no formal release, but a tag named "james-2_20120613" dating
> from 2012 which is quite old already...
>  - Their exists some alternatives both for JMETER, and Gatling
> performance testing tools.
>  - Lack of support for recent mail protocols like IMAP and JMAP
>  - Hard to scale blocking architecture (from what I understood?)
>  - No development activity since 2013.
>  - 5 forks in total on github, none of them did extra developments.
>  - Relies on 3.0-beta5-SNAPSHOT which is quite old but also unreleased.
> Proting postage to a released version would likely be already quite of a
> fight...
>  - Affected by CVE-2021-29425 (commons-io)||
> Given the maturity of the project, the presence of alternatives, and the
> absence of development, in the absence of mainteners, it could be wise
> to consider retiring it.
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
> Get a formal vote on server-dev mailing list
>  - 2. Place a RETIRED_PROJECT file marker in the git
>  - 3. Add a note in the project README
>  - 4. Retire the ISSUE trackers (Project names POSTAGE)
>  - 5. Announce it on gene...@james.apache.org and announce@apache
>  - 6. Add a notice to the Apache website, if present
>  - 7. Remove releases from downloads.apache.org
>  - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ 
> )
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Re: [VOTE] Retire Apache James HUPA

[btell...@linagora.com]

+1

On 23/07/2021 16:00, btell...@apache.org wrote:
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
>  - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
>  - The latest tag on Github is 0.0.3
>  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
>  - This repository is crippled by multiple CVEs (quick dependabot review):
>   - CVE-2021-29425 (commons-io)
>       - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
>   - CVE-2020-9447 (gwtupload)
>       - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>   - CVE-2019-17571 (log4j)
>   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
>  - Sporadic activity since 2012
>  - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
> Get a formal vote on server-dev mailing list
>  - 2. Place a RETIRED_PROJECT file marker in the git
>  - 3. Add a note in the project README
>  - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
>  - 5. Announce it on gene...@james.apache.org and announce@apache
>  - 6. Add a notice to the Apache website, if present
>  - 7. Remove releases from downloads.apache.org
>  - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ 
> )
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> -
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
>

-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

End of support for Apache James 2.3.2 ?

[btell...@apache.org]

Hello,

Following recent discussions on gitter, issues are reported on Apache
James version 2.3.2.

This version is not under active development (released in 2013 with a
security fix in 2015 version 2.3.2.1).

No active development had been undertook recently.

The source code is not available on Git / Github.

I fear no real active committer is able to fix issues on it.

It uses Avalon Phoenix retired in 2004 (yes...).

For archeologists, sources can be found at
http://svn.apache.org/repos/asf/james/server/tags/2_3_2_1/

As such I propose to:

 - Make it clear with a formal vote we can refer to that the Apache
James PMC no longer supports Apache James vers 2.x.
 - Archive related downloads
 - Remove references from the website
 - Write a little email to the Apache announce mailing list,
general@james, server-user@james.

Thoughts?

Regards,

Benoit TELLIER


-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

[VOTE] Retire Apache James Postage

[btell...@apache.org]

Hello all,

Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Postage retirement.

[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70576.html

Rationnals: this project...
 - Have no website page (not deployed)
 - Have no README
 - Have no formal release, but a tag named "james-2_20120613" dating
from 2012 which is quite old already...
 - Their exists some alternatives both for JMETER, and Gatling
performance testing tools.
 - Lack of support for recent mail protocols like IMAP and JMAP
 - Hard to scale blocking architecture (from what I understood?)
 - No development activity since 2013.
 - 5 forks in total on github, none of them did extra developments.
 - Relies on 3.0-beta5-SNAPSHOT which is quite old but also unreleased.
Proting postage to a released version would likely be already quite of a
fight...
 - Affected by CVE-2021-29425 (commons-io)||
Given the maturity of the project, the presence of alternatives, and the
absence of development, in the absence of mainteners, it could be wise
to consider retiring it.
|Voting rules: - This is a majority vote as stated in [2] for procedural
issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
https://www.apache.org/foundation/voting.html Following this retirement,
follow up steps are to be taken as described in [3] [3]
https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
Get a formal vote on server-dev mailing list
 - 2. Place a RETIRED_PROJECT file marker in the git
 - 3. Add a note in the project README
 - 4. Retire the ISSUE trackers (Project names POSTAGE)
 - 5. Announce it on gene...@james.apache.org and announce@apache
 - 6. Add a notice to the Apache website, if present
 - 7. Remove releases from downloads.apache.org
 - 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/ 
)

Best regards,

Benoit Tellier
||


-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

[VOTE] Retire Apache James HUPA

[btell...@apache.org]

Hello all,

Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Hupa retirement.

[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html

Rationnals:
 - The latest release (0.3.0) dates from 2012 which is an eternity in
computing.
 - The latest tag on Github is 0.0.3
 - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
 - This repository is crippled by multiple CVEs (quick dependabot review):
  - CVE-2021-29425 (commons-io)
      - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
  - CVE-2020-9447 (gwtupload)
      - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
  - CVE-2019-17571 (log4j)
  - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
 - Sporadic activity since 2012
 - Zero to no exchanges for several years on the mailing lists.

Given that alternatives exists, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.

|Voting rules: - This is a majority vote as stated in [2] for procedural
issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
https://www.apache.org/foundation/voting.html Following this retirement,
follow up steps are to be taken as described in [3] [3]
https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
Get a formal vote on server-dev mailing list
 - 2. Place a RETIRED_PROJECT file marker in the git
 - 3. Add a note in the project README
 - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
 - 5. Announce it on gene...@james.apache.org and announce@apache
 - 6. Add a notice to the Apache website, if present
 - 7. Remove releases from downloads.apache.org
 - 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/ 
)

Best regards,

Benoit Tellier
||


-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org