[GitHub] [james-hupa] chibenwa merged pull request #2: Retire Apache James HUPA

2021-07-30 Thread GitBox


chibenwa merged pull request #2:
URL: https://github.com/apache/james-hupa/pull/2


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org



[GitHub] [james-hupa] chibenwa opened a new pull request #2: Retire Apache James HUPA

2021-07-30 Thread GitBox


chibenwa opened a new pull request #2:
URL: https://github.com/apache/james-hupa/pull/2


   





Re: [VOTE] Retire Apache James HUPA

2021-07-30 Thread btell...@apache.org
With 8 votes in favour, 4 of them being binding, this vote is a success.

I will carry over the follow up steps.

Regards,

Benoit




Re: [VOTE] Retire Apache James HUPA

2021-07-28 Thread Raphaël Ouazana-Sustowski

+1




Re: [VOTE] Retire Apache James HUPA

2021-07-27 Thread Manuel Carrasco Moñino
I agree, there is no such interest in using and maintaining that piece of
software, let's retire it.

My vote is +1

Thanks
- Manolo



Re: [VOTE] Retire Apache James HUPA

2021-07-26 Thread Dongxu Wang
+1



Re: [VOTE] Retire Apache James HUPA

2021-07-26 Thread Dongxu 王东旭
+1

ccing Manolo, thank you.



Re: [VOTE] Retire Apache James HUPA

2021-07-25 Thread Rene Cordier

+1,

Rene.




Re: [VOTE] Retire Apache James HUPA

2021-07-25 Thread Eugen Stan

+1

--
Eugen Stan
+40720 898 747 / netdava.com



Re: [VOTE] Retire Apache James HUPA

2021-07-23 Thread Jean Helou
+1



Re: [VOTE] Retire Apache James HUPA

2021-07-23 Thread Antoine Duprat
+1



Re: [VOTE] Retire Apache James HUPA

2021-07-23 Thread btell...@linagora.com
+1




[VOTE] Retire Apache James HUPA

2021-07-23 Thread btell...@apache.org
Hello all,

Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Hupa retirement.

[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html

Rationales:
 - The latest release (0.3.0) dates from 2012 which is an eternity in
computing.
 - The latest tag on Github is 0.0.3
 - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
 - This repository is crippled by multiple CVEs (quick dependabot review):
   - CVE-2021-29425 (commons-io)
   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
   - CVE-2020-9447 (gwtupload)
   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
   - CVE-2019-17571 (log4j)
   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
 - Sporadic activity since 2012
 - Zero to no exchanges for several years on the mailing lists.

Given that alternatives exist, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.

Voting rules:
 - This is a majority vote as stated in [2] for procedural issues.
 - The vote starts at Friday 23rd of July 2021, 4pm UTC+7
 - The vote ends at Friday 30th of July 2021, 4pm UTC+7

[2] https://www.apache.org/foundation/voting.html

Following this retirement, follow up steps are to be taken as described
in [3]

[3] https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html

 - 1. Get a formal vote on server-dev mailing list
 - 2. Place a RETIRED_PROJECT file marker in the git
 - 3. Add a note in the project README
 - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
 - 5. Announce it on gene...@james.apache.org and announce@apache
 - 6. Add a notice to the Apache website, if present
 - 7. Remove releases from downloads.apache.org
 - 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/)

Best regards,

Benoit Tellier



Re: Retire Apache James Hupa ?

2021-07-19 Thread btell...@apache.org
More on the retirement topic.

Getting inspired by
https://ant.apache.org/processes.html#Retire:%20Mailing%20List the
procedure would be to:

 - 1. Get a formal vote on server-dev mailing list
 - 2. Place a RETIRED_PROJECT file marker in the git
 - 3. Add a note in the project README
 - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
 - 5. Announce it on gene...@james.apache.org and announce@apache
 - 6. Add a notice to the Apache website, if present
 - 7. Remove releases from downloads.apache.org
 - 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/)

Note that there is also a procedure to re-activate a previously retired
sub-project.

Best regards,

Benoit TELLIER

On 19/07/2021 15:30, Jean Helou wrote:
> I think this is an excellent idea ! +1
>
> thank you benoit !
> jean
>
>
> On Mon, Jul 19, 2021 at 10:16 AM btell...@apache.org 
> wrote:
>
>> Hello all,
>>
>> While fixing our download pages following some infra bot complaints, I
>> ended up fixing the downloads for Apache James Hupa.
>>
>>  - The latest release (0.3.0) dates from 2012 which is an eternity in
>> computing.
>>  - The latest tag on Github is 0.0.3
>>  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
>> lost :-(
>>  - This repository is crippled by multiple CVEs (quick dependabot review):
>>   - CVE-2021-29425 (commons-io)
>>   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
>> CVE-2019-10241 CVE-2019-10247 (Jetty server)
>>   - CVE-2020-9447 (gwtupload)
>>   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>>   - CVE-2019-17571 (log4j)
>>   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
>>  - Sporadic activity since 2012
>>  - Zero to no exchanges for several years on the mailing lists.
>>
>> From the Readme:
>>
>>> Hupa is able to discover most of the imap/smtp configuration based on
>>> the email domain part. When you are prompted to login, type your email
>>> address and wait few seconds, if you click on the gear button you can
>>> see the configuration discovered by Hupa, you can modify it if it does
>>> not match your email provider configuration. Then type your inbox
>>> password and you will be logged into your email provider servers.
>>
>>> Hupa is compatible with most email providers, gmail, yahoo, hotmail,
>>> outlook, exchange, james, etc.
>>
>> I fail to see the value added compared to other webmails like roundcube,
>> rainloops to quote a few...
>>
>> As such, given that alternatives exist, given that the project is
>> likely not mature, unmaintained and unsecure, I propose to retire this
>> Apache James subproject.
>>
>> I will do research on procedures and best practices to do so. I guess a
>> formal vote would be necessary. Likely contact Apache Labs where the
>> project originated from in 2009...
>>
>> Best regards,
>>
>> Benoit TELLIER
>>



Re: Retire Apache James Hupa ?

2021-07-19 Thread Rene Cordier

Nice catch, +1!

Rene.

On 19/07/2021 15:30, Jean Helou wrote:
> I think this is an excellent idea ! +1
>
> thank you benoit !
> jean
>
>
> On Mon, Jul 19, 2021 at 10:16 AM btell...@apache.org
> wrote:
>
>> Hello all,
>>
>> While fixing our download pages following some infra bot complaints, I
>> ended up fixing the downloads for Apache James Hupa.
>>
>>  - The latest release (0.3.0) dates from 2012 which is an eternity in
>> computing.
>>  - The latest tag on Github is 0.0.3
>>  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
>> lost :-(
>>  - This repository is crippled by multiple CVEs (quick dependabot review):
>>   - CVE-2021-29425 (commons-io)
>>   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
>> CVE-2019-10241 CVE-2019-10247 (Jetty server)
>>   - CVE-2020-9447 (gwtupload)
>>   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>>   - CVE-2019-17571 (log4j)
>>   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
>>  - Sporadic activity since 2012
>>  - Zero to no exchanges for several years on the mailing lists.
>>
>> From the Readme:
>>
>> > Hupa is able to discover most of the imap/smtp configuration based on
>> the email domain part. When you are prompted to login, type your email
>> address and wait few seconds, if you click on the gear button you can
>> see the configuration discovered by Hupa, you can modify it if it does
>> not match your email provider configuration. Then type your inbox
>> password and you will be logged into your email provider servers.
>>
>> > Hupa is compatible with most email providers, gmail, yahoo, hotmail,
>> outlook, exchange, james, etc.
>>
>> I fail to see the value added compared to other webmails like roundcube,
>> rainloops to quote a few...
>>
>> As such, given that alternatives exist, given that the project is
>> likely not mature, unmaintained and unsecure, I propose to retire this
>> Apache James subproject.
>>
>> I will do research on procedures and best practices to do so. I guess a
>> formal vote would be necessary. Likely contact Apache Labs where the
>> project originated from in 2009...
>>
>> Best regards,
>>
>> Benoit TELLIER





Re: Retire Apache James Hupa ?

2021-07-19 Thread Jean Helou
I think this is an excellent idea ! +1

thank you benoit !
jean


On Mon, Jul 19, 2021 at 10:16 AM btell...@apache.org 
wrote:

> Hello all,
>
> While fixing our download pages following some infra bot complaints, I
> ended up fixing the downloads for Apache James Hupa.
>
>  - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
>  - The latest tag on Github is 0.0.3
>  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
>  - This repository is crippled by multiple CVEs (quick dependabot review):
>   - CVE-2021-29425 (commons-io)
>   - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
>   - CVE-2020-9447 (gwtupload)
>   - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>   - CVE-2019-17571 (log4j)
>   - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
>  - Sporadic activity since 2012
>  - Zero to no exchanges for several years on the mailing lists.
>
> From the Readme:
>
> > Hupa is able to discover most of the imap/smtp configuration based on
> the email domain part. When you are prompted to login, type your email
> address and wait few seconds, if you click on the gear button you can
> see the configuration discovered by Hupa, you can modify it if it does
> not match your email provider configuration. Then type your inbox
> password and you will be logged into your email provider servers.
>
> > Hupa is compatible with most email providers, gmail, yahoo, hotmail,
> outlook, exchange, james, etc.
>
> I fail to see the value added compared to other webmails like roundcube,
> rainloops to quote a few...
>
> As such, given that alternatives exist, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> I will do research on procedures and best practices to do so. I guess a
> formal vote would be necessary. Likely contact Apache Labs where the
> project originated from in 2009...
>
> Best regards,
>
> Benoit TELLIER


Retire Apache James Hupa ?

2021-07-19 Thread btell...@apache.org
Hello all,

While fixing our download pages following some infra bot complaints, I
ended up fixing the downloads for Apache James Hupa.

 - The latest release (0.3.0) dates from 2012 which is an eternity in
computing.
 - The latest tag on Github is 0.0.3
 - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
 - This repository is crippled by multiple CVEs (quick dependabot review):
  - CVE-2021-29425 (commons-io)
  - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
  - CVE-2020-9447 (gwtupload)
  - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
  - CVE-2019-17571 (log4j)
  - CVE-2016-131 CVE-2016-3092 (commons-fileupload)
 - Sporadic activity since 2012
 - Zero to no exchanges for several years on the mailing lists.

From the Readme:

> Hupa is able to discover most of the imap/smtp configuration based on
the email domain part. When you are prompted to login, type your email
address and wait few seconds, if you click on the gear button you can
see the configuration discovered by Hupa, you can modify it if it does
not match your email provider configuration. Then type your inbox
password and you will be logged into your email provider servers.

> Hupa is compatible with most email providers, gmail, yahoo, hotmail,
outlook, exchange, james, etc.

I fail to see the value added compared to other webmails like roundcube,
rainloops to quote a few...

As such, given that alternatives exist, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.

I will do research on procedures and best practices to do so. I guess a
formal vote would be necessary. Likely contact Apache Labs where the
project originated from in 2009...

Best regards,

Benoit TELLIER

