Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-31 Thread Hervé BOUTEMY
I don't get the reasoning: what content do you expect in such a Maven 3.6.4 release compared to 3.8.1? for what benefit? On Tuesday, 30 March 2021, 20:16:23 CEST, Romain Manni-Bucau wrote: > On Tue, 30 March 2021 at 19:36, Robert Scholte wrote: > > I'm preparing the 3.8.1 release > > So far

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-30 Thread Romain Manni-Bucau
On Tue, 30 March 2021 at 19:36, Robert Scholte wrote: > I'm preparing the 3.8.1 release > So far I see no reason to backport some changes to a possible 3.6.4. > ...provide a fixed version to at least our most recent+used version to enable company policies to be respected with the security fix

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-30 Thread Robert Scholte
I'm preparing the 3.8.1 release. So far I see no reason to backport some changes to a possible 3.6.4. Only in case we get enough requests from the community to do so, we might consider creating a partial backport. thanks, Robert On 30-3-2021 18:53:17, Romain Manni-Bucau wrote: Ok so seems 3.8.1

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-30 Thread Romain Manni-Bucau
Ok so seems 3.8.1 gets a lot of votes. Can we still do a 3.6.4/3.6.3.1 or whatever (3.6 branch is the important point as explained). Romain Manni-Bucau @rmannibucau | Blog | Old Blog | Github

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-30 Thread Arnaud Héritier
Due to the distribution error, I agree that the next release can only be 3.8.1 today. On Tue, Mar 30, 2021 at 6:39 PM TheCakeIsNaOH wrote: > Hi, > > I am the maintainer of the Maven Chocolatey package. > > Given that I uploaded a 3.8.0 package after seeing the binaries in the > release >

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-30 Thread TheCakeIsNaOH
Hi, I am the maintainer of the Maven Chocolatey package. Given that I uploaded a 3.8.0 package after seeing the binaries in the release download area, there are around ~2,400 users which downloaded that version of the package. Therefore, on the Chocolatey side of things, it would be best if the

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Jesper Udby
he local network, due to social engineering. -Markus -Original Message- From: Som Lima [mailto:somplastic...@gmail.com] Sent: Sunday, 28 March 2021 15:06 To: Maven Developers List Subject: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other BTW there should be an

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Romain Manni-Bucau
>>>> > >>>>> Social engineering is outside the scope of the discussion on the > >>>> subject > >>>>> of the algorithm devised in the invisible ( to API developers), > >> network > >>>>> layer impleme

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Jesper Udby
-- From: Som Lima [mailto:somplastic...@gmail.com] Sent: Sunday, 28 March 2021 15:06 To: Maven Developers List Subject: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other BTW there should be an option to still use unsecure http as many people run http in their LANs. I cou

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Romain Manni-Bucau
. > >> > > >> > > >> > Meanwhile the internet (loosely coupled) due to physical limitations > >> could > >> > not be implemented using the same algorithm. > >> > It was left to users to work out the security which can be done using >

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Som Lima
> encryption (HTTPS) as one means of security. Other strategies are also >> > available. Only the CHECKSUM was supplied as means of data integrity by >> the >> > network Gods. >> > >> > Anybody want to talk about intraprocess (tight coupling) and >> Interprocess >> > (l

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Som Lima
> in > > > > their LANs. > > > > If it contains backwards-compatible features, it has to be 3.7.0. > > > > If it breaks backwards-compatibility, it has to be 4.0.0. > > > > In no case it can be 3.8.0. > > > > If mvnw was proposed for 3.7 b

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Jesper Udby
achricht- From: Som Lima [mailto:somplastic...@gmail.com] Sent: Sunday, 28 March 2021 15:06 To: Maven Developers List Subject: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other BTW there should be an option to still use unsecure http as many people run http in their LA

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Romain Manni-Bucau
ait with 3.7.0, or we have to tell people that we move mvnw to 3.8 or > > 4.0. > > > I do not see a need for any discussion at all, as SemVer is pretty > clear > > > about the sole correct answer. > > > -Markus > > > > > > -Ursprüngliche

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-29 Thread Som Lima
gmail.com] > Sent: Sunday, 28 March 2021 15:06 > To: Maven Developers List > Subject: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > > > BTW there should be an option to still use unsecure http as many people > run http in their LANs. > > I coul

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Gary Gregory
In my mind, this is simple: features go into major and minor versions, maintenance versions are only for bugs, therefore a feature change is not done in a maintenance version. Gary On Sun, Mar 28, 2021, 05:47 Romain Manni-Bucau wrote: > Hi all, > > Before we reroll the failed 3.8.0 I'd like we

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Romain Manni-Bucau
ned from > within the local network, due to social engineering. > -Markus > > > -Original Message- > From: Som Lima [mailto:somplastic...@gmail.com] > Sent: Sunday, 28 March 2021 15:06 > To: Maven Developers List > Subject: Re: [DISCUSS] Next releas

AW: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Markus KARG
: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > BTW there should be an option to still use unsecure http as many people run http in their LANs. I could be wrong but I think the intranet is a tightly coupled comm system therefore it is secure by design. On Sun, 28 Mar 2021, 13

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Stephen Connolly
3.8.1 as we already burned and accidentally released 3.8.0. Though if we could go back in time to before the vote was started, it should have been 3.6.4 IMO... but since the release manager went with 3.8.0, that’s the train we’re on. FTR the release manager’s decision on version number has always

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Som Lima
on at all, as SemVer is pretty clear > about the sole correct answer. > -Markus > > -Original Message- > From: Romain Manni-Bucau [mailto:rmannibu...@gmail.com] > Sent: Sunday, 28 March 2021 11:47 > To: Maven Developers List > Subject: [DISCUSS] Next release ver

AW: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Markus KARG
>> - Why not 3.7.0? >> Apache Maven 3.7.0 has been advertised in the past that it would be the >> first release where you could optionally activate the build/consumer >> feature: the version containing this feature has been renamed to 4.0.0. >> Reusing 3.7.0 might lead to confusion, hence we

AW: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Markus KARG
is pretty clear about the sole correct answer. -Markus -Original Message- From: Romain Manni-Bucau [mailto:rmannibu...@gmail.com] Sent: Sunday, 28 March 2021 11:47 To: Maven Developers List Subject: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other Hi all, Before we

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Michael Osipov
On 2021-03-28 at 11:47, Romain Manni-Bucau wrote: Hi all, Before we reroll the failed 3.8.0 I'd like we discuss openly the next versioning since it seems we didn't reach a consensus yet and trying to not create too much friction for users and in the community. As a reminder the only

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Olivier Lamy
On Sun, 28 Mar 2021 at 8:07 pm, Hervé BOUTEMY wrote: > thank you Romain for your view > > current reasoning behind 3.8.0 choice is written in release notes [1] > > - Why not 3.6.4? > This is not just a bugfix as it contains three features that cause a > change of default behavior (external HTTP

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Som Lima
Thanks for clearing that up. One step closer to choosing the version number. On Sun, 28 Mar 2021, 12:05 Tibor Digana, wrote: > Hi Som Lima, > > Regarding (1), the Maven Central works with HTTPS for some time already. > Regarding the Repository Managers, e.g. Nexus or JFrog they have to be >

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Tibor Digana
Hi Som Lima, Regarding (1), the Maven Central works with HTTPS for some time already. Regarding the Repository Managers, e.g. Nexus or JFrog they have to be updated to HTTPS in companies which is normal work for the administrators and devops teams, not for the users or devs, but nowadays the

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Romain Manni-Bucau
Side note: was reviewing TomEE versioning policy which is very very close to what we find in most companies having a versioning policy for security vulnerabilities (https://tomee.apache.org/security/) and it tends to show that the 3.6 handling would be a 3.6.3.1 with the security fix. Maybe an

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Som Lima
As a user these points would be MAJOR concerns 1. external HTTP insecure URLs are now blocked by default 2. your builds may fail when using this new Maven release. I would say go for version 5.0 suggesting a fresh start. A clear separation. Leaving you enough versions to fix 3.6.3 bugs where

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Romain Manni-Bucau
Hi Hervé, What about the 3.6.4 with this fix need anyway (to be clear: security fixes must be backported in ~LTS, ie 3.6 as of today - even if we can't have such statement it is needed in practise anyway)? I don't clearly read in your answer what would be the plan to manage it. To try to be very

Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Hervé BOUTEMY
thank you Romain for your view current reasoning behind 3.8.0 choice is written in release notes [1] - Why not 3.6.4? This is not just a bugfix as it contains three features that cause a change of default behavior (external HTTP insecure URLs are now blocked by default): your builds may fail

[DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other

2021-03-28 Thread Romain Manni-Bucau
Hi all, Before we reroll the failed 3.8.0 I'd like we discuss openly the next versioning since it seems we didn't reach a consensus yet and trying to not create too much friction for users and in the community. As a reminder the only feature the release will get is to prevent HTTP repo (in favor