Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-05 Thread Tibor Digana
I am working on a removal of the dom4j library and use of the Java XML API.
Sytwester, connect to the Slack pls.

On Wed, Jun 5, 2019 at 8:28 AM Robert Scholte  wrote:

> > What stops us developing on Java 8?
> > Maven project stops us.
>
> I think this deserves some clearance, because I have a different opinion
> on this.
> It is quite natural that plugins start picking up and requiring a more
> recent version of Java before Maven does.
> If there's a good reason to move forward (in this case to Java 8), I don't
> mind doing that.
> With our plugin system, if they can't use this because they run Maven on
> an older version of Java, they can lock the plugin version to the last
> compatible one.
> Right now most environments are already running on Java 8 and won't notice
> such upgrade.
> Also keep in mind there's a difference between Java for Maven runtime and
> JDK for the compiler, these can be separated.
> I would love to hear from somebody that thinks he or she would be blocked
> by such change, it shouldn't be an issue but maybe I'm missing a detail.
>
> So if we can stay Java 7 compatible, that's fine but is not a blocking
> requirement (especially since this plugin is not a lifecycle plugin).
>
> Robert
> On 4-6-2019 22:05:33, Tibor Digana  wrote:
> What stops us developing on Java 8?
> Maven project stops us.
> We wanted to use Java 7 and not higher. Therefore reworking the little code
> with removed dom4j keeps javac still on java7 and we would not have a
> problem when dom4j moves to java9+ because of non-applicable CVEs. We can
> use Java XML Api instead of dom4j.
>
> On Tue, Jun 4, 2019 at 6:32 PM Tamás Cservenák wrote:
>
> > Just wondering: what stops you developing on more modern java, and
> > targeting older java? Or in other words, why is using target java a must on
> > development? Just curious.
> >
> > Ps: sry for jumping the thread
> >
> > On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold
> > wrote:
> >
> > > I know there are plenty of places at Java 8+. There are also many who
> > > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > > and I know of others even further back than that.
> > >
> > > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory
> > > wrote:
> > > >
> > > > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7
> > > > is in the distant past. Most people can't even get Java 7 updates since it
> > > > is EOL unless you pay.
> > > >
> > > > Gary
> > > >
> > > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold
> > > elh...@ibiblio.org>
> > > > wrote:
> > > >
> > > > > I agree that this should be fixed. I'm not yet convinced that
> > > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > > >
> > > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli
> > >
> > > > > wrote:
> > > > > >
> > > > > > Elliotte,
> > > > > >
> > > > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold
> > > > > > elh...@ibiblio.org> wrote:
> > > > > >
> > > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> > > > > > > can be scheduled.
> > > > > > >
> > > > > > > And if that doesn't work, how much effort is it to switch off of
> > > > > > > dom4j completely?
> > > > > > >
> > > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > > compatibility this soon.
> > > > > > >
> > > > > >
> > > > > > Are you -1 with this change?
> > > > > > If a user wants to use Java 7 he can use the current version of the
> > > > > > plugin.
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony
> > tony.ho...@intel.com>
> > > > > wrote:
> > > > > > > >
> > > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > > > > > > > vulnerable to CVE-2018-1000632 [1].
> > > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > > > > > > > 2.1.1 is needed.
> > > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+)
> > > > > > > > but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > > >
> > > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > > What else I should do to advance this proposal?
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Tony Homer
> > > > > > > >
> > > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > > [3] https://dom4j.github.io
> > > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > 
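The dom4j-free route Tibor describes, as an added example that is not code from this thread or from PR #28: building a document with the JDK DOM API and serializing it with a Transformer. The point worth checking when replacing a library affected by CVE-2018-1000632 (element and attribute names taken from input without validation) is that the replacement refuses strings that are not XML Names and escapes text on output; the JDK DOM implementation does both, as shown below. The class and helper names are hypothetical and the inputs are constructed.

```java
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.DOMException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/** Hypothetical helper: JDK DOM + Transformer instead of dom4j's Element API. */
public class JdkXmlExample {

    /** Adds a child element; the JDK DOM validates the name and escapes the text on output. */
    static Element addChild(Element parent, String name, String text) {
        Document doc = parent.getOwnerDocument();
        // Throws DOMException with code INVALID_CHARACTER_ERR if name is not an XML Name.
        Element child = doc.createElement(name);
        // Text content is stored as data and escaped by the serializer, never parsed as markup.
        child.setTextContent(text);
        parent.appendChild(child);
        return child;
    }

    static String serialize(Document doc) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
        Element root = doc.createElement("archetype-descriptor");
        doc.appendChild(root);

        // Constructed inputs: markup in text is escaped; markup in a name is rejected.
        addChild(root, "requiredProperty", "<not-markup/>");
        try {
            addChild(root, "a><b", "x");
            System.out.println("FAIL: non-Name accepted as element name");
        } catch (DOMException e) {
            // e.code is DOMException.INVALID_CHARACTER_ERR (5)
            System.out.println("rejected invalid element name, code=" + e.code);
        }
        System.out.println(serialize(doc));
    }
}
```

The serialized output contains `&lt;not-markup/&gt;` as text and no second element, which is the behaviour to assert in a unit test when swapping the XML library.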

Re: proposal for maven-archetype to switch to dom4j 2.1.1 (and Java 8)

2019-06-05 Thread Robert Scholte
> What stops us developing on Java 8?
> Maven project stops us.

I think this deserves some clearance, because I have a different opinion on 
this.
It is quite natural that plugins start picking up and requiring a more recent 
version of Java before Maven does.
If there's a good reason to move forward (in this case to Java 8), I don't mind 
doing that.
With our plugin system, if they can't use this because they run Maven on an 
older version of Java, they can lock the plugin version to the last compatible 
one.
Right now most environments are already running on Java 8 and won't notice such 
upgrade.
Also keep in mind there's a difference between Java for Maven runtime and JDK 
for the compiler, these can be separated.
I would love to hear from somebody that thinks he or she would be blocked by 
such change, it shouldn't be an issue but maybe I'm missing a detail.

So if we can stay Java 7 compatible, that's fine but is not a blocking 
requirement (especially since this plugin is not a lifecycle plugin). 

Robert
On 4-6-2019 22:05:33, Tibor Digana  wrote:
What stops us developing on Java 8?
Maven project stops us.
We wanted to use Java 7 and not higher. Therefore reworking the little code
with removed dom4j keeps javac still on java7 and we would not have a
problem when dom4j moves to java9+ because of non-applicable CVEs. We can
use Java XML Api instead of dom4j.

On Tue, Jun 4, 2019 at 6:32 PM Tamás Cservenák wrote:

> Just wondering: what stops you developing on more modern java, and
> targeting older java? Or in other words, why is using target java a must on
> development? Just curious.
>
> Ps: sry for jumping the thread
>
> On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold
> wrote:
>
> > I know there are plenty of places at Java 8+. There are also many who
> > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > and I know of others even further back than that.
> >
> > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory
> > wrote:
> > >
> > > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7
> > > is in the distant past. Most people can't even get Java 7 updates since it
> > > is EOL unless you pay.
> > >
> > > Gary
> > >
> > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold
> > elh...@ibiblio.org>
> > > wrote:
> > >
> > > > I agree that this should be fixed. I'm not yet convinced that
> > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > >
> > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli
> >
> > > > wrote:
> > > > >
> > > > > Elliotte,
> > > > >
> > > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold
> > > > > elh...@ibiblio.org> wrote:
> > > > >
> > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release
> > > > > > can be scheduled.
> > > > > >
> > > > > > And if that doesn't work, how much effort is it to switch off of
> > > > > > dom4j completely?
> > > > > >
> > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > compatibility this soon.
> > > > > >
> > > > >
> > > > > Are you -1 with this change?
> > > > > If a user wants to use Java 7 he can use the current version of the
> > > > > plugin.
> > > > >
> > > > > Enrico
> > > > >
> > > > > >
> > > > > >
> > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony
> tony.ho...@intel.com>
> > > > wrote:
> > > > > > >
> > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > > > > > > vulnerable to CVE-2018-1000632 [1].
> > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > > > > > > 2.1.1 is needed.
> > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+)
> > > > > > > but the latest release (2.0.2) is vulnerable to CVE-2018-1000632.
> > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > >
> > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > What else I should do to advance this proposal?
> > > > > > >
> > > > > > > Thanks!
> > > > > > > Tony Homer
> > > > > > >
> > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > [3] https://dom4j.github.io
> > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Elliotte Rusty Harold
> > > > > > elh...@ibiblio.org
> > > > > >
> > > > > >
> > > >
> > > > --
> > > > Elliotte Rusty Harold
> > > > elh...@ibiblio.org
> > > >
> >