More on the retirement topic. Getting inspired by https://ant.apache.org/processes.html#Retire:%20Mailing%20List the procedure would be to:
- 1. Get a formal vote on server-dev mailing list - 2. Place a RETIRED_PROJECT file marker in the git - 3. Add a note in the project README - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE) - 5. Announce it on gene...@james.apache.org and announce@apache - 6. Add a notice to the Apache website, if present - 7. Remove releases from downloads.apache.org - 8. Add notices on the Apache release archives (example https://archive.apache.org/dist/ant/antidote/) Note that there is also a procedure to re-activate a previously retired sub-project. Best regards, Benoit TELLIER On 19/07/2021 15:30, Jean Helou wrote: > I think this is an excellent idea ! +1 > > thank you benoit ! > jean > > > On Mon, Jul 19, 2021 at 10:16 AM btell...@apache.org <btell...@apache.org> > wrote: > >> Hello all, >> >> While fixing our download pages following some infra bot complains, I >> ended up fixing the downloads for Apache James Hupa. >> >> - The latest release (0.3.0) dates from 2012 which is an eternity in >> computing. >> - The latest tag on Github is 0.0.3 >> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is >> lost :-( >> - This repository is crippled by multiple CVEs (quick dependabot review): >> - CVE-2021-29425 (commons-io) >> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657 >> CVE-2019-10241 CVE-2019-10247 (Jetty server) >> - CVE-2020-9447 (gwtupload) >> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp) >> - CVE-2019-17571 (log4j) >> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload) >> - Sporadic activity since 2012 >> - Zero to no exchanges for several years on the mailing lists. >> >> From the Readme: >> >>> Hupa is able to discover most of the imap/smtp configuration based on >> the email domain part. When you are prompted to login, type your email >> address and wait few seconds, if you click on the gear button you can >> see the configuration discovered by Hupa, you can modify it if it does >> not match your email provider configuration. Then type your inbox >> password and you will be logged into your email provider servers. >> >>> Hupa is compatible with most email providers, gmail, yahoo, hotmail, >> outlook, exchange, james, etc. >> >> I fail to see the value added compared to other webmails like roundcube, >> rainloops to quote a few... >> >> As such, given that alternatives exists, given that the project is >> likely not mature, unmaintained and unsecure, I propose to retire this >> Apache James subproject. >> >> I will do research on procedures and best practices to do so. I guess a >> formal vote would be necessary. Likely contact Apache Labs were the >> project originated from in 2009... >> >> Best regards, >> >> Benoit TELLIER >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org >> For additional commands, e-mail: server-dev-h...@james.apache.org >> >> --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org
