Hello all,

Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Hupa retirement.

[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html

 - The latest release (0.3.0) dates from 2012 which is an eternity in
 - The latest tag on Github is 0.0.3
 - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
 - This repository is crippled by multiple CVEs (quick dependabot review):
      - CVE-2021-29425 (commons-io)
      - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
      - CVE-2020-9447 (gwtupload)
      - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
      - CVE-2019-17571 (log4j)
      - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
 - Sporadic activity since 2012
 - Zero to no exchanges for several years on the mailing lists.

Given that alternatives exists, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.

|Voting rules: - This is a majority vote as stated in [2] for procedural
issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
https://www.apache.org/foundation/voting.html Following this retirement,
follow up steps are to be taken as described in [3] [3]
https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
Get a formal vote on server-dev mailing list
 - 2. Place a RETIRED_PROJECT file marker in the git
 - 3. Add a note in the project README
 - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
 - 5. Announce it on gene...@james.apache.org and announce@apache
 - 6. Add a notice to the Apache website, if present
 - 7. Remove releases from downloads.apache.org
 - 8. Add notices on the Apache release archives (example

Best regards,

Benoit Tellier

To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to