Re: [VOTE] Retire Apache James HUPA

Wed, 28 Jul 2021 08:51:48 -0700 

+1

Le 23/07/2021 à 11:00, btell...@apache.org a écrit :

Hello all,

Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Hupa retirement.

[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html

Rationnals:
  - The latest release (0.3.0) dates from 2012 which is an eternity in
computing.
  - The latest tag on Github is 0.0.3
  - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
  - This repository is crippled by multiple CVEs (quick dependabot review):
       - CVE-2021-29425 (commons-io)
       - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
       - CVE-2020-9447 (gwtupload)
       - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
       - CVE-2019-17571 (log4j)
       - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
  - Sporadic activity since 2012
  - Zero to no exchanges for several years on the mailing lists.

Given that alternatives exists, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.

|Voting rules: - This is a majority vote as stated in [2] for procedural
issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
https://www.apache.org/foundation/voting.html Following this retirement,
follow up steps are to be taken as described in [3] [3]
https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. 
Get a formal vote on server-dev mailing list
  - 2. Place a RETIRED_PROJECT file marker in the git
  - 3. Add a note in the project README
  - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
  - 5. Announce it on gene...@james.apache.org and announce@apache
  - 6. Add a notice to the Apache website, if present
  - 7. Remove releases from downloads.apache.org
  - 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/ 
<https://archive.apache.org/dist/ant/antidote/>)

Best regards,

Benoit Tellier
||


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org




---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to