I think we should just go with JSON-P since that's what Artemis is using
and it seems like everyone agrees that will at least work for people who
want to switch out the implementation.

On Wed, May 17, 2023 at 5:36 AM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> The issue is that CVEs are frequent on Jackson and we can't always release
> ActiveMQ quickly with just a Jackson version update.
> It's also a pain on other Apache projects such as Apache TomEE for example.
> If Jackson upgrades ActiveMQ upgrades, TomEE also needs to upgrade.
>
> I understand that relying on a JSON Mapper is easier and opens some doors.
> How long have we been using Jackson in the WebConsole and how much have we
> added over the last years?
>
> Our usage is pretty simple though, so if we can save our users the pain of
> updating I think it's positive for the project and our user experience.
>
> If it's ready, let's rebase the PR and merge it so at least we can pick up
> another provider.
>
> Thanks for all the follow up
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Wed, May 17, 2023 at 5:57 AM Jean-Baptiste Onofré <j...@nanthrax.net>
> wrote:
>
> > FYI, Romain provided a PR to use Apache Johnzon a while ago:
> > https://github.com/apache/activemq/pull/308
> >
> > The PR is fine (I already tested when submitted), it just needs a rebase.
> > If we agree, I can move forward on this one.
> >
> > Regards
> > JB
> >
> > On Wed, May 17, 2023 at 4:04 AM Justin Bertram <jbert...@apache.org>
> > wrote:
> > >
> > > For what it's worth, Artemis uses JSON-P [1] since it's a standard, simple
> > > API. We use Apache Johnzon for the implementation. It does everything we
> > > need given our relatively basic use-cases.
> > >
> > > Additionally, we wrap the API so that all the broker code can use the
> > > wrapper and the wrapper can be modified to work in Java EE or Jakarta EE
> > > environments.
> > >
> > >
> > > Justin
> > >
> > > [1] https://javaee.github.io/javaee-spec/javadocs/javax/json/package-summary.html
> > >
> > > On Tue, May 16, 2023 at 6:02 PM Christopher Shannon <
> > > christopher.l.shan...@gmail.com> wrote:
> > >
> > > > Yes, this keeps coming up and as JB said I don't see a problem with
> > > > Jackson, it can be updated for CVEs and works very well and is quite
> > > > feature rich in case we need it.
> > > >
> > > > If we are going to do any JSON serialization I don't want to re-invent the
> > > > wheel and create our own serializer, so we should at least use an existing
> > > > library, even if we make it pluggable like JSON-B.
> > > >
> > > > There's alternatives too like Gson if we wanted something
> > > > smaller/lightweight.
> > > >
> > > > On Tue, May 16, 2023 at 3:11 PM Jean-Baptiste Onofré <j...@nanthrax.net>
> > > > wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > We discussed this already in the past. IMHO, we can replace jackson by
> > > > > just sax (no need to use JSON-B regarding our usage).
> > > > >
> > > > > That said, I don't see any huge issue with Jackson: it works fine and
> > > > > we keep the versions up to date to fix CVE.
> > > > >
> > > > > The only interesting move would be to use SAX parsing directly instead
> > > > > of a mapper.
> > > > >
> > > > > Regards
> > > > > JB
> > > > >
> > > > > On Tue, May 16, 2023 at 12:17 PM Jean-Louis Monteiro
> > > > > <jlmonte...@tomitribe.com> wrote:
> > > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > Jackson seems to be frequently affected by CVEs and it's really a pain for
> > > > > > users.
> > > > > >
> > > > > > Looks like Jackson is only used in the WebConsole to read/write a few
> > > > > > attributes. I'm sure we can get rid of it and either use a standard API so
> > > > > > one can plug in any implementation, or just write down a utility class to
> > > > > > parse the small attribute we have to.
> > > > > >
> > > > > > thoughts?
> > > > > >
> > > > > > I'm happy to do a PR to remove it if that's the consensus.
> > > > > >
> > > > > > --
> > > > > > Jean-Louis Monteiro
> > > > > > http://twitter.com/jlouismonteiro
> > > > > > http://www.tomitribe.com
> > > > >
> > > >
> >
>
