I've rebased the PR. I have 1 failure I'm looking at

On Fri, May 19, 2023, 15:16, Christopher Shannon <christopher.l.shan...@gmail.com> wrote:

> I think we should just go with JSON-P since that's what Artemis is using and it seems like everyone agrees that will at least work for people who want to switch out the implementation.
>
> On Wed, May 17, 2023 at 5:36 AM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>
> > The issue is that CVEs are frequent on Jackson and we can't always release ActiveMQ quickly with just a Jackson version update.
> > It's also a pain on other Apache projects such as Apache TomEE for example.
> > If Jackson upgrades ActiveMQ upgrades, TomEE also needs to upgrade.
> >
> > I understand that relying on a JSON Mapper is easier and opens some doors.
> > How long have we been using Jackson in the WebConsole and how much have we added over the last years?
> >
> > Our usage is pretty simple though, so if we can save our users the pain of updating I think it's positive for the project and our user experience.
> >
> > If it's ready, let's rebase the PR and merge it so at least we can pick up another provider.
> >
> > Thanks for all the follow up
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> > On Wed, May 17, 2023 at 5:57 AM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> >
> > > FYI, Romain provided a PR to use Apache Johnzon a while ago:
> > > https://github.com/apache/activemq/pull/308
> > >
> > > The PR is fine (I already tested when submitted), it just needs a rebase.
> > > If we agree, I can move forward on this one.
> > >
> > > Regards
> > > JB
> > >
> > > On Wed, May 17, 2023 at 4:04 AM Justin Bertram <jbert...@apache.org> wrote:
> > >
> > > > For what it's worth, Artemis uses JSON-P [1] since it's a standard, simple API. We use Apache Johnzon for the implementation. It does everything we need given our relatively basic use-cases.
> > > >
> > > > Additionally, we wrap the API so that all the broker code can use the wrapper and the wrapper can be modified to work in Java EE or Jakarta EE environments.
> > > >
> > > > Justin
> > > >
> > > > [1] https://javaee.github.io/javaee-spec/javadocs/javax/json/package-summary.html
> > > >
> > > > On Tue, May 16, 2023 at 6:02 PM Christopher Shannon <christopher.l.shan...@gmail.com> wrote:
> > > >
> > > > > Yes, this keeps coming up and as JB said I don't see a problem with Jackson, it can be updated for CVEs and works very well and is quite feature rich in case we need it.
> > > > >
> > > > > If we are going to do any JSON serialization I don't want to re-invent the wheel and create our own serializer, so we should at least use an existing library, even if we make it pluggable like JSON-B.
> > > > >
> > > > > There are alternatives too like Gson if we wanted something smaller/lightweight.
> > > > >
> > > > > On Tue, May 16, 2023 at 3:11 PM Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > We discussed this already in the past. IMHO, we can replace Jackson by just SAX (no need to use JSON-B regarding our usage).
> > > > > >
> > > > > > That said, I don't see any huge issue with Jackson: it works fine and we keep the versions up to date to fix CVE.
> > > > > >
> > > > > > The only interesting move would be to use SAX parsing directly instead of a mapper.
> > > > > >
> > > > > > Regards
> > > > > > JB
> > > > > >
> > > > > > On Tue, May 16, 2023 at 12:17 PM Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
> > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > Jackson seems to be frequently affected by CVEs and it's really a pain for users.
> > > > > > >
> > > > > > > Looks like Jackson is only used in the WebConsole to read/write a few attributes. I'm sure we can get rid of it and either use a standard API so one can plug in any implementation, or just write down a utility class to parse the small attribute we have to.
> > > > > > >
> > > > > > > Thoughts?
> > > > > > >
> > > > > > > I'm happy to do a PR to remove it if that's the consensus.
> > > > > > >
> > > > > > > --
> > > > > > > Jean-Louis Monteiro
> > > > > > > http://twitter.com/jlouismonteiro
> > > > > > > http://www.tomitribe.com