Mike, thanks for the research. Just committed javadoc plugin upgrade to all active branches (CAY-1845). I hope we are all set. (wonder if this can be verified by checking the generated javadocs somehow?)
Andrus

On Jul 9, 2013, at 4:20 PM, Mike Kienenberger <[email protected]> wrote:
> LUCENE's issue stated in the comments that the Oracle tool shouldn't
> be used (apparently it can be integrated with maven). It also stated
> that there was a simple way to duplicate the functionality using
> maven, but I didn't immediately see what that was:
>
> Here's the thread it had on that:
>
> https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185
>
> This seems to point to https://issues.apache.org/jira/browse/MPOM-46
> as one solution later on in the comments
>
> Which seems to be a matter of updating the maven-javadoc-plugin
> version from 2.9 to 2.9.1. Maybe that's all we need as well? If
> not, I'm guessing you could diff the changes between versions 2.9 to
> 2.9.1 and find the solution in a maven environment?
>
> http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692
>
> --- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691 > +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692 
> @@ -184,7 +184,7 @@ > <plugin> > <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-javadoc-plugin</artifactId> > - <version>2.9</version> > + <version>2.9.1</version> > </plugin>
>
> On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger <[email protected]> wrote:
>>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis <[email protected]> wrote:
>>>> Did we change the javadoc build process to avoid the javadoc security flaw
>>>> recently discovered? I patched the website javadocs, but I'm not sure if
>>>> we also have to change something in our maven build process or upgrade
>>>> some plugin.
>>
>> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik <[email protected]>
>> wrote:
>>> Me neither. Probably some research is in order. Should we take this to a
>>> separate thread?
>>
>> Maybe you can copy what some other project has done.
>>
>> I saw a notice about it for tomcat but I believe it is built with ant.
>>
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>>
>> That notice pointed to Lucene, but it says it was built with ivy.
>>
>> https://issues.apache.org/jira/browse/LUCENE-5072
>>
>> So I didn't find a pointer to a maven-based fix.
>
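Review bot: the `<version>2.9.1</version>` line in the `maven-javadoc-plugin` entry of pom.xml carries no comment saying why 2.9.1 is the floor, so a later edit, or a child POM that declares its own plugin version, can drop back to 2.9 without anyone noticing that it undoes the javadoc security fix discussed in this thread. Add a short XML comment beside the version naming the reason, and consider enforcing the minimum version in the build rather than relying on inheritance. The bump only affects newly generated output; javadocs that are already published stay as they are and still need to be regenerated or patched separately, as was done for the website copy.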
