Thanks Chris! We need a volunteer to do the work to create a release for this.
I’ve never used BlazeDS, so I don’t feel comfortable doing it. Any takers? Thanks, Harbs > On Jun 17, 2022, at 12:44 PM, Christofer Dutz <christofer.d...@c-ware.de> > wrote: > > Hi all, > > I have created a branch: "security-updates" ... here I updated most of the > libraries to get rid of vulnerable artifacts. > All of the tomcat modules, I had to comment out as there's no invulnerable > tomcat version up to 7. > I also commented out the JMS related stuff as there's no active-mq version > without vulnerabilities. > And especially I commented out the spring-boot-starter, as it relies on the > spring-flex-core library which is discontinued on the spring side and greatly > out of date. Also did I try updating to the latest Spring version, it seems > there was not a single pre 6.0 version that wasn't reporting a lot of CVEs. > > One thing that needs changing before releasing a new version of BlazeDS, > would be to update from: > commons-httpclient: commons-httpclient to > org.apache.httpcomponents:httpclient ... however this was not just a small > update of the dependencies. Here the code would require some refactoring. > > I updated the build to the latest Apache parent pom, updated the plugins, had > to update the compiler to Java 1.8 as base-line version as 1.6 I can no > longer build. > > I added the rat-plugin as some files were missing Apache headers, I added the > owasp plugin to scan for vulnerabilities and to fail the build if something > above a score of 4.0 is found. > > Given my history with Flex and Roayle, I don't feel the desire to put any > more effort into this. You should now be on a good track to being able to > release a new version of BlazeDS. I don't care if this is in Apache Flex or > in Apache Royale. > > > Chris > > > -----Original Message----- > From: Rich Bowen <rbo...@apache.org> > Sent: Mittwoch, 15. Juni 2022 20:10 > To: dev@flex.apache.org > Subject: Project retiring and board discussion > > I wanted to follow up on today's discussion on the board of directors call, > but first I have read a little bit of your mailing list archive, and that has > changed what I was going to say. > > Over the past year, the project has reported, in almost every board report, > that the project is inactive and planning to retire. But then I read the last > few months of email to this list, and it appears that the actual project > community has no such desire. Mostly I want to commend you for having that > conversation and putting the user community first. > > To be clear, there is no obligation to produce releases in order to continue > to operate a user-centric project. If you have users that rely on you, and > you have an active community (where "active" is defined as 3+ PMC members > able to respond in the case of a CVE, and folks who are available to answer > user questions) then you still have an "active" project. > > That said, it's worth noting Chris Dutz's comment on your board report, > regarding the BlazeDS sub-project and its Log4J dependencies. He suggests > possibly investigating passing that sub-project over to Royale, if there are > not sufficient people here to address that concern. > > Anyways, please do reach out if you have any questions. But know that > "active" has many different possible definitions, and that projects are not > obligated to meet every bar in order to be serving their user community. > > --Rich, for the Board of Directors.
