Thanks for working on this. Chris gave some guidelines [2] for the release process.
Maybe the plc4x check-list [1] is helpful? [1] https://plc4x.apache.org/developers/release/release.html [2] The release itself should be the normal Maven release process … you can see in the plc4x release documentation on how you need to configure your system: https://plc4x.apache.org/developers/release/release.html The short version of a release should be: mvn release:prepare mvn elease:perform And the plc4x documentation describes what has to be done in the nexus repo for staging and releasing the maven artifacts. From: Josh Tynjala<mailto:joshtynj...@apache.org> Sent: Tuesday, January 10, 2023 2:03 AM To: dev@flex.apache.org<mailto:dev@flex.apache.org> Subject: Re: BlazeDS release Okay, some updates on my progress with BlazeDS. - I made the necessary changes to remove the vulnerable xalan dependency. - I looked at the proxy module issue, where we need to replace the obsolete commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It seems to be non-trivial to upgrade. I'm not sure that we have much test coverage either, so there would be a certain amount of risk. I can see why Piotr said that we should exclude the proxy module from the release instead. I want to do a little bit of testing/investigation to see how much impact removing the proxy module might have. - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't want that being a default part of the build because a failing build will be confusing for users that want to build from source, if any new CVEs are issued in the future. It should be mainly for our CI and release managers instead. It can be enabled by adding `-P with-owasp` to the `mvn install` command. - I replaced the 'flex-ci-build' profile with a new 'with-distribution' profile. It builds not only the source distribution, but also a **new** binary distribution, which we didn't have before. The binary distribution is identical to the source distribution, except that it also has a 'lib' directory that contains all of the built .jar files and their required dependencies. - I merged everything from security-updates into develop. I'll continue any further work on develop. Folks, I need help with one thing: Do we have release manager instructions/checklist for BlazeDS? Thanks! - Josh On 2023/01/04 20:59:29 Josh Tynjala wrote: > I'd like to spend some time this month finishing up the recent BlazeDS > stuff so that we can get it released. > > Can someone confirm that the changes listed here are still what should be > done? It looks straightforward enough. > > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn > > And which branch should I commit to? security-updates? develop? master? > Something else? > > Thanks, > > -- > Josh Tynjala > Bowler Hat LLC <https://bowlerhat.dev> >
