After my commits today to remove the proxy module and clean up some things, I think we're pretty much ready to go for a new BlazeDS release. I don't have any further time to work on it this month, but I can make it happen in February.
- Josh

On 2023/01/10 07:22:22 Yishay Weiss wrote:
> Thanks for working on this.
>
> Chris gave some guidelines [2] for the release process.
>
> Maybe the plc4x check-list [1] is helpful?
>
> [1] https://plc4x.apache.org/developers/release/release.html
>
> [2]
> The release itself should be the normal Maven release process … you can see
> in the plc4x release documentation on how you need to configure your system:
> https://plc4x.apache.org/developers/release/release.html
>
> The short version of a release should be:
>
> mvn release:prepare
>
> mvn release:perform
>
> And the plc4x documentation describes what has to be done in the nexus repo
> for staging and releasing the maven artifacts.
>
> From: Josh Tynjala<mailto:joshtynj...@apache.org>
> Sent: Tuesday, January 10, 2023 2:03 AM
> To: dev@flex.apache.org<mailto:dev@flex.apache.org>
> Subject: Re: BlazeDS release
>
> Okay, some updates on my progress with BlazeDS.
>
> - I made the necessary changes to remove the vulnerable xalan dependency.
> - I looked at the proxy module issue, where we need to replace the obsolete
> commons-httpclient 3.x with its successor, httpcomponents-httpclient 4.x. It
> seems to be non-trivial to upgrade. I'm not sure that we have much test
> coverage either, so there would be a certain amount of risk. I can see why
> Piotr said that we should exclude the proxy module from the release instead.
> I want to do a little bit of testing/investigation to see how much impact
> removing the proxy module might have.
> - I moved the OWASP dependency checker into a 'with-owasp' profile. We don't
> want that being a default part of the build because a failing build will be
> confusing for users that want to build from source, if any new CVEs are
> issued in the future. It should be mainly for our CI and release managers
> instead. It can be enabled by adding `-P with-owasp` to the `mvn install`
> command.
> - I replaced the 'flex-ci-build' profile with a new 'with-distribution'
> profile. It builds not only the source distribution, but also a **new**
> binary distribution, which we didn't have before. The binary distribution is
> identical to the source distribution, except that it also has a 'lib'
> directory that contains all of the built .jar files and their required
> dependencies.
> - I merged everything from security-updates into develop. I'll continue any
> further work on develop.
>
> Folks, I need help with one thing: Do we have release manager
> instructions/checklist for BlazeDS? Thanks!
>
> - Josh
>
> On 2023/01/04 20:59:29 Josh Tynjala wrote:
> > I'd like to spend some time this month finishing up the recent BlazeDS
> > stuff so that we can get it released.
> >
> > Can someone confirm that the changes listed here are still what should be
> > done? It looks straightforward enough.
> >
> > https://lists.apache.org/thread/9h7th05wc57399jp7l7mj11c45nq8jbn
> >
> > And which branch should I commit to? security-updates? develop? master?
> > Something else?
> >
> > Thanks,
> >
> > --
> > Josh Tynjala
> > Bowler Hat LLC <https://bowlerhat.dev>
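
An added example, not part of the original thread and not BlazeDS's actual pom.xml: one way an opt-in profile like the 'with-owasp' profile described above can be laid out, so that the OWASP dependency check runs only when `-P with-owasp` is passed. Only the profile id comes from the thread; the version property and the CVSS threshold are assumed values.

```xml
<!-- Illustrative sketch; only the profile id 'with-owasp' comes from the thread. -->
<profiles>
  <profile>
    <!-- No <activation> element, so the profile is off unless requested. -->
    <id>with-owasp</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.owasp</groupId>
          <artifactId>dependency-check-maven</artifactId>
          <!-- Placeholder: define this property with the version you pin. -->
          <version>${dependency-check.version}</version>
          <configuration>
            <!-- Assumed threshold: fail on any finding with CVSS >= 7. -->
            <failBuildOnCVSS>7</failBuildOnCVSS>
          </configuration>
          <executions>
            <execution>
              <goals>
                <!-- 'check' binds to the verify phase by default. -->
                <goal>check</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this layout a plain `mvn install` skips the check, so a newly published CVE cannot break a source build for users, while CI and release managers running `mvn install -P with-owasp` get a failing build when a dependency meets the threshold.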