Yes, we have to because we still support building on older JDKs (that's what we do on the CI server, build against multiple JDKs, even if it implies a degraded mode) and even with JDK 7 you cannot make sure that the version one uses actually has the fix.
2015-06-08 7:45 GMT+02:00 Pascal Schumacher <[email protected]>: > Do we still need this fix? Don't we use a version of the jdk 7 to build > which already includes this fix? > > Cheers, > Pascal > > > Am 08.06.2015 um 05:17 schrieb Paul King: > >> On 8/06/2015 8:56 AM, Roman Shaposhnik wrote: >> >>> 3. The wording around licensing on >>> buildSrc/src/main/java/JavadocFixTool.java >>> makes me worried. Has the licensing implications of this >>> file every been discussed? >>> >> >> We run this class on JavaDoc we produce to avoid security vulnerability >> CVE-2013-1571. We don't further distribute the class, i.e. it never >> becomes >> part of the built artifacts. In any case, it looks like other Apache >> projects step around the issue with a parallel-engineered Ant macro: >> >> https://issues.apache.org/jira/browse/LEGAL-171 >> >> Cheers, Paul. >> >> >> Thanks, >>> Roman. >>> >>> On Sun, Jun 7, 2015 at 8:48 AM, Cédric Champeau >>> <[email protected]> wrote: >>> >>>> Dear community, >>>> >>>> I am happy to start the first VOTE thread for a Groovy release under the >>>> Apache Incubator umbrella! >>>> This release both includes a lot of bugfixes, but also required some >>>> adjustments for the sake of conforming to the Apache Software >>>> Foundation and >>>> Apache Incubator guidelines. A big thank to all who contributed and >>>> helped >>>> us! >>>> >>>> The changelog for this release can be found here: >>>> >>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12318123&version=12331941 >>>> >>>> Tag for the release: >>>> >>>> https://git1-us-west.apache.org/repos/asf?p=incubator-groovy.git;a=tag;h=19f70958f39f0cc5c6b4d3e9471fd297400647d2 >>>> >>>> The artifacts to be voted on are located here: >>>> http://people.apache.org/~cchampeau/groovy/ >>>> >>>> Release artifacts are signed with the following keys: >>>> http://people.apache.org/~cchampeau/groovy/KEYS >>>> >>>> It is expected that voters check at least checksums and signatures, and >>>> of >>>> course much better if you can also verify the source package. >>>> >>>> Please vote on releasing this package as Apache Groovy 2.4.4-incubating. >>>> >>>> The vote is open for the next 72 hours and passes if a majority of at >>>> least >>>> three +1 PPMC votes are cast. >>>> >>>> [ ] +1 Release Apache Groovy 2.4.4-incubating >>>> [ ] 0 I don't have a strong opinion about this, but I assume it's ok >>>> [ ] -1 Do not release Apache Groovy 2.4.4-incubating because... >>>> >>>> Here is my vote: >>>> >>>> +1 (binding) >>>> >>>> >>> >> >> --- >> This email has been checked for viruses by Avast antivirus software. >> https://www.avast.com/antivirus >> >> >
