Agreed on the OSGi requirements as that matches the Java baseline requirements. As for the EE stuff, I’m less familiar with this area these days as the only EE thing I really use anymore is Tomcat (as part of Spring Boot).
— Matt Sicker > On May 28, 2022, at 03:04, Piotr P. Karwasz <[email protected]> wrote: > > Hi, > > Given the recent series of Dependabot proposals I was wondering what are > the baselines In Log4j2 for Java EE and OSGI technologies. We don't really > use them extensively, so we can tell Dependabot to stay at an older version > and don't propose any upgrades. > > Given the cheat sheet at: > > https://www.oracle.com/java/technologies/javaee/javaeetechnologies.html > <https://www.oracle.com/java/technologies/javaee/javaeetechnologies.html#javaee5> > > we are using: > > * from Java EE 5: the Server Pages API, > * from Java EE 6: the Servlet API, Message Service API > * from Java EE 8: the Mail API, Persistence API > > Maybe we should use a single version? For reference Tomcat stopped > supporting the 7.0 series (Java EE 6) last year, while the 8.5 (Java EE 7) > and 9.0 (Java/Jakarta EE 8) are still supported. The `log4j-web` artifact > uses Servlet 3.0 (Java EE 6) features, so we can not set the baseline lower > than that. What do you think about setting the baseline to Java EE 8 (or > use the Jakarta EE 8 artifacts) for the 2.x series and Jakarta EE 9 for the > 3.x series? > > Another question is the OSGI baseline. I don't know what are the current > version distribution of OSGI servers, but looking at PAX Logging: > > * the 1.10.x series (May 2017-current) is using OSGI 4.3 and our 2.12.x > series, > * the 1.11.x series (July 2019-current) is using OSGI 6.0 and our current > 2.x version, > * the 2.x series (January 2020-current) is using OSGI 7.0 and our current > 2.x version. > > Therefore my proposal would be to use OSGI 6.0 for the 2.x series (Matt > just upgraded it) and OSGI 7.0 for the 3.x series. > > Piotr
