>> Who's the maintainer?
https://github.com/FilipJirsak

>> Sometimes a friendly ping through back channels can work wonders.
I don't know him but I sent him an email and cc:ed you (Rusty).

On 6/3/19 , 10:12 AM, "Elliotte Rusty Harold" <elh...@ibiblio.org> wrote:

    Who's the maintainer? Sometimes a friendly ping through back channels
    can work wonders.
    
    On Mon, Jun 3, 2019 at 12:46 PM Homer, Tony <tony.ho...@intel.com> wrote:
    >
    > >> Perhaps ask the dom4j developers first to see if a 2.0.3 release can be scheduled.
    > FWIW, there was an issue logged asking for that on 6 December 2018 [1].
    > I noted this in the PR as well [2] as an explanation for the bump to 2.1.1 and Java 8.
    > Just making sure this information is part of the discussion.
    >
    > [1] https://github.com/dom4j/dom4j/issues/55
    > [2] https://github.com/apache/maven-archetype/pull/28
    >
    >
    > On 6/3/19 , 7:59 AM, "Tibor Digana" <tibordig...@apache.org> wrote:
    >
    >     First of all, this PR was created because of vulnerability CVE-2018-1000632.
    >     Vulnerability or non-vulnerability, the version of javac for dom4j:1.6.1 is not an
    >     argument for me.
    >     If some code was broken in that version, it would be an argument. But it is
    >     not an argument to infinitely grow versions only because somebody in CVE
    >     wants to. This really is pushing hard to sell technologies and not common
    >     sense.
    >
    >     T
    >
    >     On Mon, Jun 3, 2019 at 4:48 PM Elliotte Rusty Harold <elh...@ibiblio.org>
    >     wrote:
    >
    >     > I know there are plenty of places at Java 8+. There are also many who
    >     > haven't gotten that far. Some of my day job involves Java 7+ clients,
    >     > and I know of others even further back than that.
    >     >
    >     > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory <garydgreg...@gmail.com>
    >     > wrote:
    >     > >
    >     > > FWIW, we are talking at work about Java 8 and 11 only these days. Java 7 is
    >     > > in the distant past. Most people can't even get Java 7 updates since it is
    >     > > EOL unless you pay.
    >     > >
    >     > > Gary
    >     > >
    >     > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold <elh...@ibiblio.org>
    >     > > wrote:
    >     > >
    >     > > > I agree that this should be fixed. I'm not yet convinced that
    >     > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
    >     > > >
    >     > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli <eolive...@gmail.com>
    >     > > > wrote:
    >     > > > >
    >     > > > > Elliotte,
    >     > > > >
    >     > > > > On Mon, 3 Jun 2019 at 15:59 Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
    >     > > > >
    >     > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3 release can
    >     > > > > > be scheduled.
    >     > > > > >
    >     > > > > > And if that doesn't work, how much effort is it to switch off of dom4j
    >     > > > > > completely?
    >     > > > > >
    >     > > > > > maven-archetype strikes me as too important to drop Java 7
    >     > > > > > compatibility this soon.
    >     > > > > >
    >     > > > >
    >     > > > > Are you -1 with this change?
    >     > > > > If a user wants to use Java 7 he can use the current version of the plugin.
    >     > > > >
    >     > > > > Enrico
    >     > > > >
    >     > > > > >
    >     > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony <tony.ho...@intel.com>
    >     > > > > > wrote:
    >     > > > > > >
    >     > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is vulnerable to
    >     > > > > > > CVE-2018-1000632 [1].
    >     > > > > > > I filed ARCHETYPE-567 [2] to track this.
    >     > > > > > > In order to mitigate this vulnerability, an update to dom4j 2.1.1 is needed.
    >     > > > > > > dom4j 2.1.x requires Java 8+ [3].
    >     > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+) but the
    >     > > > > > > latest release (2.0.2) is vulnerable to CVE-2018-1000632.
    >     > > > > > > The current dev version (2.0.3) seems to contain a fix for
    >     > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
    >     > > > > > >
    >     > > > > > > I opened PR #28 [4] to make these changes.
    >     > > > > > > What else should I do to advance this proposal?
    >     > > > > > >
    >     > > > > > > Thanks!
    >     > > > > > > Tony Homer
    >     > > > > > >
    >     > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
    >     > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
    >     > > > > > > [3] https://dom4j.github.io
    >     > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
    >     > > > > > >
    >     > > > > >
    >     > > > > >
    >     > > > > > --
    >     > > > > > Elliotte Rusty Harold
    >     > > > > > elh...@ibiblio.org
    >     > > > > >
    >     > > > > >
    >     > > > > > ---------------------------------------------------------------------
    >     > > > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
    >     > > > > > For additional commands, e-mail: dev-h...@maven.apache.org
    >     > > > > >
    >     > > >
    >     > > >
    >     > > >
    >     > > > --
    >     > > > Elliotte Rusty Harold
    >     > > > elh...@ibiblio.org
    >     > > >
    >     > > >
    >     >
    >     >
    >     >
    >     > --
    >     > Elliotte Rusty Harold
    >     > elh...@ibiblio.org
    >     >
    >     >
    >
    >
    >
    
    
    
    -- 
    Elliotte Rusty Harold
    elh...@ibiblio.org
    
    
    


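The version constraint the thread turns on (dom4j 1.6.1 and 2.0.2 affected by CVE-2018-1000632, the fix shipped in 2.1.1, and 2.1.x needing Java 8) can be checked mechanically against a POM. The script below is an added example for this page, not code from maven-archetype, dom4j or PR #28; the pom.xml it parses is constructed for illustration, and `assess`, `dom4j_coordinates` and the other names are this example's own. It flags any dom4j coordinate below the fixed release and, separately, whether the declared compiler target is too low to take that fix without the Java baseline bump the thread argues about. The unreleased 2.0.3 is deliberately not treated as fixed, since the thread only says it "seems" to contain a fix.

```python
"""Check a Maven POM for the dom4j line the thread discusses.
Added example for this page, not code from maven-archetype, dom4j or PR #28.
Version facts come from the thread: 1.6.1 and 2.0.2 are affected by
CVE-2018-1000632, the fix shipped in 2.1.1, and dom4j 2.1.x needs Java 8."""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# First released dom4j with the fix, and the Java baseline that line requires (per the thread).
# 2.0.3 is described in the thread only as an unreleased dev version that "seems" to
# contain a fix, so it is deliberately not treated as fixed here.
FIXED_VERSION = (2, 1, 1)
FIX_NEEDS_JAVA = 8

# Constructed sample POM (not maven-archetype's): a Java 7 build pinning dom4j via a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>example-archetype</artifactId>
  <version>1.0</version>
  <properties>
    <maven.compiler.source>1.7</maven.compiler.source>
    <maven.compiler.target>1.7</maven.compiler.target>
    <dom4j.version>1.6.1</dom4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>dom4j</groupId>
      <artifactId>dom4j</artifactId>
      <version>${dom4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(text):
    """'1.6.1' -> (1, 6, 1); '2.0.3-SNAPSHOT' -> (2, 0, 3); None if not numeric."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def java_level(text):
    """Map '1.7' / '1.8' / '11' compiler levels to an int major version."""
    parts = text.strip().split(".")
    return int(parts[1]) if parts[0] == "1" and len(parts) > 1 else int(parts[0])


def pom_properties(root):
    """<properties> children as a dict, used to resolve ${...} references."""
    props = root.find(POM_NS + "properties")
    if props is None:
        return {}
    return {child.tag[len(POM_NS):]: (child.text or "").strip() for child in props}


def resolve(text, props):
    """Expand a single ${property} reference; anything else is returned as-is."""
    m = re.fullmatch(r"\$\{([^}]+)\}", text.strip())
    return props.get(m.group(1), text) if m else text


def dom4j_coordinates(pom_xml):
    """(groupId, artifactId, resolvedVersion) for each dom4j dependency.
    1.x lives under groupId 'dom4j', 2.x under 'org.dom4j'; both are matched."""
    root = ET.fromstring(pom_xml)
    props = pom_properties(root)
    out = []
    for dep in root.iter(POM_NS + "dependency"):
        g = dep.findtext(POM_NS + "groupId", "")
        a = dep.findtext(POM_NS + "artifactId", "")
        v = resolve(dep.findtext(POM_NS + "version", ""), props)
        if g in ("dom4j", "org.dom4j") and a == "dom4j":
            out.append((g, a, v))
    return out


def assess(pom_xml):
    """One dict per dom4j coordinate: is it below the fixed release, and would
    taking the fix force the build's Java target up to 8?"""
    root = ET.fromstring(pom_xml)
    target = pom_properties(root).get("maven.compiler.target")
    level = java_level(target) if target else None  # None: plugin default, not judged here
    report = []
    for g, a, v in dom4j_coordinates(pom_xml):
        pv = parse_version(v)
        vulnerable = pv is not None and pv < FIXED_VERSION
        report.append({
            "coordinate": f"{g}:{a}:{v}",
            "vulnerable": vulnerable,
            "baseline_bump_required": vulnerable and level is not None and level < FIX_NEEDS_JAVA,
        })
    return report


if __name__ == "__main__":
    for entry in assess(SAMPLE_POM):
        print(entry)
```

Run it against a real pom.xml by passing the file contents to `assess`; the check is only as good as the declared coordinates, so for transitive pulls (maven-archetype's own dependency on dom4j, as seen by a downstream build) run it over the output of `mvn help:effective-pom` rather than the raw file.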
