I am working on the removal of the dom4j library and the use of the Java XML API. Sytwester, connect to the Slack pls.

On Wed, Jun 5, 2019 at 8:28 AM Robert Scholte <[email protected]> wrote:

> > What stops us developing on Java 8?
> > Maven project stops us.
>
> I think this deserves some clearance, because I have a different opinion
> on this.
> It is quite natural that plugins start picking up and requiring a more
> recent version of Java before Maven does.
> If there's a good reason to move forward (in this case to Java 8), I don't
> mind doing that.
> With our plugin system, if they can't use this because they run Maven on
> an older version of Java, they can lock the plugin version to the last
> compatible one.
> Right now most environments are already running on Java 8 and won't notice
> such upgrade.
> Also keep in mind there's a difference between Java for Maven runtime and
> JDK for the compiler, these can be separated.
> I would love to hear from somebody that thinks he or she would be blocked
> by such change, it shouldn't be an issue but maybe I'm missing a detail.
>
> So if we can stay Java 7 compatible, that's fine but is not a blocking
> requirement (especially since this plugin is not a lifecycle plugin).
>
> Robert
>
> On 4-6-2019 22:05:33, Tibor Digana <[email protected]> wrote:
> What stops us developing on Java 8?
> Maven project stops us.
> We wanted to use Java 7 and not higher. Therefore reworking the little code
> with removed dom4j keeps javac still on java7 and we would not have a
> problem when dom4j moves to java9+ because of non-applicable CVEs. We can
> use Java XML Api instead of dom4j.
>
> On Tue, Jun 4, 2019 at 6:32 PM Tamás Cservenák wrote:
>
> > Just wondering: what stops you developing on more modern java, and
> > targeting older java? Or in other words, why is using target java a must
> > on development? Just curious.
> >
> > Ps: sry for jumping the thread
> >
> > On Mon, Jun 3, 2019, 16:48 Elliotte Rusty Harold wrote:
> >
> > > I know there are plenty of places at Java 8+. There are also many who
> > > haven't gotten that far. Some of my day job involves Java 7+ clients,
> > > and I know of others even further back than that.
> > >
> > > On Mon, Jun 3, 2019 at 10:38 AM Gary Gregory wrote:
> > >
> > > > FWIW, we are talking at work about Java 8 and 11 only these days.
> > > > Java 7 is in the distant past. Most people can't even get Java 7
> > > > updates since it is EOL unless you pay.
> > > >
> > > > Gary
> > > >
> > > > On Mon, Jun 3, 2019 at 10:35 AM Elliotte Rusty Harold
> > > > <[email protected]> wrote:
> > > >
> > > > > I agree that this should be fixed. I'm not yet convinced that
> > > > > requiring Java 8 and upgrading to dom4j 2.1 is the best fix.
> > > > >
> > > > > On Mon, Jun 3, 2019 at 10:24 AM Enrico Olivelli wrote:
> > > > >
> > > > > > Elliotte,
> > > > > >
> > > > > > On Mon, Jun 3, 2019 at 3:59 PM Elliotte Rusty Harold
> > > > > > <[email protected]> wrote:
> > > > > >
> > > > > > > Perhaps ask the dom4j developers first to see if a 2.0.3
> > > > > > > release can be scheduled.
> > > > > > >
> > > > > > > And if that doesn't work, how much effort is it to switch off
> > > > > > > of dom4j completely?
> > > > > > >
> > > > > > > maven-archetype strikes me as too important to drop Java 7
> > > > > > > compatibility this soon.
> > > > > >
> > > > > > Are you -1 with this change?
> > > > > > If a user wants to use java 7 he can use current version of the
> > > > > > plugin.
> > > > > >
> > > > > > Enrico
> > > > > >
> > > > > > > On Fri, May 31, 2019 at 3:02 PM Homer, Tony
> > > > > > > <[email protected]> wrote:
> > > > > > >
> > > > > > > > Currently maven-archetype depends on dom4j 1.6.1 which is
> > > > > > > > vulnerable to CVE-2018-1000632 [1].
> > > > > > > > I filed ARCHETYPE-567 [2] to track this.
> > > > > > > > In order to mitigate this vulnerability, an update to dom4j
> > > > > > > > 2.1.1 is needed.
> > > > > > > > dom4j 2.1.x requires Java 8+ [3].
> > > > > > > > dom4j 2.0.x would retain compatibility with Java 7 (Java 5+)
> > > > > > > > but the latest release (2.0.2) is vulnerable to
> > > > > > > > CVE-2018-1000632.
> > > > > > > > The current dev version (2.0.3) seems to contain a fix for
> > > > > > > > CVE-2018-1000632 but has been pending release for ~1 year.
> > > > > > > >
> > > > > > > > I opened PR #28 [4] to make these changes.
> > > > > > > > What else should I do to advance this proposal?
> > > > > > > >
> > > > > > > > Thanks!
> > > > > > > > Tony Homer
> > > > > > > >
> > > > > > > > [1] https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
> > > > > > > > [2] https://issues.apache.org/jira/browse/ARCHETYPE-567
> > > > > > > > [3] https://dom4j.github.io
> > > > > > > > [4] https://github.com/apache/maven-archetype/pull/28
> > > > > > >
> > > > > > > --
> > > > > > > Elliotte Rusty Harold
> > > > > > > [email protected]
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: [email protected]
> > > > > > > For additional commands, e-mail: [email protected]
> > > > >
> > > > > --
> > > > > Elliotte Rusty Harold
> > > > > [email protected]
> > >
> > > --
> > > Elliotte Rusty Harold
> > > [email protected]
