On 04 Jul 2019, at 13:12, Tibor Digana <[email protected]> wrote:
> Did you read the Jira and the commit in Git? > It was written in the way to push Java 8 without any strong reason, sorry > for that but it's truth. I’m not following. Jetty is a compile time dependency of the maven-site-plugin, I believe it’s used to make site:run work. [INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:compile [INFO] | +- javax.servlet:javax.servlet-api:jar:3.1.0:compile [INFO] | +- org.eclipse.jetty:jetty-http:jar:9.4.12.v20180830:compile [INFO] | \- org.eclipse.jetty:jetty-io:jar:9.4.12.v20180830:compile [INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.12.v20180830:compile [INFO] | \- org.eclipse.jetty:jetty-security:jar:9.4.12.v20180830:compile [INFO] +- org.eclipse.jetty:jetty-webapp:jar:9.4.12.v20180830:compile [INFO] | \- org.eclipse.jetty:jetty-xml:jar:9.4.12.v20180830:compile [INFO] +- org.eclipse.jetty:jetty-util:jar:9.4.12.v20180830:compile Old versions of jetty pull in insecure dependencies (that’s the point of the ticket and patch, as I read it). The outstanding question is, what is the minimum java version supported by the oldest jetty that has fixed secure dependencies? You’ve confirmed Jetty 9.2.9.v20150224 works with java7 - does that version also have secure dependencies? > I would like to see v9.2 first (after v6) in 3.8.1 and then wait for Maven > 3.7.0 which will go most probably with J8. We can release Site 3.9.0 and > use it in bindings in Maven 3.7.0. So we will have strictly segregated > Maven and plugins before MVN 3.7 and embedded plugins for MVN 3.7+. If we > move one plugin to J8 then move all but do it for MVN 3.7+. So would you say you’d prefer to delay fixing https://issues.apache.org/jira/browse/MSITE-829 until maven 3.7.0 is a thing? (I have no opinion at this point, if there are two maven-site-plugin releases, one with the fix deferred, and another with the fix, that seems reasonable to me). Regards, Graham —
smime.p7s
Description: S/MIME cryptographic signature
