Hello Graham,

I agree with Herve, who said in MSITE-837 that the goal "site:run" is
temporarily used by developers when they want to see the web content in a
browser. This goal should not be used in permanent deployment and of course
not in public or production, where security has to be the important
point. There are many very good web containers with good security guarantees
which can be installed even for public use, and I believe organizations
would not run a Maven goal only to publish web content in public,
so they would use Tomcat or Wildfly, for instance.

>> 9.2.9.v20150224 works with java7 - does that version also have secure
>> dependencies?

Not sure which artifact you mean. The version 9.2.9 has the artifact
"jetty-security" too, so perhaps this is the one expected.

MSITE-837 does not list details about the security patches.
I am not sure what criteria you guys have, perhaps TLS version or HTTPS or some
security issues, not sure exactly.

Is the security related to Java compiler version or Java runtime version?
Because if it is runtime then it's even easier and we can write a hint in
documentation to use JDK8+.

Cheers
Tibor17



On Thu, Jul 4, 2019 at 1:48 PM Graham Leggett <[email protected]> wrote:

> On 04 Jul 2019, at 13:12, Tibor Digana <[email protected]> wrote:
>
> Did you read the Jira and the commit in Git?
> It was written in the way to push Java 8 without any strong reason, sorry
> for that but it's truth.
>
>
> I’m not following.
>
> Jetty is a compile time dependency of the maven-site-plugin, I believe
> it’s used to make site:run work.
>
> [INFO] +- org.eclipse.jetty:jetty-server:jar:9.4.12.v20180830:compile
> [INFO] |  +- javax.servlet:javax.servlet-api:jar:3.1.0:compile
> [INFO] |  +- org.eclipse.jetty:jetty-http:jar:9.4.12.v20180830:compile
> [INFO] |  \- org.eclipse.jetty:jetty-io:jar:9.4.12.v20180830:compile
> [INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.12.v20180830:compile
> [INFO] |  \- org.eclipse.jetty:jetty-security:jar:9.4.12.v20180830:compile
> [INFO] +- org.eclipse.jetty:jetty-webapp:jar:9.4.12.v20180830:compile
> [INFO] |  \- org.eclipse.jetty:jetty-xml:jar:9.4.12.v20180830:compile
> [INFO] +- org.eclipse.jetty:jetty-util:jar:9.4.12.v20180830:compile
>
> Old versions of jetty pull in insecure dependencies (that’s the point of
> the ticket and patch, as I read it).
>
> The outstanding question is, what is the minimum java version supported by
> the oldest jetty that has fixed secure dependencies? You’ve confirmed Jetty
> 9.2.9.v20150224 works with java7 - does that version also have secure
> dependencies?
>
> I would like to see v9.2 first (after v6) in 3.8.1 and then wait for Maven
> 3.7.0 which will go most probably with J8. We can release Site 3.9.0 and
> use it in bindings in Maven 3.7.0. So we will have strictly segregated
> Maven and plugins before MVN 3.7 and embedded plugins for MVN 3.7+. If we
> move one plugin to J8 then move all but do it for MVN 3.7+.
>
>
> So would you say you’d prefer to delay fixing
> https://issues.apache.org/jira/browse/MSITE-829 until maven 3.7.0 is a
> thing?
>
> (I have no opinion at this point, if there are two maven-site-plugin
> releases, one with the fix deferred, and another with the fix, that seems
> reasonable to me).
>
> Regards,
> Graham
> —
>
>
