Nonsense. It is common sense that most criminal acts are spawned from within the local network, due to social engineering. -Markus
-----Ursprüngliche Nachricht----- Von: Som Lima [mailto:[email protected]] Gesendet: Sonntag, 28. März 2021 15:06 An: Maven Developers List Betreff: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > BTW there should be an option to still use unsecure http as many people run http in their LANs. I could be wrong but I think the intranet is a tightly coupled comm system therefore it is secure by design. On Sun, 28 Mar 2021, 13:31 Markus KARG, <[email protected]> wrote: > We should not do any tricks or unexpected behavior but just stick with > SemVer. > If there is a need for a security fix, it has to be 3.6.4 and BTW there > should be an option to still use unsecure http as many people run http in > their LANs. > If it contains backwards-compatible features, it has to be 3.7.0. > If it breaks backwards-compatibility, it has to be 4.0.0. > In no case it can be 3.8.0. > If mvnw was proposed for 3.7 but is not here now, then we either have to > wait with 3.7.0, or we have to tell people that we move mvnw to 3.8 or 4.0. > I do not see a need for any discussion at all, as SemVer is pretty clear > about the sole correct answer. > -Markus > > -----Ursprüngliche Nachricht----- > Von: Romain Manni-Bucau [mailto:[email protected]] > Gesendet: Sonntag, 28. März 2021 11:47 > An: Maven Developers List > Betreff: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > > Hi all, > > Before we reroll the failed 3.8.0 I'd like we discuss openly the next > versioning since it seems we didn't reach a consensus yet and trying to not > create too much friction for users and in the community. > > As a reminder the only feature the release will get is to prevent HTTP repo > (in favor of HTTPS ones). In that regard it is a breaking change if users > rely on HTTP repo but a security fix (I don't come back on the HTTP -> > HTTPS move IT ecosystem got recently here). > > So it seems there are multiple versioning options: > > 1. 3.6.4: seems natural since it is a security fix, enables companies to > get this fix respecting a project versioning policy without having to > upgrade and avoids us to have to maintain 3.6 + 3.7/3.8 and soon 4.x. > Indeed it requires a very well documented paragraph about this change and > how to workaround it (local proxy/mirror is a trivial one for example) but > it will be the case whatever version we pick anyway IMHO. > 2. 3.7.0: since it is a breaking change it can seem natural too (but has > the pitfall to likely require a backport in 3.6 anyway, due to the > versioning policies which can prevent some users to upgrade to a 3.7) > 3. 3.8.0: was the vote, seems the rational was that originally we > targetting mvnw in 3.7 and since we didn't make it 3.8 was used. Have to > admit I'm not sure of this reasoning more than that (cause for me if we > don't have a planned feature we can either try to push/wait for it or > postpone it but not skip a version due to that) so if anyone wants to > complete the reasoning here it would be great. > > Indeed my preference is for 3.6.4 which has the most advantages for > everyone and no additional drawbacks compared to 3.7 or 3.8 options until > we try to push to get mvnw in which would mean 3.7 becomes more natural > (and likely imply a 3.6.x maintenance version). > > Goal of this thread is to feel the overall trend and see if we can refine > the proposals (for example: can we drop 3.8 one and only keep 3.7 and 3.6 > or - best - can we refine it to a single version after some exchanges). > If we keep a few proposals after some days, what about a vote where the > majority wins - we would just need to define how we count, > bindings/committers/all (my preference being last one indeed)? > > Romain Manni-Bucau > @rmannibucau <https://twitter.com/rmannibucau> | Blog > <https://rmannibucau.metawerx.net/> | Old Blog > <http://rmannibucau.wordpress.com> | Github < > https://github.com/rmannibucau> | > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > < > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
