So seems there are two points to refine: 1. Is the http change *without as such toggle* a security fix (3.6) or feature (3.7 or 3.8) 2. Do we fully reject semver and use 2 digit versioning (seems it is what we often do).
On 1 im clearly for the security fix. On 2 i dont care but we should explicit it for users to let them write relevant versioning policies (use 3.N vs use 3.6.N for ex). Trust me, it costs a lot for nothing to integrators/users and long term projects. Le dim. 28 mars 2021 à 16:39, Markus KARG <[email protected]> a écrit : > Nonsense. It is common sense that most criminal acts are spawned from > within the local network, due to social engineering. > -Markus > > > -----Ursprüngliche Nachricht----- > Von: Som Lima [mailto:[email protected]] > Gesendet: Sonntag, 28. März 2021 15:06 > An: Maven Developers List > Betreff: Re: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > > > BTW there should be an option to still use unsecure http as many people > run http in their LANs. > > I could be wrong but I think the intranet is a tightly coupled comm system > therefore it is secure by design. > > > > On Sun, 28 Mar 2021, 13:31 Markus KARG, <[email protected]> wrote: > > > We should not do any tricks or unexpected behavior but just stick with > > SemVer. > > If there is a need for a security fix, it has to be 3.6.4 and BTW there > > should be an option to still use unsecure http as many people run http in > > their LANs. > > If it contains backwards-compatible features, it has to be 3.7.0. > > If it breaks backwards-compatibility, it has to be 4.0.0. > > In no case it can be 3.8.0. > > If mvnw was proposed for 3.7 but is not here now, then we either have to > > wait with 3.7.0, or we have to tell people that we move mvnw to 3.8 or > 4.0. > > I do not see a need for any discussion at all, as SemVer is pretty clear > > about the sole correct answer. > > -Markus > > > > -----Ursprüngliche Nachricht----- > > Von: Romain Manni-Bucau [mailto:[email protected]] > > Gesendet: Sonntag, 28. März 2021 11:47 > > An: Maven Developers List > > Betreff: [DISCUSS] Next release version: 3.6.4, 3.7.0, 3.8.0 or other > > > > Hi all, > > > > Before we reroll the failed 3.8.0 I'd like we discuss openly the next > > versioning since it seems we didn't reach a consensus yet and trying to > not > > create too much friction for users and in the community. > > > > As a reminder the only feature the release will get is to prevent HTTP > repo > > (in favor of HTTPS ones). In that regard it is a breaking change if users > > rely on HTTP repo but a security fix (I don't come back on the HTTP -> > > HTTPS move IT ecosystem got recently here). > > > > So it seems there are multiple versioning options: > > > > 1. 3.6.4: seems natural since it is a security fix, enables companies to > > get this fix respecting a project versioning policy without having to > > upgrade and avoids us to have to maintain 3.6 + 3.7/3.8 and soon 4.x. > > Indeed it requires a very well documented paragraph about this change and > > how to workaround it (local proxy/mirror is a trivial one for example) > but > > it will be the case whatever version we pick anyway IMHO. > > 2. 3.7.0: since it is a breaking change it can seem natural too (but has > > the pitfall to likely require a backport in 3.6 anyway, due to the > > versioning policies which can prevent some users to upgrade to a 3.7) > > 3. 3.8.0: was the vote, seems the rational was that originally we > > targetting mvnw in 3.7 and since we didn't make it 3.8 was used. Have to > > admit I'm not sure of this reasoning more than that (cause for me if we > > don't have a planned feature we can either try to push/wait for it or > > postpone it but not skip a version due to that) so if anyone wants to > > complete the reasoning here it would be great. > > > > Indeed my preference is for 3.6.4 which has the most advantages for > > everyone and no additional drawbacks compared to 3.7 or 3.8 options until > > we try to push to get mvnw in which would mean 3.7 becomes more natural > > (and likely imply a 3.6.x maintenance version). > > > > Goal of this thread is to feel the overall trend and see if we can refine > > the proposals (for example: can we drop 3.8 one and only keep 3.7 and 3.6 > > or - best - can we refine it to a single version after some exchanges). > > If we keep a few proposals after some days, what about a vote where the > > majority wins - we would just need to define how we count, > > bindings/committers/all (my preference being last one indeed)? > > > > Romain Manni-Bucau > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > <https://rmannibucau.metawerx.net/> | Old Blog > > <http://rmannibucau.wordpress.com> | Github < > > https://github.com/rmannibucau> | > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > < > > > https://www.packtpub.com/application-development/java-ee-8-high-performance > > > > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
