On Wed, 2024-02-28 at 11:22 +0100, Carsten Ziegeler wrote:
> Can we do this without creating a new git repo? Creating a separate
> new repo gives a different message than what we intend it to be.
> 
> It would be great if we could do this directly in SVN :)

I think that would be pretty complex; the SVN repo is read-only and we
haven't done a release from SVN for years - not sure if the plug-in /
SVN versions we used back then still work with the current Maven
versions.

I also am not very concerned about people misinterpreting Sling git repo
number 347 :-) But if we want to be extra careful, we could create it
and immediately deprecate it [1]. Any potential contributions would
land in the 'maintenance' branch and any potential releases would be
created from the same place.

Robert

[1]:
https://sling.apache.org/documentation/development/deprecating-sling-modules.html

> 
> Regards
> Carsten
> 
> On 28.02.2024 10:52, Robert Munteanu wrote:
> > Hi Jörg
> > 
> > On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > > Hi Robert,
> > > 
> > > makes sense.
> > > 
> > > To clarify: We just provide this final version of commons.json as a
> > > convenience for all users who are still depending on commons.json; but
> > > there is no intention to continue development of commons.json or to
> > > re-introduce this dependency again into other areas of Sling.
> > 
> > 
> > There is no intention to use this again in any other modules, add it to
> > the Starter, etc. We will keep the code deprecated. At the same time,
> > we may choose to apply fixes for the reported CVEs, if those are
> > already available upstream, and cut a new release.
> > 
> > Thanks,
> > Robert
> > 
> > > 
> > > Correct?
> > > 
> > > Jörg
> > > 
> > > 
> > > Am Mo., 26. Feb. 2024 um 16:30 Uhr schrieb Robert Munteanu <romb...@apache.org>:
> > > 
> > > > Hi,
> > > > 
> > > > A long time ago we retired the commons.json module for legal reasons
> > > > [1], leaving it only in the SVN attic [2].
> > > > 
> > > > After some time a CVE was reported against this module [3] which we
> > > > could not fix as we could not release new versions.
> > > > 
> > > > In the meantime, the JSON library we have been using has changed its
> > > > license to 'Public domain', which makes it acceptable for use at the
> > > > ASF. [4]
> > > > 
> > > > I would like to create a GitHub repository for this module and include
> > > > the current state from the attic. This opens up the way for creating a
> > > > final service release, allowing consumers of this bundle that have not
> > > > cleaned up their usages to use non-vulnerable versions.
> > > > 
> > > > I will leave this thread open for comments for 72 hours.
> > > > 
> > > > Thanks,
> > > > Robert
> > > > 
> > > > 
> > > > [1]:
> > > > https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > > [4]: https://issues.apache.org/jira/browse/LEGAL-666
> > > > 
> > > 
> > > 
> > 
> 