Given no other comments came in, I will create the git repository as already 'deprecated' and we'll figure out the release process changes, if needed, at the time of the potential release.

I kicked off a `git svn clone` for commons.json since we don't have it mirrored as part of https://github.com/apache/sling-old-svn-mirror/tree/trunk . I hope it will finish today.

Thanks,
Robert

On Thu, 2024-02-29 at 13:12 +0100, Robert Munteanu wrote:
> On Wed, 2024-02-28 at 11:22 +0100, Carsten Ziegeler wrote:
> > Can we do this without creating a new git repo? Creating a separate new
> > repo gives a different message than what we intend it to be.
> >
> > It would be great if we could do this directly in SVN :)
>
> I think that would be pretty complex; the SVN repo is read-only and we
> haven't done a release from SVN for years - not sure if the plug-in /
> SVN versions we used back then still work with the current Maven
> versions.
>
> I also am not very concerned about people misinterpreting Sling git repo
> number 347 :-) But if we want to be extra careful, we could create it
> and immediately deprecate it [1]. Any potential contributions would
> land in the 'maintenance' branch and any potential releases would be
> created from the same place.
>
> Robert
>
> [1]: https://sling.apache.org/documentation/development/deprecating-sling-modules.html
>
> >
> > Regards
> > Carsten
> >
> > On 28.02.2024 10:52, Robert Munteanu wrote:
> > > Hi Jörg
> > >
> > > On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > > > Hi Robert,
> > > >
> > > > makes sense.
> > > >
> > > > To clarify: We just provide this final version of commons.json as a
> > > > convenience for all users who are still depending on commons.json; but
> > > > there is no intention to continue development of commons.json or to
> > > > re-introduce this dependency again into other areas of Sling.
> > >
> > > There is no intention to use this again in any other modules, add it to
> > > the Starter, etc. We will keep the code deprecated. At the same time,
> > > we may choose to apply fixes for the reported CVEs, if those are
> > > already available upstream, and cut a new release.
> > >
> > > Thanks,
> > > Robert
> > >
> > > >
> > > > Correct?
> > > >
> > > > Jörg
> > > >
> > > >
> > > > On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <
> > > > romb...@apache.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > A long time ago we retired the commons.json module for legal reasons
> > > > > [1], leaving it only in the SVN attic [2].
> > > > >
> > > > > After some time a CVE was reported against this module [3] which we
> > > > > could not fix as we could not release new versions.
> > > > >
> > > > > In the meantime, the JSON library we have been using has changed its
> > > > > license to 'Public domain', which makes it acceptable for use at the
> > > > > ASF. [4]
> > > > >
> > > > > I would like to create a GitHub repository for this module and include
> > > > > the current state from the attic. This opens up the way for creating a
> > > > > final service release, allowing consumers of this bundle that have not
> > > > > cleaned up their usages to use non-vulnerable versions.
> > > > >
> > > > > I will leave this thread open for comments for 72 hours.
> > > > >
> > > > > Thanks,
> > > > > Robert
> > > > >
> > > > >
> > > > > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > > > [4]: https://issues.apache.org/jira/browse/LEGAL-666