Just to make sure I understand - (3) would be your preference, but if that's difficult you'd live with (1) if it came to it, with (2) being your least favorite.
We should only need to pick one - I can confirm that option (1) on its own works, as does option (2) on its own. I'm definitely happy to have a crack at option (3) and present a PR for each and let the community decide which it likes the best.

Thanks for your input, I appreciate it.

Jon

On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <[email protected]> wrote:

> yep, 3, 1, 2 for the complete order (a mix of compatibility and
> influence/asf consistency).
>
> Romain Manni-Bucau
> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>
> 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <[email protected]>:
>
> > Uh, yeah, I think I misunderstood. I think we agree that the code I
> > attached should work out of the box, requiring no changes to TomEE. That
> > leaves us with a few options:
> >
> > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
> >    dependency for Xalan -> trivial change, but adds 3MB to our binaries.
> > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a
> >    CDDL/GPL + CP exception licence. Does not require Xalan -> easy change
> >    to make and appears to work (I believe the license is ok for us to use
> >    it). Not sure if there are other restrictions or issues with us using
> >    that.
> > 3. Patch the Tomcat taglibs libraries to use the XPath support built into
> >    the JVM as opposed to Xalan. I did have a look at this yesterday, and
> >    it didn't look like a straightforward change at the time. I'm happy to
> >    look at it again though if we feel that's the way forward.
> >
> > I think you're stating a preference for (3) - is that correct?
> >
> > Cheers
> >
> > Jon
> >
> > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <[email protected]> wrote:
> >
> > > Hmm, shout if wrong but think you misunderstood the "optional" in my
> > > sentence. I meant we patch trunk to remove the adherence to xalan.
> > >
> > > Romain Manni-Bucau
> > >
> > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[email protected]>:
> > >
> > > > Thanks Romain. That is definitely the simplest path - xalan is already
> > > > marked as an optional dependency, so we wouldn't need to do anything.
> > > > From a compliance perspective, where would this leave us? Wouldn't we
> > > > need this to work out of the box without adding libraries to be
> > > > compliant? If it doesn't affect us in that respect, then I think we're
> > > > probably good to go.
> > > >
> > > > Jon
> > > >
> > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[email protected]> wrote:
> > > >
> > > > > Hi Jon
> > > > >
> > > > > there is another thread on it (probably on user@)
> > > > >
> > > > > I think we should just make xalan optional in the lib and upgrade.
> > > > >
> > > > > Romain Manni-Bucau
> > > > >
> > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <[email protected]>:
> > > > >
> > > > > > Correction - that should be: "CDDL or GPL with classpath exception".
> > > > > >
> > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <[email protected]> wrote:
> > > > > >
> > > > > > > Great question. CDDL _or_ GPL, by the look of it.
> > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as
> > > > > > > JAXB I believe.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <[email protected]> wrote:
> > > > > > >
> > > > > > > > What is the licence for GlassFish one?
> > > > > > > >
> > > > > > > > On 31 August 2017 12:38, "Jonathan Gallimore" <[email protected]> wrote:
> > > > > > > >
> > > > > > > > > Hi
> > > > > > > > >
> > > > > > > > > On master we shifted from openejb-jstl to taglibs-standard-jstlel.
> > > > > > > > > I have done the same on the 1.7.x branch, specifically to move on
> > > > > > > > > from the old openejb-jstl (looking at
> > > > > > > > > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
> > > > > > > > > taglibs-standard-jstlel library does seem to depend on xalan,
> > > > > > > > > which we currently do not include in TomEE.
> > > > > > > > >
> > > > > > > > > The impact is that some XML functions in JSP code do not work,
> > > > > > > > > for example:
> > > > > > > > >
> > > > > > > > > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
> > > > > > > > >
> > > > > > > > > <x:parse var="movies">
> > > > > > > > >   <movies>
> > > > > > > > >     <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
> > > > > > > > >     <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
> > > > > > > > >     <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
> > > > > > > > >     <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
> > > > > > > > >     <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
> > > > > > > > >     <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
> > > > > > > > >     <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
> > > > > > > > >   </movies>
> > > > > > > > > </x:parse>
> > > > > > > > >
> > > > > > > > > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
> > > > > > > > >
> > > > > > > > > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath
> > > > > > > > > (this on both 1.7.x and master)
> > > > > > > > >
> > > > > > > > > Including Xalan does fix this, but it's a 3MB dependency.
> > > > > > > > >
> > > > > > > > > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
> > > > > > > > > instead, which I have tested and seems to work. Anyone have any
> > > > > > > > > thoughts?
> > > > > > > > >
> > > > > > > > > Jon
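
Added example, not part of the thread and not TomEE or Tomcat taglibs code: the XPath lookup from the JSP above done with the javax.xml.xpath API that ships in the JDK, the API option (3) refers to, so it runs without Xalan on the classpath. The class name and the shortened movie data are constructed; the parsed document is passed as the context node in place of the JSP's $movies variable, and the parser is set to refuse DOCTYPE declarations.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class JdkXPathDemo {
    // Constructed sample input, shortened from the JSP in the thread.
    static final String MOVIES =
        "<movies>"
      + "<movie id=\"1\" name=\"Wedding Crashers\" genre=\"Comedy\" year=\"2005\"/>"
      + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" genre=\"Action\" year=\"2004\"/>"
      + "</movies>";

    // Parse with the JDK's own parser, refusing DOCTYPE declarations and XInclude.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Evaluate an XPath 1.0 expression with javax.xml.xpath; doc is the context node.
    static String select(Document doc, String expr) throws Exception {
        XPathFactory xpf = XPathFactory.newInstance();
        xpf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return xpf.newXPath().evaluate(expr, doc);
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(MOVIES);
        // Same selection as <x:out select="$movies//movie[@id='1']/@genre" />
        System.out.println("Movie 1 Genre: " + select(doc, "//movie[@id='1']/@genre"));

        // Constructed input with a DOCTYPE: the hardened parser rejects it outright.
        String withDoctype = "<!DOCTYPE movies [<!ENTITY e \"x\">]><movies>&e;</movies>";
        try {
            parse(withDoctype);
            System.out.println("DOCTYPE accepted");
        } catch (SAXException ex) {
            System.out.println("DOCTYPE rejected");
        }
    }
}
```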
