+1 side note: we should pby link this to the user thread, can try to find it back later this week if needed
Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com> 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <jonathan.gallim...@gmail.com> : > Just to make sure I understand - (3) would be your preference, but if > that's difficult you'd live with (1) if it came to it, with (2) being your > least favorite. > > We should only need to pick one - I can confirm that option (1) on its own > works, as does option (2) on its own. I'm definitely happy to have a crack > at option (3) and present a PR for each and let the community decide which > it likes the best. > > Thanks for your input, I appreciate it. > > Jon > > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <rmannibu...@gmail.com > > > wrote: > > > yep, 3, 1, 2 for the complete order (a mix of compatibility and > > influence/asf consistence). > > > > > > Romain Manni-Bucau > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > <https://blog-rmannibucau.rhcloud.com> | Old Blog > > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > > rmannibucau> | > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > > <https://javaeefactory-rmannibucau.rhcloud.com> > > > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore < > > jonathan.gallim...@gmail.com> > > : > > > > > Uh, yeah, I think I misunderstood. I think we agree that the code I > > > attached should work out of the box, requiring no changes to TomEE. > That > > > leaves us with a few options: > > > > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the > > > dependency for Xalan -> trivial change, but adds 3MB to our binaries. > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a > > > CDDL/GPL > > > + CP exception licence. Does not require Xalan -> easy change to make > and > > > appears to work (I believe the license is ok for us to use it). Not > sure > > if > > > there are other restrictions or issues with us using that. > > > 3. Patch the Tomcat taglibs libraries to use the XPath support built > into > > > the JVM as opposed to Xalan. I did have a look at this yesterday, and > it > > > didn't look like a straightforward change at the time. I'm happy to > look > > at > > > it again though if we feel that's the way forward. > > > > > > I think you're stating a preference for (3) - is that correct? > > > > > > Cheers > > > > > > Jon > > > > > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau < > > rmannibu...@gmail.com > > > > > > > wrote: > > > > > > > Hmm, shout if wrong but think you misunderstood the "optional" in my > > > > sentence. I meant we patch trunk to remove the adherence to xalan. > > > > > > > > > > > > Romain Manni-Bucau > > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog > > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > > > > rmannibucau> | > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory > > > > <https://javaeefactory-rmannibucau.rhcloud.com> > > > > > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore < > > > > jonathan.gallim...@gmail.com> > > > > : > > > > > > > > > Thanks Romain. That is definitely the simplest path - xalan is > > already > > > > > marked as an optional dependency, so we wouldn't need to do > anything. > > > > From > > > > > a compliance perspective, where would this leave us? Wouldn't we > need > > > > this > > > > > to work out of the box without adding libraries to be compliant? If > > it > > > > > doesn't affect us in that respect, then I think we're probably good > > to > > > > go. > > > > > > > > > > Jon > > > > > > > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau < > > > > rmannibu...@gmail.com > > > > > > > > > > > wrote: > > > > > > > > > > > Hi Jon > > > > > > > > > > > > there is another thread on it (probably on user@) > > > > > > > > > > > > I think we should just make xalan optional in the lib and > upgrade. > > > > > > > > > > > > > > > > > > Romain Manni-Bucau > > > > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > > > <https://blog-rmannibucau.rhcloud.com> | Old Blog > > > > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > > > > > > rmannibucau> | > > > > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE > > Factory > > > > > > <https://javaeefactory-rmannibucau.rhcloud.com> > > > > > > > > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore < > > > > > > jonathan.gallim...@gmail.com> > > > > > > : > > > > > > > > > > > > > Correction - that should be: "CDDL or GPL with classpath > > > exception". > > > > > > > > > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore < > > > > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > > > > > > > Great question. CDDL _or_ GPL, by the look of it. > > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - > same > > as > > > > > JAXB > > > > > > I > > > > > > > > believe. > > > > > > > > > > > > > > > > Jon > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro < > > > > > > > > jlmonte...@tomitribe.com> wrote: > > > > > > > > > > > > > > > >> What is the licence for GlassFish one? > > > > > > > >> > > > > > > > >> Le 31 août 2017 12:38, "Jonathan Gallimore" < > > > > > > > jonathan.gallim...@gmail.com > > > > > > > >> > > > > > > > > >> a écrit : > > > > > > > >> > > > > > > > >> > Hi > > > > > > > >> > > > > > > > > >> > On master we shifted from openejb-jstl to > > > > > taglibs-standard-jstlel. I > > > > > > > >> have > > > > > > > >> > done the same on the 1.7.x branch, specifically to move on > > > from > > > > > the > > > > > > > old > > > > > > > >> > openejb-jstl (looking at > > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The > > > > > > > >> > taglibs-standard-jstlel > > > > > > > >> > library does seem to depend on xalan, which we currently > do > > > not > > > > > > > include > > > > > > > >> in > > > > > > > >> > TomEE. > > > > > > > >> > > > > > > > > >> > The impact is that some XML functions in JSP code does not > > > work, > > > > > for > > > > > > > >> > example: > > > > > > > >> > > > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml"; > %> > > > > > > > >> > > > > > > > > >> > <x:parse var="movies"> > > > > > > > >> > <movies> > > > > > > > >> > <movie id="1" name="Wedding Crashers" > director="David > > > > > Dobkin" > > > > > > > >> > genre="Comedy" rating="7" year="2005" /> > > > > > > > >> > <movie id="2" name="Starsky & Hutch" > > director="Todd > > > > > > > Phillips" > > > > > > > >> > genre="Action" rating="6" year="2004" /> > > > > > > > >> > <movie id="3" name="Shanghai Knights" > director="David > > > > > Dobkin" > > > > > > > >> > genre="Action" rating="6" year="2003" /> > > > > > > > >> > <movie id="4" name="I-Spy" director="Betty Thomas" > > > > > > > >> genre="Adventure" > > > > > > > >> > rating="5" year="2002" /> > > > > > > > >> > <movie id="5" name="The Royal Tenenbaums" > > director="Wes > > > > > > > Anderson" > > > > > > > >> > genre="Comedy" rating="8" year="2001" /> > > > > > > > >> > <movie id="6" name="Zoolander" director="Ben > Stiller" > > > > > > > >> genre="Comedy" > > > > > > > >> > rating="6" year="2001" /> > > > > > > > >> > <movie id="7" name="Shanghai Noon" director="Tom > Dey" > > > > > > > >> genre="Comedy" > > > > > > > >> > rating="7" year="2000" /> > > > > > > > >> > </movies> > > > > > > > >> > </x:parse> > > > > > > > >> > > > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1' > > ]/@genre" > > > > > /><br > > > > > > > /> > > > > > > > >> > > > > > > > > >> > fails with java.lang.NoClassDefFoundError: > > > > org/apache/xpath/XPath > > > > > > > >> (this on > > > > > > > >> > both 1.7.x and master) > > > > > > > >> > > > > > > > > >> > Including Xalan does fix this, but its a 3MB dependency. > > > > > > > >> > > > > > > > > >> > The alternative is to use org.glassfish.web:javax. > > > > > servlet.jsp.jstl > > > > > > > >> > instead, > > > > > > > >> > which I have tested and seems to work. Anyone have any > > > thoughts? > > > > > > > >> > > > > > > > > >> > Jon > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
