I'm +1. This feels like a reasonable approach to get the release going sooner rather than later, without a breaking change from 7.0.3. I am also in favour of coming back to this soon after release to try to use the functionality in the JDK.

Jon

On Thu, Sep 14, 2017 at 8:31 PM, Andy Gumbrecht <[email protected]> wrote:

> Yes, it's just xalan-2.7.2, and this solution seems to be/is painless regarding the build and TCK. The Apache Standard Taglib requires it, along with serializer-2.7.2. What makes adding this a breaking issue, Mark? If it helps get a release out now to resolve a known CVE then it's +1 from me (hmm, that rhymes). Once it is out then we can spend several weeks working on a better solution.
>
> Andy.
>
> On 14/09/17 21:00, Jonathan Gallimore wrote:
>
>> I believe it's only xalan required, and not xerces as well.
>>
>> What's the rationale for the -1?
>>
>> We'd like to release 7.0.4, and the community appears to want a release based on feedback we have seen on the users list.
>>
>> Changing the jstlel library appears to be not-entirely-trivial (unless someone better than me wants to give some pointers). I'd like to try it, but I don't want it to drag on for ages and hold up a release.
>>
>> We already established earlier in this thread that we'd like this to work out of the box without requiring the user to add anything.
>>
>> So, how do we want to proceed? The other option appears to be picking up an updated version of the glassfish library we had before.
>>
>> Jon
>>
>> On 14 Sep 2017 13:26, "Mark Struberg" <[email protected]> wrote:
>>
>>> +1 to NOT have a hard xalan and xerces dependency.
>>> Usually we don't need it but use the version which is packaged within the JRE.
>>> It should really remain optional, pretty please.
>>>
>>> LieGrue,
>>> strub
>>>
>>>> On 31.08.2017 at 16:25, Romain Manni-Bucau <[email protected]> wrote:
>>>>
>>>> Hmm, shout if wrong, but I think you misunderstood the "optional" in my sentence. I meant we patch trunk to remove the adherence to xalan.
>>>>
>>>> Romain Manni-Bucau
>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>>>>
>>>> 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <[email protected]>:
>>>>
>>>>> Thanks Romain. That is definitely the simplest path - xalan is already marked as an optional dependency, so we wouldn't need to do anything. From a compliance perspective, where would this leave us? Wouldn't we need this to work out of the box without adding libraries to be compliant? If it doesn't affect us in that respect, then I think we're probably good to go.
>>>>>
>>>>> Jon
>>>>>
>>>>> On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <[email protected]> wrote:
>>>>>
>>>>>> Hi Jon
>>>>>>
>>>>>> there is another thread on it (probably on user@)
>>>>>>
>>>>>> I think we should just make xalan optional in the lib and upgrade.
>>>>>>
>>>>>> Romain Manni-Bucau
>>>>>> @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://blog-rmannibucau.rhcloud.com> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory <https://javaeefactory-rmannibucau.rhcloud.com>
>>>>>>
>>>>>> 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <[email protected]>:
>>>>>>
>>>>>>> Correction - that should be: "CDDL or GPL with classpath exception".
>>>>>>>
>>>>>>> On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <[email protected]> wrote:
>>>>>>>
>>>>>>>> Great question. CDDL _or_ GPL, by the look of it.
>>>>>>>> https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB, I believe.
>>>>>>>>
>>>>>>>> Jon
>>>>>>>>
>>>>>>>> On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> What is the licence for the GlassFish one?
>>>>>>>>>
>>>>>>>>> On 31 Aug 2017 12:38, "Jonathan Gallimore" <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have done the same on the 1.7.x branch, specifically to move on from the old openejb-jstl (looking at https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The taglibs-standard-jstlel library does seem to depend on xalan, which we currently do not include in TomEE.
>>>>>>>>>>
>>>>>>>>>> The impact is that some XML functions in JSP code do not work, for example:
>>>>>>>>>>
>>>>>>>>>> <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>>>>>>>>>>
>>>>>>>>>> <x:parse var="movies">
>>>>>>>>>>   <movies>
>>>>>>>>>>     <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
>>>>>>>>>>     <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
>>>>>>>>>>     <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
>>>>>>>>>>     <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
>>>>>>>>>>     <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
>>>>>>>>>>     <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
>>>>>>>>>>     <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
>>>>>>>>>>   </movies>
>>>>>>>>>> </x:parse>
>>>>>>>>>>
>>>>>>>>>> Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
>>>>>>>>>>
>>>>>>>>>> fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on both 1.7.x and master)
>>>>>>>>>>
>>>>>>>>>> Including Xalan does fix this, but it's a 3MB dependency.
>>>>>>>>>>
>>>>>>>>>> The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl instead, which I have tested and seems to work. Anyone have any thoughts?
>>>>>>>>>>
>>>>>>>>>> Jon
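As an added example that is not part of this thread and not TomEE or Apache Standard Taglib code: the XPath lookup from Jon's JSP, evaluated with the JAXP XPath API that ships in the JDK (javax.xml.xpath, backed by the JDK's internal copy of the Xalan XPath engine), so it runs with no standalone xalan jar on the classpath. Because the thread is motivated by CVE-2015-0254 in the JSTL XML tags, the parser is also configured to refuse DOCTYPE declarations and external entities. The movies document is the one from the thread, embedded here as a constructed string; the class and method names (JdkXPathExample, select, xalanOnClasspath) are mine.

```java
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Added example: the same XPath lookup the JSP in the thread performs, using only JDK classes. */
public class JdkXPathExample {

    // Constructed sample input: a subset of the movies document posted in the thread.
    static final String MOVIES =
        "<movies>"
      + "<movie id=\"1\" name=\"Wedding Crashers\" director=\"David Dobkin\" genre=\"Comedy\" rating=\"7\" year=\"2005\"/>"
      + "<movie id=\"2\" name=\"Starsky &amp; Hutch\" director=\"Todd Phillips\" genre=\"Action\" rating=\"6\" year=\"2004\"/>"
      + "<movie id=\"3\" name=\"Shanghai Knights\" director=\"David Dobkin\" genre=\"Action\" rating=\"6\" year=\"2003\"/>"
      + "</movies>";

    /** Builds a DOM parser that refuses DTDs and external entities (the XXE class of bug behind the JSTL CVE). */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses the XML with the hardened builder and evaluates an XPath expression to a string. */
    static String select(String xml, String expression) throws Exception {
        Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xpath = XPathFactory.newInstance().newXPath();
        return (String) xpath.evaluate(expression, doc, XPathConstants.STRING);
    }

    /** True only if the standalone Xalan jar is on the classpath; select() works either way. */
    static boolean xalanOnClasspath() {
        try {
            Class.forName("org.apache.xpath.XPath");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Same expression as the JSP's x:out, minus the JSTL variable: the parsed document is the context node.
        System.out.println("Movie 1 Genre: " + select(MOVIES, "//movie[@id='1']/@genre"));
        System.out.println("Standalone Xalan on classpath: " + xalanOnClasspath());

        // A document carrying a DOCTYPE (the XXE vector) is rejected before any entity is resolved.
        String withDoctype =
            "<!DOCTYPE movies [<!ENTITY e SYSTEM \"file:///etc/hostname\">]><movies>&e;</movies>";
        try {
            select(withDoctype, "string(/movies)");
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

Run with plain `java JdkXPathExample.java` (JDK 11+) and no extra jars: the genre lookup prints "Comedy" while the Xalan check prints false, which is the point Mark and Romain make about relying on the XPath implementation packaged with the JRE. The hardened builder is what a TomEE deployment would want regardless of which JSTL implementation ends up bundled, since `<x:parse>` accepts attacker-influenced XML by design.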
