I trust you Jon that it was broken in 7.0.4, but it is not OK to keep it. This particular dep can just be drop (so easy fix).
The java-support issue is more impacting and was completely missed in last release cycles (guess we dont test saml?) Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance> Le lun. 9 juil. 2018 à 11:35, Jonathan Gallimore < jonathan.gallim...@gmail.com> a écrit : > I will note that I am of course happy to either: > > a) track down why that is now included, and remove it if appropriate > b) modify the license/notice files as appropriate > > and re-roll. > > A note on dependencies - there a is legal report in the original post which > should contain all the details for review. The following dependencies have > been upgraded since 7.0.4: > > Tomcat => 8.5.30 > CXF => 3.1.15 > Johnzon => 1.0.1 > OWB => 1.7.5 > XBean => 4.9 > XmlSchema core => 2.2.3 > > No other libraries have changed, but I do suggest you verify for yourself > (I have the zips for both 7.0.4 and 7.0.5 in a diff viewer here). > > Jon > > On Mon, Jul 9, 2018 at 10:27 AM, Jonathan Gallimore < > jonathan.gallim...@gmail.com> wrote: > > > That library was also present in 7.0.4 Plus. > > > > Jon > > > > On Mon, Jul 9, 2018 at 10:01 AM, Romain Manni-Bucau < > rmannibu...@gmail.com > > > wrote: > > > >> Hi, > >> > >> It seems we bundle javax.xml.soap-api-1.3.5.jar now in plus flavor > (guess > >> it is a "leak" due to some dep upgrade), its license is CDDL+GPL1.1. I > >> didn't see the notice/license work done. Was it intended or as I'm > >> thinking > >> a silent transitive issue? > >> > >> Romain Manni-Bucau > >> @rmannibucau <https://twitter.com/rmannibucau> | Blog > >> <https://rmannibucau.metawerx.net/> | Old Blog > >> <http://rmannibucau.wordpress.com> | Github < > >> https://github.com/rmannibucau> | > >> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > >> <https://www.packtpub.com/application-development/java-ee-8- > >> high-performance> > >> > >> > >> Le lun. 9 juil. 2018 à 10:55, Jean-Louis Monteiro < > >> jlmonte...@tomitribe.com> > >> a écrit : > >> > >> > +1 > >> > > >> > Build ok > >> > Small demo and test applications running. > >> > > >> > -- > >> > Jean-Louis Monteiro > >> > http://twitter.com/jlouismonteiro > >> > http://www.tomitribe.com > >> > > >> > On Mon, Jul 9, 2018 at 9:57 AM, Alex The Rocker <alex.m3...@gmail.com > > > >> > wrote: > >> > > >> > > Hello, > >> > > > >> > > +1 (non binding) > >> > > > >> > > Used this 7.0.5 release candidate to deploy 15+ different web apps > >> > > (including one on Windows, all others on Linux) using very different > >> > > aspects of Java EE. > >> > > All running with ORACLE Server JRE 8 update 172. > >> > > And got no regression as far as we're checking tests results. > >> > > > >> > > But if there's another 7.0.5 build + vote cycle, then upgrading > Tomcat > >> > > dependency to Tomcat 8.5.32 (instead of Tomcat 8.5.30 part of this > >> > > vote cycle) would be nice to include this security fix: > >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014 > >> > > > >> > > Kind regards, > >> > > Alexandre > >> > > > >> > > > >> > > 2018-07-04 10:33 GMT+02:00 Jonathan Gallimore < > >> > > jonathan.gallim...@gmail.com>: > >> > > > Hi Everyone, > >> > > > > >> > > > Here is the initial roll of TomEE 7.0.5. Please can you take a > look > >> and > >> > > > vote? Everyone, committer or not, is encouraged to test and vote. > >> > > > > >> > > > Staging repo: > >> > > > https://repository.apache.org/content/repositories/orgapache > >> tomee-1113 > >> > > > > >> > > > Source zip: > >> > > > /org/apache/tomee/tomee-project/7.0.5/tomee-project-7. > >> > > 0.5-source-release.zip > >> > > > <https://repository.apache.org/service/local/ > >> > > repositories/orgapachetomee-1113/content/org/apache/tomee/ > >> > > tomee-project/7.0.5/tomee-project-7.0.5-source-release.zip> > >> > > > > >> > > > Dist area: > >> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/ > >> > > > > >> > > > Legal: > >> > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/legal.zip > >> > > > > >> > > > Keys: > >> > > > https://dist.apache.org/repos/dist/release/tomee/KEYS > >> > > > > >> > > > Changelog: > >> > > > https://issues.apache.org/jira/browse/TOMEE-2175?jql= > >> > > > project%20%3D%20TOMEE%20AND%20(status%20%3D%20Resolved% > >> > > > 20OR%20status%20%3D%20CLOSED)%20AND%20fixVersion%20%3D%207. > >> > > > 0.5%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC > >> > > > > >> > > > (If anyone knows a better way to get that list, let me know ;-) ) > >> > > > > >> > > > Please vote: > >> > > > +1: Release > >> > > > -1 Do not release because ... > >> > > > > >> > > > The vote will be open for 3 days or the consensus is binding (At > >> least > >> > 3 > >> > > > binding votes). > >> > > > > >> > > > Many thanks > >> > > > > >> > > > Jon > >> > > > >> > > >> > > > > >
