I'll apply the change and get ready for the re-roll. I'll leave this open for a few hours in case anyone wants to get any other feedback in. Should have new binaries up for fresh vote tonight.
Thanks for the review Romain! Jon On Mon, Jul 9, 2018 at 10:49 AM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote: > Le lun. 9 juil. 2018 à 11:44, Jonathan Gallimore < > jonathan.gallim...@gmail.com> a écrit : > > > I'm happy to re-roll without that library. > > > > I don't know what the CXF/SAML issue is - I am happy to have a go at > fixing > > it if there is some detail somewhere (pointers appreciated). > > > > IIRC java-support.jar is used by cxf to impl saml support but depends on > guava and we dont want to provide it so we excluded it but then it can be > used :(. > > > > > > Is this a regression, or are we looking to improve something? > > > > Was reported against the 7.0.4 but 7.0.5 has the same issue. > > > > > > If my opinion counts for anything, I'd suggest we re-roll without > > the javax.xml.soap-api-1.3.5.jar dependency, as that should be > > straightforward, and I'll happily volunteer to be fix the CXF/SAML issue > > and roll a 7.0.6 to deliver it to the community when done (along with any > > other fixes). I'd like to see a speedup in our releases and am happy to > > work on getting us there. > > > > Works for me. Thanks a lot Jon. > > > > > > Jon > > > > > > On Mon, Jul 9, 2018 at 10:39 AM, Romain Manni-Bucau < > rmannibu...@gmail.com > > > > > wrote: > > > > > I trust you Jon that it was broken in 7.0.4, but it is not OK to keep > it. > > > This particular dep can just be drop (so easy fix). > > > > > > The java-support issue is more impacting and was completely missed in > > last > > > release cycles (guess we dont test saml?) > > > > > > Romain Manni-Bucau > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > <https://rmannibucau.metawerx.net/> | Old Blog > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/ > > > rmannibucau> | > > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > > <https://www.packtpub.com/application-development/java- > > > ee-8-high-performance> > > > > > > > > > Le lun. 9 juil. 2018 à 11:35, Jonathan Gallimore < > > > jonathan.gallim...@gmail.com> a écrit : > > > > > > > I will note that I am of course happy to either: > > > > > > > > a) track down why that is now included, and remove it if appropriate > > > > b) modify the license/notice files as appropriate > > > > > > > > and re-roll. > > > > > > > > A note on dependencies - there a is legal report in the original post > > > which > > > > should contain all the details for review. The following dependencies > > > have > > > > been upgraded since 7.0.4: > > > > > > > > Tomcat => 8.5.30 > > > > CXF => 3.1.15 > > > > Johnzon => 1.0.1 > > > > OWB => 1.7.5 > > > > XBean => 4.9 > > > > XmlSchema core => 2.2.3 > > > > > > > > No other libraries have changed, but I do suggest you verify for > > yourself > > > > (I have the zips for both 7.0.4 and 7.0.5 in a diff viewer here). > > > > > > > > Jon > > > > > > > > On Mon, Jul 9, 2018 at 10:27 AM, Jonathan Gallimore < > > > > jonathan.gallim...@gmail.com> wrote: > > > > > > > > > That library was also present in 7.0.4 Plus. > > > > > > > > > > Jon > > > > > > > > > > On Mon, Jul 9, 2018 at 10:01 AM, Romain Manni-Bucau < > > > > rmannibu...@gmail.com > > > > > > wrote: > > > > > > > > > >> Hi, > > > > >> > > > > >> It seems we bundle javax.xml.soap-api-1.3.5.jar now in plus flavor > > > > (guess > > > > >> it is a "leak" due to some dep upgrade), its license is > > CDDL+GPL1.1. I > > > > >> didn't see the notice/license work done. Was it intended or as I'm > > > > >> thinking > > > > >> a silent transitive issue? > > > > >> > > > > >> Romain Manni-Bucau > > > > >> @rmannibucau <https://twitter.com/rmannibucau> | Blog > > > > >> <https://rmannibucau.metawerx.net/> | Old Blog > > > > >> <http://rmannibucau.wordpress.com> | Github < > > > > >> https://github.com/rmannibucau> | > > > > >> LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book > > > > >> <https://www.packtpub.com/application-development/java-ee-8- > > > > >> high-performance> > > > > >> > > > > >> > > > > >> Le lun. 9 juil. 2018 à 10:55, Jean-Louis Monteiro < > > > > >> jlmonte...@tomitribe.com> > > > > >> a écrit : > > > > >> > > > > >> > +1 > > > > >> > > > > > >> > Build ok > > > > >> > Small demo and test applications running. > > > > >> > > > > > >> > -- > > > > >> > Jean-Louis Monteiro > > > > >> > http://twitter.com/jlouismonteiro > > > > >> > http://www.tomitribe.com > > > > >> > > > > > >> > On Mon, Jul 9, 2018 at 9:57 AM, Alex The Rocker < > > > alex.m3...@gmail.com > > > > > > > > > >> > wrote: > > > > >> > > > > > >> > > Hello, > > > > >> > > > > > > >> > > +1 (non binding) > > > > >> > > > > > > >> > > Used this 7.0.5 release candidate to deploy 15+ different web > > apps > > > > >> > > (including one on Windows, all others on Linux) using very > > > different > > > > >> > > aspects of Java EE. > > > > >> > > All running with ORACLE Server JRE 8 update 172. > > > > >> > > And got no regression as far as we're checking tests results. > > > > >> > > > > > > >> > > But if there's another 7.0.5 build + vote cycle, then > upgrading > > > > Tomcat > > > > >> > > dependency to Tomcat 8.5.32 (instead of Tomcat 8.5.30 part of > > this > > > > >> > > vote cycle) would be nice to include this security fix: > > > > >> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014 > > > > >> > > > > > > >> > > Kind regards, > > > > >> > > Alexandre > > > > >> > > > > > > >> > > > > > > >> > > 2018-07-04 10:33 GMT+02:00 Jonathan Gallimore < > > > > >> > > jonathan.gallim...@gmail.com>: > > > > >> > > > Hi Everyone, > > > > >> > > > > > > > >> > > > Here is the initial roll of TomEE 7.0.5. Please can you > take a > > > > look > > > > >> and > > > > >> > > > vote? Everyone, committer or not, is encouraged to test and > > > vote. > > > > >> > > > > > > > >> > > > Staging repo: > > > > >> > > > https://repository.apache.org/ > content/repositories/orgapache > > > > >> tomee-1113 > > > > >> > > > > > > > >> > > > Source zip: > > > > >> > > > /org/apache/tomee/tomee-project/7.0.5/tomee-project-7. > > > > >> > > 0.5-source-release.zip > > > > >> > > > <https://repository.apache.org/service/local/ > > > > >> > > repositories/orgapachetomee-1113/content/org/apache/tomee/ > > > > >> > > tomee-project/7.0.5/tomee-project-7.0.5-source-release.zip> > > > > >> > > > > > > > >> > > > Dist area: > > > > >> > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/ > > > > >> > > > > > > > >> > > > Legal: > > > > >> > > > > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1113/legal.zip > > > > >> > > > > > > > >> > > > Keys: > > > > >> > > > https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > >> > > > > > > > >> > > > Changelog: > > > > >> > > > https://issues.apache.org/jira/browse/TOMEE-2175?jql= > > > > >> > > > project%20%3D%20TOMEE%20AND%20(status%20%3D%20Resolved% > > > > >> > > > 20OR%20status%20%3D%20CLOSED)%20AND%20fixVersion%20%3D%207. > > > > >> > > > 0.5%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC > > > > >> > > > > > > > >> > > > (If anyone knows a better way to get that list, let me know > > ;-) > > > ) > > > > >> > > > > > > > >> > > > Please vote: > > > > >> > > > +1: Release > > > > >> > > > -1 Do not release because ... > > > > >> > > > > > > > >> > > > The vote will be open for 3 days or the consensus is binding > > (At > > > > >> least > > > > >> > 3 > > > > >> > > > binding votes). > > > > >> > > > > > > > >> > > > Many thanks > > > > >> > > > > > > > >> > > > Jon > > > > >> > > > > > > >> > > > > > >> > > > > > > > > > > > > > > > > > > > >
