+1 on spending time to finish EE9 compliance and work on EE10 + MicroProfile
Patching CXF with patch plugin will probably not get the report better because the jar file will be the same with the same version. Even if we can maintain a list of fixed CVE using this approach, we'll have to exclude those from the final report which may lead to manual tasks.

+1 on the work involved in reviews and the actual release.

And +1 with EOL comments. Happy to keep it using inactive and keep accepting patches.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Wed, Aug 3, 2022 at 12:00 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

> My general thoughts on this are:
>
> * While I understand the desire for a patched release, forking the CXF project feels like a lot of work, particularly if we're only looking to do one final release from this branch. I personally would prefer to spend my time working on Jakarta EE 9/10 support and MicroProfile support in the more recent branches.
>
> * It may be possible to use the patch plugin to patch CXF (assuming it would work on the TomEE 7.1.x build) in the TomEE build, but that's also a chunk of work.
>
> * In either case, to get a release out the committers and PMC would need to understand what all this is doing and ensure that releases are legal and don't introduce bad behaviour through poor patches, so it isn't quite as simple as one person showing up to do the work - we'd also need to be sure we can review what's done.
>
> * I don't really like the "EOL" label. If someone wanted to send TomEE patches on this branch through the usual processes, I don't see any reason why we'd reject them. I'd be ok with simply labelling it as "inactive" or similar.
>
> This is probably most aligned with option "D".
>
> Jon
>
> On Tue, Aug 2, 2022 at 7:19 PM Richard Zowalla <r...@apache.org> wrote:
>
> > Hi all,
> >
> > thanks for the thread, JL! Sorry, a bit longer than anticipated ;)
> >
> > As promised in the other thread, I took a look at the grype scan results. While there are many false positives (mostly related to the Geronimo specs and ActiveMQ), there are indeed some CVEs of interest:
> >
> > - cxf
> > - tomcat (will be fixed in the next tomcat release)
> > - xmlsec (should most likely be possible to update)
> > - jackson-databind (should most likely be possible to update)
> >
> > Imho, the most important ones originate from cxf 3.1.18 for which we won't get patches anymore, i.e. we would need to fork, backport the relevant CVE fixes and release it as shaded dependency within TomEE.
> >
> > I think the main issue arises from the fact, that we never communicated or announced some sort of EOL statement for any of the older branches (1.7.x, 7.0.x or 7.1.x) like it is done for example for Tomcat [1].
> >
> > The silent reader or the wise developer will know, that no release within the last two years most certainly means eol for the respective series but there will be a (perhaps rather small) community of people waiting for a release while running with their vulnerable TomEE for the last years.
> >
> > Therefore, I see the following options (no ordering, no preferences, just a listing):
> >
> > ####
> >
> > ## Option (A)
> >
> > We decide to do a release without patching the known CXF CVEs and announce the EOL of the 7.1.x series in a similar manner as it is done in Tomcat [1].
> >
> > In this announcement, we state that security vulnerability reports will not be checked against the 7.1.x branch, bugs affecting only the 7.1.x branch will not be addressed and releases of the 7.1.x branch are highly unlikely. After a certain grace period, we remove the 7.1.x download links, the documentation from the website and the artifacts from the cdn. Note, that all 7.1.x releases will always be available from the archive.
> >
> > ## Option (B)
> >
> > We decide to do a release, patch the known CXF CVEs by forking CXF and release it as shaded dependency within TomEE. Subsequently, we announce the EOL of the 7.1.x similar to option (A).
> >
> > ## Option (C)
> >
> > We decide, that 7.1.4 from 2020 was the final release of the 7.1.x series. Subsequently, we announce the EOL of the 7.1.x similar to option (A).
> >
> > ## Option (D)
> >
> > We don't release a new version of the 7.1.x series and do not announce any sort of EOL statement (status quo). We agree to not put much effort into the 7.1.x series and stop maintaining it.
> >
> > ## Option (E)
> >
> > We don't release a new version of the 7.1.x series and do not announce any sort of EOL statement (status quo). We agree to not put much effort into the 7.1.x series and stop maintaining it. To avoid user confusion, we remove the download links, the documentation and the artifacts from the cdn but all 7.1.x releases will always be available from the archive.
> >
> > ## Option (F) – (Z)
> >
> > » Your Input Here «
> >
> > ####
> >
> > Perhaps there are other options as well, but those are the ones, which directly went into my mind while thinking about it. A similar discussion needs to be done for 1.7.x and 7.0.x if we find some consensus for the 7.1.x series.
> >
> > I am a bit torn apart in this discussion. On the one hand, I am thinking: "Hey, we somehow "owe" the community one last release before declaring it eol and stop maintaining it". On the other hand, this rationale could also be used as an excuse to ask for a "last" 7.0.x or a "last" 1.7.x.
> >
> > I agree, that releasing a TomEE 7.1.5 with known CXF vulnerabilities isn't really desirable and we cannot maintain 3rd party libs indefinitely. We might be better in investing resources in 8.0.x and a stable 9.0.x release in order to later shift our attention to EE10 ;)
> >
> > Regards
> > Richard
> >
> > [1] https://tomcat.apache.org/tomcat-80-eol.html
> >
> > On Tuesday, 02.08.2022 at 16:07 +0200, Jean-Louis Monteiro wrote:
> > > Hi all,
> > >
> > > Don't want to hijack the other thread, so starting a new one based on the discussion.
> > >
> > > > I don't think releasing a "last 7.1.x" version with CVEs would be of any good
> > >
> > > I join Alex on this one. Does it really make sense to release a TomEE app server with known CVEs?
> > >
> > > I'm not arguing on the grype output and the validity or not of the report. But overall, we do have EOL libraries in there and we know we won't get patches even for CVEs for CXF and other libraries.
> > >
> > > > @Alex Thanks. We might not be able to address all CVEs as some of the libs used for EE7 aren't patched / updated anymore. I will have a look.
> > >
> > > This is also your point Richard.
> > >
> > > Based on this, does it mean we should call 7.1.x EOL and stop producing releases?
> > > The path to TomEE 8.x is pretty straightforward and backward compatible so it's not like moving from 8.x to 9.x.
> > >
> > > What do you think?
> > >
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > ---------- Forwarded message ---------
> > > From: Zowalla, Richard <richard.zowa...@hs-heilbronn.de>
> > > Date: Tue, Aug 2, 2022 at 3:48 PM
> > > Subject: [CANCEL] [VOTE] Apache TomEE 7.1.5
> > > To: dev@tomee.apache.org <dev@tomee.apache.org>
> > >
> > >
> > > Hi,
> > >
> > > thanks for the concerns raised. Better to check the CVE report and do a re-roll ;-)
> > >
> > > @JL: Will take a look.
> > >
> > > @Alex Thanks. We might not be able to address all CVEs as some of the libs used for EE7 aren't patched / updated anymore. I will have a look.
> > >
> > > Regards
> > > Richard
> > > ________________________________
> > > From: Jean-Louis Monteiro <jlmonte...@tomitribe.com>
> > > Sent: Tuesday, 2 August 2022 15:30:31
> > > To: dev@tomee.apache.org
> > > Subject: Re: [VOTE] Apache TomEE 7.1.5
> > >
> > > -1 (binding)
> > >
> > > Something went bad during the release. Looks like our libs are still 1.7.5-SNAPSHOT.
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker <alex.m3...@gmail.com> wrote:
> > >
> > > > Hello,
> > > >
> > > > [-1] (non binding)
> > > >
> > > > Indeed, I downloaded the TomEE+ 7.1.5 binary (from https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz) and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s archive extract directory.
> > > >
> > > > That gives 2 Critical and 125 High CVEs (see attached Grype output for this scan).
> > > >
> > > > I agree with whoever will say that Grype isn't quite smart, but nevertheless the world is now paranoid with security matters.
> > > >
> > > > I don't think releasing a "last 7.1.x" version with CVEs would be of any good, so Grype's output is all false positive, then at least we need a statement to avoid confusion in this page: https://tomee.apache.org/security/tomee.html
> > > >
> > > > Please also note in the attached Grype output the Warning lines related to archive-xbean-asm6-shaded-4.8.jar: isn't that showing a somehow malformed MANIFEST?
> > > >
> > > > Thanks,
> > > > Alex
> > > >
> > > > On Mon, 1 Aug 2022 at 19:35, Richard Zowalla <r...@apache.org> wrote:
> > > > > Hi all,
> > > > >
> > > > > this is a first attempt at a vote for a release of Apache TomEE 7.1.5
> > > > >
> > > > > It is a maintenance release with some bug fixes and dependency upgrades for which there was some interest on the list.
> > > > >
> > > > > Yet, a discussion, if this will be the last release of the 7.1.x series, is pending.
> > > > >
> > > > > Here are some infos:
> > > > >
> > > > > Maven Repo:
> > > > > https://repository.apache.org/content/repositories/orgapachetomee-1206
> > > > >
> > > > > <repositories>
> > > > >   <repository>
> > > > >     <id>tomee-7.1.5-release-test</id>
> > > > >     <name>Testing TomEE 7.1.5 release candidate</name>
> > > > >     <url>https://repository.apache.org/content/repositories/orgapachetomee-1206</url>
> > > > >   </repository>
> > > > > </repositories>
> > > > >
> > > > > Binaries & Source:
> > > > > https://dist.apache.org/repos/dist/dev/tomee/staging-1206/
> > > > >
> > > > > Tag:
> > > > > https://github.com/apache/tomee/tree/tomee-project-7.1.5
> > > > >
> > > > > Latest (green) CI/CD build:
> > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-7.1.x/19/
> > > > >
> > > > > Release notes:
> > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12349482
> > > > >
> > > > > Here is an adoc generated version of the changelog as well:
> > > > >
> > > > > == Dependency upgrade
> > > > >
> > > > > [.compact]
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2959[TOMEE-2959] jackson 2.12.0
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3941[TOMEE-3941] ActiveMQ 5.16.5
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3985[TOMEE-3985] BatchEE 1.0.2
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3772[TOMEE-3772] JUnit 4.13.2
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2979[TOMEE-2979] MyFaces 2.2.14
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4016[TOMEE-4016] Myfaces 2.2.15
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2958[TOMEE-2958] Tomcat 8.5.61
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4017[TOMEE-4017] Tomcat 8.5.81
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2939[TOMEE-2939] bcprov-jdk15on 1.67
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-4018[TOMEE-4018] bcprov-jdk15on 1.70
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3719[TOMEE-3719] commons-io 2.8
> > > > >
> > > > > == Bug
> > > > >
> > > > > [.compact]
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2919[TOMEE-2919] java.util.ConcurrentModificationException error deploying ear in TomEE Plus 7.1.4
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2968[TOMEE-2968] Postgres connection error when a password contains "}"
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2125[TOMEE-2125] Datasource config: MaxWait, timeBetweenEvictionRunsMillis and MinEvictableIdleTimeMillis are ignored
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-3718[TOMEE-3718] Missing mime mappings
> > > > >
> > > > > == Improvement
> > > > >
> > > > > [.compact]
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2957[TOMEE-2957] Fix OWASP Checks on ASF Jenkins Environment
> > > > > - link:https://issues.apache.org/jira/browse/TOMEE-2973[TOMEE-2973] TomEE :: Examples :: JSF2/CDI/BV/JPA/DeltaSpike uses too old version of commons-lang3
> > > > >
> > > > > Please VOTE
> > > > >
> > > > > [+1] go ship it
> > > > > [+0] meh, don't care
> > > > > [-1] stop, there is a ${showstopper}
> > > > >
> > > > > The VOTE is open for 72h or as long as needed.
> > > > >
> > > > > Regards
> > > > > Richard
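The report-filtering task the thread describes (a jar patched in place keeps its name and version, so the scanner keeps flagging it and the backported fixes have to be excluded from the final report by hand) as an added example; this is not code from the thread or from the TomEE project. It assumes Grype's JSON output carries a top-level `matches` list with `vulnerability.id`/`vulnerability.severity` and `artifact.name`/`artifact.version`; the sample report and the CVE ids in it are constructed placeholders.

```python
"""Filter a Grype JSON report against CVEs known to be fixed by backported
patches (e.g. a shaded, patched cxf jar that keeps its original version), then
summarise what remains by severity.  Assumed Grype layout: a top-level
"matches" list with "vulnerability" {"id", "severity"} and "artifact" {"name",
"version"}.  The report and the CVE ids below are constructed sample data."""
import json
from collections import Counter

# Constructed sample report: the ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
     "artifact": {"name": "cxf-core", "version": "3.1.18"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High"},
     "artifact": {"name": "cxf-rt-transports-http", "version": "3.1.18"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High"},
     "artifact": {"name": "geronimo-jaspic_1.0_spec", "version": "1.1"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"},
     "artifact": {"name": "tomcat-coyote", "version": "8.5.81"}},
]})

# Backported fixes keyed by (artifact name, version): a suppression applies
# only to the exact patched jar and lapses automatically once the version moves.
BACKPORTED = {
    ("cxf-core", "3.1.18"): {"CVE-0000-0001"},
    ("cxf-rt-transports-http", "3.1.18"): {"CVE-0000-0002"},
}


def filter_report(report_json, backported):
    """Return (remaining_matches, suppressed_ids) for a Grype JSON report."""
    remaining, suppressed = [], []
    for m in json.loads(report_json)["matches"]:
        key = (m["artifact"]["name"], m["artifact"]["version"])
        vuln_id = m["vulnerability"]["id"]
        if vuln_id in backported.get(key, set()):
            suppressed.append(vuln_id)      # fixed by a backport we track
        else:
            remaining.append(m)             # still needs triage or an upgrade
    return remaining, suppressed


def severity_counts(matches):
    """Count the remaining findings per severity label."""
    return dict(Counter(m["vulnerability"]["severity"] for m in matches))


if __name__ == "__main__":
    left, gone = filter_report(SAMPLE_REPORT, BACKPORTED)
    print("suppressed:", gone, "remaining:", severity_counts(left))
```

Keeping the suppression list keyed on the exact (name, version) pair is what makes it auditable in review: a reviewer can check each entry against the backported commit, and a later dependency bump does not carry stale suppressions forward.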