Thanks a lot Jean-Louis, if you could trigger a vote over this
weekend then it would be fantastic!

Alex

On Wed, Apr 3, 2024 at 15:07, Jean-Louis Monteiro
<jlmonte...@tomitribe.com> wrote:
>
> Being a bit busy, I have no time for it in the upcoming weeks to do a 9.1.3.
>
> I'll try to do the release check and vote over the weekend.
>
>
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Wed, Apr 3, 2024 at 2:31 PM Richard Zowalla <r...@apache.org> wrote:
>
> > To answer that question, we are currently waiting for
> >
> > (1) Someone from the committership/PMC to do the mechanical work (as
> > mentioned above, ~1h) - so far no one has shown interest in doing a
> > release (this may change once we have M1 available).
> >
> > (2) It takes the time of at least 3 PMC people to vote, as they have to
> > do the necessary checks, etc. - which also ties up their
> > capacity/volunteer time/spare time. As we are currently running a VOTE
> > for TomEE 10-M1 and no PMC votes have been cast yet, it doesn't make
> > much sense to start another VOTE thread right now, IMHO.
> >
> > Personally, I don't have the time to do another release right now, but
> > I would review a release candidate and support a committer taking over
> > as release manager, helping them through all the necessary steps (if
> > needed).
> >
> > Regards
> > Richard
> >
> > On Wednesday, 03.04.2024 at 10:57 +0200, Alex The Rocker wrote:
> > > Hello,
> > >
> > > So is it possible to run a TomEE 9.1.3 vote soon, or are we waiting
> > > for more inputs?
> > >
> > > Thanks
> > > Alex
> > >
> > > On Fri, Mar 29, 2024 at 21:11, Richard Zowalla <r...@apache.org> wrote:
> > > >
> > > > FYI: apache-mime4j-core is a shaded dependency of the Jakarta Mail
> > > > spec jar inside of Geronimo Mail. I did a quick search in IDE and
> > > > its code doesn't seem to be actually used, so no big deal here
> > > > (aside from confusing vulnerability scanners).
> > > >
> > > > On Friday, 29.03.2024 at 13:07 +0100, Alex The Rocker wrote:
> > > > > Hi Richard,
> > > > >
> > > > > Maybe not fully answering your request to get dependencies
> > > > > analysis on lib/, but running latest grype led to this small
> > > > > finding:
> > > > >
> > > > > NAME                INSTALLED  FIXED-IN  TYPE          VULNERABILITY        SEVERITY
> > > > > apache-mime4j-core  0.8.7      0.8.10    java-archive  GHSA-jw7r-rxff-gv24  Medium
> > > > >
> > > > > The use of apache-mime4j-core comes from:
> > > > > geronimo-mail_2.1_spec-1.0.0-M1.jar
> > > > >
> > > > > This vulnerability is associated with CVE-2024-21742 in Maven
> > > > > central.
> > > > >
> > > > > If not trivial to fix in 9.1.3 then I guess its medium severity
> > > > > doesn't make it vital to update.
> > > > >
> > > > > Should I check other dependencies against non-vulnerabilities
> > > > > related criteria?
> > > > >
> > > > > Thanks,
> > > > > Alex
> > > > >
> > > > > On Fri, Mar 29, 2024 at 12:44, Richard Zowalla <r...@apache.org> wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I have nothing against doing a TomEE 9.1.3, which is merely a
> > > > > > time thing. Doing the actual release preparation, starting the
> > > > > > vote, etc. takes ~ 30-60min depending on a machine.
> > > > > >
> > > > > > If we need to do additional library upgrades, it might take
> > > > > > some additional time to wait until CI is complete and to fix
> > > > > > potential issues. Good thing is, that current CI build is happy.
> > > > > >
> > > > > > What would help to speed things up:
> > > > > >
> > > > > > Are there any additional dependencies we need to update for
> > > > > > 9.1.3?
> > > > > >
> > > > > > If someone can have a quick look into /lib of a 9.1.3-SNAPSHOT,
> > > > > > we might be able to do the updates quickly and get some CI
> > > > > > feedback, so we can start with release preparations.
> > > > > >
> > > > > > Regards
> > > > > > Richard
> > > > > >
> > > > > > On Friday, 29.03.2024 at 11:01 +0100, Alex The Rocker wrote:
> > > > > > > Hi there,
> > > > > > >
> > > > > > > It's been more than 3 months since TomEE 9.1.2 was released.
> > > > > > > A couple of updates have been delivered in 9.1.3 in-work,
> > > > > > > including 2 CVE fixes.
> > > > > > > Wouldn't it be a good thing to release a 9.1.3 within coming
> > > > > > > weeks?
> > > > > > >
> > > > > > > (I know we would like to have 10.0.0 asap, but a small patch
> > > > > > > release on 9.2.x with dependencies / security fixes could help
> > > > > > > keeping community users comfortable with not too old versions)
> > > > > > >
> > > > > > > (my 2 cents ;)
> > > > > > >
> > > > > > > Alex
> > > > > >
> > > >
> >
> >
