Hi Jeffery,

I started yesterday to release Turbine Parent 10, but only got halfway. I would roll back and update to log4j 2.16.0.

Yes, it's a bit of a hassle, each Fulcrum has the same parent, but that's it. If unversioned "joint"-modules, "indirections" exist, nobody would know which version is currently built.

The fast fix for everyone is just to replace the log4j libs; we are in each module at a version above 2.14 (> 2.12, which is Java 7 and has a separate fix), that means the new ones are binary compatible IMO.

The "fix" releases take some time, but we proceed as fast as can be done: first Turbine parent -> most Fulcrum SNAPSHOTs then will be "releasable", then Turbine Core (5.1.1), Turbine Archetype. The question is if Torque 5.1 (or 5.0.1?) will get a release in between, that is before Turbine Core. I would suggest and hope for it (part of Turbine PMC is also in DB Torque PMC). Then finally the remaining components could be released, but this will take some time.

Maybe we should announce on the site how to fix this? If parent POM v10 is compatible with all components, this would be the first choice IMO for what to recommend (after just hard-replacing the libs)...

Maybe there are better ideas or suggestions, or I am missing some important information?

Best regards, Georg

From: Jeffery Painter <[email protected]>
To: [email protected]
Date: 14.12.2021 22:09
Subject: Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only

Hi Georg,

I am sure you saw they have already released log4j 2.16.0 - should we wait and update to this before doing another vote?

Also - kind of confusing now how to update each fulcrum sub-module (each pom references the parent individually) - not sure if there is an easier way so that they are all referencing a single turbine-parent?

And of course -we still rely on torque-5.0 (release) which is stuck at log4j 2.14.x - I updated the pom.xml there, but I am heading out on vacation in a day or two and unfortunately won't have internet until I come back in January :-) - Jeff On 12/14/21 6:38 AM, [email protected] wrote: > This is an automated email from the ASF dual-hosted git repository. > > gk pushed a commit to branch master > in repository https://gitbox.apache.org/repos/asf/turbine-parent.git > > commit 6ff3eaff7796e17ada95bd0618d2ea0076ef3bf1 > Author: Georg Kallidis <[email protected]> > AuthorDate: Tue Dec 14 11:36:49 2021 +0100 > > Update parent for release, set dependency scan for profile apache-release only > --- > pom.xml | 8 ++++++-- > src/changes/changes.xml | 11 ++++++++++- > 2 files changed, 16 insertions(+), 3 deletions(-) > > diff --git a/pom.xml b/pom.xml > index a3e6ec9..fe9ea6c 100644 > --- a/pom.xml > +++ b/pom.xml > @@ -243,11 +243,12 @@ > <jvm>${turbine.surefire.java}</jvm> > </configuration> > </plugin> > - > <plugin> <!-- Thanks to Apache Commons --> > <groupId>org.apache.maven.plugins</groupId> > <artifactId>maven-scm-publish-plugin</artifactId> > <configuration> > + <!-- mono-module doesn't require site:stage --> > + <!--content>${project.build.directory}/staging</content--> > <content>${project.reporting.outputDirectory}</content> > <pubScmUrl>scm:git:${turbine.scmPubUrl}</pubScmUrl> > <checkoutDirectory>${turbine.scmPubCheckoutDirectory}</checkoutDirectory> > @@ -258,7 +259,7 @@ > <executions> > <execution> > <id>scm-publish</id> > - <phase>site-deploy</phase><!-- deploy site with maven-scm-publish-plugin --> > + <phase>site-deploy</phase><!-- deploy site with mvn scm-publish:publish-scm --> > <goals> > <goal>publish-scm</goal> > </goals> 
> @@ -396,6 +397,9 @@ > to better suit the requirements of Apache Turbine. (Thanks to Apache Commons) --> > <profile> > <id>apache-release</id> > + <properties> > + <dependency.check.skip>true</dependency.check.skip> > + </properties> > <build> > <plugins> > <plugin> > diff --git a/src/changes/changes.xml b/src/changes/changes.xml > index 51fa1cb..a23ed59 100644 > --- a/src/changes/changes.xml > +++ b/src/changes/changes.xml > @@ -25,8 +25,17 @@ > > <body> > <release version="10" date="in version control"> > + <action dev="gk" type="update" date="2021-12-13"> > + - activate dependency check/scan in profile apache-release only. > + </action> > + <action dev="gk" type="update" date="2021-12-13"> > + - site with github banner > + </action> > + <action dev="gk" type="fix" date="2021-12-11"> > + - Security patch CVE-2021-44228, update log4j2 to 2.15.0 > + </action> > <action dev="gk" type="update" date="2021-12-08"> > - - update apache pom v24, removed maven3 profile, disabled dependency check/scan by default, > + - update apache pom v24, removed maven3 profile, disable dependency check/scan by default. > - updated site header > </action> > <action dev="gk" type="update" date="2021-11-04"> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
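Review bot: in the maven-scm-publish-plugin <configuration> (pom.xml, hunk @@ -243,11 +243,12 @@), the added line `<!--content>${project.build.directory}/staging</content-->` leaves a disabled alternative element in the parent POM next to the active `<content>${project.reporting.outputDirectory}</content>`. The comment above it already states that a mono-module build does not need site:stage; I would drop the commented-out element, or extend the comment to say when an inheriting multi-module build should switch to the staging directory, so child modules do not have to guess.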
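Review bot: the property added to the apache-release profile (pom.xml, hunk @@ -396,6 +397,9 @@) is `<dependency.check.skip>true</dependency.check.skip>`, which by its name switches the scan off inside this profile, while the commit subject ("set dependency scan for profile apache-release only") and the new changes.xml action ("activate dependency check/scan in profile apache-release only") both say the scan should run there. If the default elsewhere in the POM is already skip=true, as the 2021-12-08 entry "disable dependency check/scan by default" suggests, this profile needs `false` for release builds to be scanned at all; otherwise the wording of the commit message and changes entry should be corrected. For a release that exists to ship a log4j fix, it is worth confirming with a release-profile build that the scan actually executes.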
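Review bot: the `type="fix"` action for CVE-2021-44228 (src/changes/changes.xml, hunk @@ -25,8 +25,17 @@) records the log4j2 update to 2.15.0, but none of the pom.xml hunks in this commit changes a log4j version, so the entry cannot be checked against this diff. Point the entry at the property or commit where the version is set, and if version 10 ends up shipping a later log4j2 version, record that in its own action rather than leaving 2.15.0 as the documented state of the release.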
