On Sat, Sep 14, 2019 at 6:58 AM Daniel Beck <m...@beckweb.net> wrote:

>
>
> > On 11. Aug 2019, at 04:45, Tatu Saloranta <t...@fasterxml.com> wrote:
> >
> > Thoughts?
>
> Thanks for your response. These plans sound great!
>
> >     - Question: should replacement methods use different naming from
> > old methods, to allow easier searching for "dangerous" methods,
> > without having to check argument lists?
>
>
> I see this is already implemented as #activateDefaultTyping. Making it
> easier to discover/ban unsafe methods seems like a major benefit.
>
>
Yes, I figured that there isn't that much downside and that many larger
codebases still rely on textual search for finding out usages.
> (I tried to let more active Jackson users respond first, but this doesn't
> seem like a topic of much interest on this list.)
>

Unfortunately participation does ebb and flow a lot. But I appreciate
giving others a chance to have a say, that is a good practice to get wide
coverage of opinions.

So: as of now, I plan on starting to request that submitters only include
versions up to 2.9, and in case 2.10 is added try to rectify
classification. My understanding is that maintainers at Mitre are pretty
good in this, and are aware of challenges of classifications, metadata.

Also: on somewhat related news -- as per my email on `jackson-dev`, I
decided to try out Tidelift (https://tidelift.com), and sign up as
maintainer of (some) Jackson packages. They provide managed subscriptions
to sort of curated OSS library versions, and share some of revenue with
maintainers.
My hope is that this could help both me (and other lead maintainers that
might be interested in joining, f.ex for Kotlin, Scala, Java 8 date/time,
Hibernate, JSON Schema) spend more on doing OSS and also due to work I have
to do as "Lifter" -- add more version metadata, release notes, issue notes,
security notifications, clarify licensing, vuln disclosure practices --
hopefully improve Jackson usage experience by subscribers (at first I
assume, bigger companies).
So I think that there will be more documentation on expected flow of
security disclosures, too.

-+ Tatu +-


>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jackson-user+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-user/64DD9CFD-4CBF-4928-B62B-C48441B62DBC%40beckweb.net
> .
>
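As an added illustration of the replacement API named in the exchange above (this is not code from the thread or from the Jackson project): a Jackson 2.10+ mapper that uses `activateDefaultTyping` with an explicit allow-list instead of the old unrestricted method, so a type id outside the application's own hierarchy is rejected at read time. The `Event`/`Login` classes and the JSON strings are constructed for this example.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical domain types used only for this example.
    public static class Event { public String name; }
    public static class Login extends Event { public String user; }

    // 2.10 style: default typing is only "activated" together with a validator
    // that decides which subtypes a "@class" property may name.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)   // allow-list: only our Event hierarchy
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Round trip of an allowed subtype: the type id is embedded as "@class".
        Login login = new Login();
        login.name = "login";
        login.user = "alice";
        String json = mapper.writerFor(Event.class).writeValueAsString(login);
        Event back = mapper.readValue(json, Event.class);
        System.out.println("accepted: " + back.getClass().getSimpleName());

        // Constructed input naming a class outside the allow-list. The validator
        // rejects the id before any instance is created; Jackson reports this as a
        // JsonMappingException (subclass depends on the exact version).
        String denied = "{\"@class\":\"java.util.HashMap\",\"name\":\"x\"}";
        try {
            mapper.readValue(denied, Event.class);
            System.out.println("UNEXPECTED: type id was accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected as expected: " + e.getOriginalMessage());
        }
    }
}
```

Because the old method name no longer appears, a plain text search for `enableDefaultTyping` across a code base finds exactly the call sites still on the unrestricted API, which is the discoverability benefit discussed above.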
