[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-07 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17630019#comment-17630019
 ] 

Tim Allison commented on TIKA-2536:
---

Thank you!

It looks like we include this in our README, but do not explain that it fixes 
dependency convergence as well!

I just confirmed that it does fix dependency convergence.

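{noformat}
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-bom</artifactId>
      <version>${tika.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
{noformat}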

> Move to later edu.ucar version to avoid EOL dependencies
> 
>
> Key: TIKA-2536
> URL: https://issues.apache.org/jira/browse/TIKA-2536
> Project: Tika
>  Issue Type: Improvement
>  Components: parser
>Affects Versions: 1.16, 1.17
> Environment: All
>Reporter: Richard Jones
>Priority: Major
> Attachments: screenshot-1.png, screenshot-2.png
>
>
> The currently referenced 4.5.5 versions of edu.ucar:grib and edu.ucar:cdm 
> (released in Mar 2015), as well as being branch EOL themselves, depend on 
> many other project/branch/version EOL artifacts for which much later and 
> active versions are often available. The list is as follows:
> - edu.ucar:grib depends on the project EOL bzip2. Much more recent versions 
> of edu.ucar:grib exist that no longer depend on bzip2 (note: Jbzip2 is hosted 
> on the Google Code site, which was shut down for active development in 2015.  
> The project was never migrated to another site, e.g. Github).
> - edu.ucar:grib depends on the 2.0.4 EOL version of org.jdom:jdom2
> - edu.ucar:cdm depends on the 2.6.2 branch EOL version of 
> net.sf.ehcache:ehcache-core
> - edu.ucar:cdm depends on the 2.2.0 EOL version of 
> org.quartz-scheduler:quartz for which active versions are available. In turn 
> org.quartz-scheduler:quartz depends on the 0.9.1.1 branch EOL version of 
> c3p0:c3p0. Later versions of quartz have moved to the active com.mchange:c3p0
> - edu.ucar:grib depends on the 2.5.0 branch EOL version of 
> com.google.protobuf:protobuf-java for which active versions are available.
> Request moving to a much later version of edu.ucar, or alternative artifacts 
> to address all the above EOL issues (lack of active support for 
> vulnerabilities and bugs).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
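
Added example (not part of the original thread and not Tika project code): a small Python check over `mvn dependency:tree` output that reports artifacts resolved at a version other than the one the upstream dependency management pins, which is the drift this thread is about. The first tree is the excerpt posted in the thread and the pinned protobuf-java version is the one quoted in the thread for the Tika parent pom; the function names and the "with BOM" tree are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# dependency:tree excerpt as posted in this thread (consumer WITHOUT the BOM import).
TREE_WITHOUT_BOM = r"""
[INFO] |  +- edu.ucar:grib:jar:4.5.5:compile
[INFO] |  |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  |  +- org.jdom:jdom2:jar:2.0.6.1:compile
[INFO] |  |  +- edu.ucar:jj2000:jar:5.2:compile
[INFO] |  |  \- org.itadaki:bzip2:jar:0.9.1:compile
"""

# Version the thread quotes for protobuf-java in the Tika parent pom's
# dependency management section.
MANAGED = {"com.google.protobuf:protobuf-java": "3.12.9"}

# Constructed sample: the same tree once the managed version is applied.
TREE_WITH_BOM = TREE_WITHOUT_BOM.replace(
    "protobuf-java:jar:2.5.0", "protobuf-java:jar:3.12.9"
)

# "[INFO] " + tree drawing ("|  " per level) + optional "+- " or "\- " + coordinates.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<indent>[| ]*)(?P<marker>[+\\]- )?(?P<coord>\S+)$"
)


class Node(NamedTuple):
    ga: str             # groupId:artifactId
    version: str
    depth: int          # 0 = project root, 1 = direct dependency, ...
    via: Optional[str]  # groupId:artifactId of the parent in the tree, if shown


class Drift(NamedTuple):
    ga: str
    resolved: str
    managed: str
    via: Optional[str]
    older: bool         # True when the resolved version is below the managed one


def version_key(version: str) -> tuple:
    """Numeric comparison key. Simplification: Maven's full version ordering
    (qualifiers such as -SNAPSHOT or -rc1) is not implemented here."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def parse_tree(text: str) -> List[Node]:
    """Parse the text output of `mvn dependency:tree` into nodes with parents."""
    nodes: List[Node] = []
    last_at_depth: Dict[int, str] = {}
    for raw in text.splitlines():
        match = LINE_RE.match(raw.rstrip())
        if not match:
            continue
        parts = match.group("coord").split(":")
        # root: g:a:type:version; dependency: g:a:type[:classifier]:version:scope
        if len(parts) not in (4, 5, 6):
            continue
        depth = len(match.group("indent")) // 3 + 1 if match.group("marker") else 0
        ga = f"{parts[0]}:{parts[1]}"
        version = parts[3] if len(parts) == 4 else parts[-2]
        last_at_depth[depth] = ga
        nodes.append(Node(ga, version, depth, last_at_depth.get(depth - 1)))
    return nodes


def find_drift(nodes: List[Node], managed: Dict[str, str]) -> List[Drift]:
    """Return every node whose resolved version differs from the managed pin."""
    drift = []
    for node in nodes:
        pinned = managed.get(node.ga)
        if pinned is not None and node.version != pinned:
            older = version_key(node.version) < version_key(pinned)
            drift.append(Drift(node.ga, node.version, pinned, node.via, older))
    return drift


if __name__ == "__main__":
    for label, tree in (("without BOM", TREE_WITHOUT_BOM), ("with BOM", TREE_WITH_BOM)):
        findings = find_drift(parse_tree(tree), MANAGED)
        print(label, "->", findings or "no drift")
```

Run against a consumer project's real `mvn dependency:tree` output, a non-empty result means the upstream managed versions are not being applied to that build.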


[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-07 Thread David Pilato (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17629794#comment-17629794
 ] 

David Pilato commented on TIKA-2536:


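For future readers, the workaround to depend on Tika BOM is to add this in your 
{{pom.xml}}:
{code:java}
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-parent</artifactId>
      <version>${tika.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
{code}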



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Lewis John McGibbney (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17628032#comment-17628032
 ] 

Lewis John McGibbney commented on TIKA-2536:


They may appreciate a contribution which allows them to [accommodate dual 
publication|https://docs.unidata.ucar.edu/netcdf-java/current/userguide/building_from_source.html#publishing].
 If you can look at the question above [~nick], then I'll go ahead and ask. 
I'm trying to anticipate them asking why we can't just reference their 
repository...



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Lewis John McGibbney (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17628029#comment-17628029
 ] 

Lewis John McGibbney commented on TIKA-2536:


As of version 5.0, netCDF-Java is released under the [BSD-3 
licence|https://github.com/Unidata/netcdf-java/blob/master/LICENSE]
* tika main branch relies on v4.5.5
* current netCDF-java release appears to be 5.5.2 

[~nick] I think I used to know the answer to this question but what 
conditions/restrictions result in the following statement "...We can only 
depend on versions in maven central, we can't depend on versions hosted 
elsewhere"? Please remind me. Thanks



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17628028#comment-17628028
 ] 

Tim Allison commented on TIKA-2536:
---

Thank you [~lewismc]! 



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Lewis John McGibbney (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17628027#comment-17628027
 ] 

Lewis John McGibbney commented on TIKA-2536:


As [~nick] mentioned referencing 3rd-party artifact repos is a no-go. [UCAR 
provides documentation on the repos and how to do exactly 
that|https://docs.unidata.ucar.edu/netcdf-java/current/userguide/using_netcdf_java_artifacts.html]
 but that doesn't help us as we would need to reference their repos...

I will attempt to contact the UCAR team and see where I get... I'll write back 
here.





[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627763#comment-17627763
 ] 

Tim Allison commented on TIKA-2536:
---

Plan B is that we move to docker-only releases . LOL...



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627762#comment-17627762
 ] 

Tim Allison commented on TIKA-2536:
---

It turns out that you can inherit our dependency management if you'd like: 
https://stackoverflow.com/questions/53804722/does-a-project-inherit-dependencymanagement-from-dependencys-parent

I'm going to play with this and see if we should improve our documentation.  
This has been an annoying thing that has hit others.



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627673#comment-17627673
 ] 

Tim Allison commented on TIKA-2536:
---

You're not seeing it because our parent pom's dependency management is not 
inherited by your project.  I don't know if there is a workaround for this or 
if you have to duplicate our dependency management section.

The *-package is shaded.  You're using *-module, right?  Try the *-package and 
see if you have greater success?



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread David Pilato (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627657#comment-17627657
 ] 

David Pilato commented on TIKA-2536:


But wait, it's shaded now??? So I should not have it as a dependency then, 
right?



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread David Pilato (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627656#comment-17627656
 ] 

David Pilato commented on TIKA-2536:


That's weird... I'm not seeing the same thing... I need to check again...
{noformat}
[INFO] |  +- edu.ucar:grib:jar:4.5.5:compile
[INFO] |  |  +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  |  +- org.jdom:jdom2:jar:2.0.6.1:compile
[INFO] |  |  +- edu.ucar:jj2000:jar:5.2:compile
[INFO] |  |  \- org.itadaki:bzip2:jar:0.9.1:compile
{noformat}



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627650#comment-17627650
 ] 

Tim Allison commented on TIKA-2536:
---

Still, if anyone knows anyone at ucar or anyone has the time and permissions to 
publish to maven central, that would be far better!



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627649#comment-17627649
 ] 

Tim Allison commented on TIKA-2536:
---

 !screenshot-2.png! 

We are packaging the latest protobuf in {{tika-parser-scientific-package}}



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread David Pilato (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627646#comment-17627646
 ] 

David Pilato commented on TIKA-2536:


Ha right! Thanks for pointing this out [~tallison]. I'm going to check why this 
is happening then... 



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627644#comment-17627644
 ] 

Tim Allison commented on TIKA-2536:
---

Wait, we are dependency-managementing our way out of this.  We have 
protobuf-java in the dependency management section of our parent pom at a 
higher version -- 3.12.9.  The problem [~dadoonet] is that our dependency 
management is not inherited by your project.

 !screenshot-1.png! 

This doesn't solve the larger problem that we're on an ancient version of 
edu.ucar but it does explain why we're not getting complaints from ossindex (on 
this dependency!).



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627640#comment-17627640
 ] 

Tim Allison commented on TIKA-2536:
---

Thank you [~nick] for confirming. 



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Nick Burch (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627638#comment-17627638
 ] 

Nick Burch commented on TIKA-2536:
--

We can only depend on versions in maven central; we can't depend on versions 
hosted elsewhere.

If newer versions have been formally released, ideally the project owners would 
upload them to central. If they can't/won't and we can get that confirmed, we 
may be able to get them uploaded on their behalf, but it's much better and 
easier if the project owners upload themselves! OSSRH is often the best way for 
independent maintainers not part of a bigger foundation to get their releases 
into central.

If the version currently in maven central will play nicely with a new version 
of a dependency, short-term we ought to be able to pull that in and exclude the 
old version. If it doesn't play nicely, our only option is to upgrade the whole 
lot, which needs to be in central.



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627637#comment-17627637
 ] 

Tim Allison commented on TIKA-2536:
---

It looks like last time [~annieburgess] pushed a more recent version to maven 
central.  Do we know of anyone with credentials who would be willing to do this 
again?  Do we have any contacts at edu.ucar who can help? cc [~lewismc]



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread Tim Allison (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627623#comment-17627623
 ] 

Tim Allison commented on TIKA-2536:
---

I don't see an upgrade available for netcdf in the maven Central repo.  I don't 
think we're allowed to pull from the Unidata UCAR repo.  Can we dependency 
management our way out of this for the time being by requiring a higher version 
of protobuf?



[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2022-11-02 Thread David Pilato (Jira)


[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17627609#comment-17627609
 ] 

David Pilato commented on TIKA-2536:


Hey team

netcdf 4.5.5 depends on cdm 4.5.5 which depends on protobuf-java 2.5.0.

This protobuf version has 
[CVE-2022-3171|https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven=com.google.protobuf%2Fprotobuf-java_source=ossindex-client_medium=integration_content=1.8.1]
 which makes my project fail the ossindex audit:

 
{code:java}
[ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.2.0:audit (audit-dependencies) on project fscrawler-tika: Detected 1 vulnerable components:
[ERROR]   com.google.protobuf:protobuf-java:jar:2.5.0:compile; https://ossindex.sonatype.org/component/pkg:maven/com.google.protobuf/protobuf-java@2.5.0?utm_source=ossindex-client_medium=integration_content=1.8.1
[ERROR]     * [CVE-2022-3171] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') (7.5); https://ossindex.sonatype.org/vulnerability/CVE-2022-3171?component-type=maven=com.google.protobuf%2Fprotobuf-java_source=ossindex-client_medium=integration_content=1.8.1
{code}

I believe this could not be solved until we upgrade netcdf.

 

My project depends on {{tika-parser-scientific-module}} 2.5.0.

 

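
Added example (not part of the thread and not Tika's code): a Python check that reads `mvn dependency:tree` output and reports, for each EOL version listed in the issue description, the chain that brings it in and the direct dependency where an exclusion or a managed version would apply. The tree is a constructed sample, and `org.example:consumer-app`, `edu.ucar:netcdf4`, `org.slf4j:slf4j-api` and the function names are assumptions.

```python
import re

# Constructed sample in the format printed by `mvn dependency:tree`. Its shape
# follows the chains named in the thread; it is not the real tree of a Tika release.
SAMPLE_TREE = r"""
[INFO] org.example:consumer-app:jar:1.0-SNAPSHOT
[INFO] +- org.apache.tika:tika-parser-scientific-module:jar:2.5.0:compile
[INFO] |  +- edu.ucar:netcdf4:jar:4.5.5:compile
[INFO] |  |  \- edu.ucar:cdm:jar:4.5.5:compile
[INFO] |  |     +- com.google.protobuf:protobuf-java:jar:2.5.0:compile
[INFO] |  |     \- org.quartz-scheduler:quartz:jar:2.2.0:compile
[INFO] |  |        \- c3p0:c3p0:jar:0.9.1.1:compile
[INFO] |  \- edu.ucar:grib:jar:4.5.5:compile
[INFO] |     \- org.jdom:jdom2:jar:2.0.4:compile
[INFO] \- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# EOL versions listed in the issue description, keyed by groupId:artifactId.
WATCHLIST = {
    "org.jdom:jdom2": "2.0.4",
    "net.sf.ehcache:ehcache-core": "2.6.2",
    "org.quartz-scheduler:quartz": "2.2.0",
    "c3p0:c3p0": "0.9.1.1",
    "com.google.protobuf:protobuf-java": "2.5.0",
}

# Tree prefix is built from 3-character cells: "|  ", "   ", "+- " or "\- ".
LINE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ]  )*(?:[+\\]- )?)"
                  r"(?P<coord>[^\s:]+(?::[^\s:]+){3,5})")

def parse_tree(text):
    """Yield (depth, 'group:artifact', version) for every node in the tree."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banners, blank lines, other build output
        parts = m["coord"].split(":")
        # root: g:a:type:version ; dependency: g:a:type[:classifier]:version:scope
        version = parts[3] if len(parts) == 4 else parts[-2]
        yield len(m["indent"]) // 3, f"{parts[0]}:{parts[1]}", version

def find_chains(text, watchlist):
    """Return {flagged 'g:a:version': chain from the direct dependency down to it}."""
    stack, hits = [], {}
    for depth, ga, version in parse_tree(text):
        del stack[depth:]                      # leave only this node's ancestors
        stack.append(f"{ga}:{version}")
        if watchlist.get(ga) == version:
            hits[f"{ga}:{version}"] = stack[1:]  # drop the root project itself
    return hits

def exclusion_sites(chains):
    """Group flagged artifacts by the direct dependency that carries them."""
    sites = {}
    for flagged, chain in chains.items():
        if chain:                              # empty only if the root itself is flagged
            sites.setdefault(chain[0], []).append(flagged)
    return sites
```

Running the same check on the tree of the consuming project, after it sets its own managed version, shows whether the flagged version is still resolved there.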


[jira] [Commented] (TIKA-2536) Move to later edu.ucar version to avoid EOL dependencies

2018-01-23 Thread Tim Allison (JIRA)

[ 
https://issues.apache.org/jira/browse/TIKA-2536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16336083#comment-16336083
 ] 

Tim Allison commented on TIKA-2536:
---

See TIKA-1287 for a discussion of pushing edu.ucar code to maven central.  
Anyone care to ask them?




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)