Re: [VOTE] TomEE 9.1.0

2023-06-06 Thread Daniel Dias Dos Santos 
Hello,

+1

On Tue, Jun 6, 2023, 08:02 Richard Zowalla  wrote:

> Hi all,
>
> this is a vote for a release of Apache TomEE 9.1.0.
>
> It is a maintenance release with some bug fixes and dependencies
> upgrades (MicroProfile 5, ActiveMQ, Johnzon, XBean, etc).
>
> It also fixes the latest Tomcat vulnerabilities (CVE-2023-28708, CVE-
> 2023-24998, CVE-2023-28709) by backporting and patching Tomcat inside
> the TomEE 9 build.
>
> ###
>
> Maven Repo:
> https://repository.apache.org/content/repositories/orgapachetomee-1217/
>
> 
> 
> tomee-9.1.0-rc1
> Testing TomEE 9.1.0 RC1
> 
> https://repository.apache.org/content/repositories/orgapachetomee-1217/
> 
> 
> 
>
> ###
>
> Binaries & Source:
>
> https://dist.apache.org/repos/dist/dev/tomee/staging-1217/tomee-9.1.0/
>
> ###
>
> Tag:
>
> https://github.com/apache/tomee/releases/tag/tomee-project-9.1.0
>
>
> ###
>
> Release notes:
>
>
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353156
>
> ###
>
> Here is an adoc generated version of the changelog as well:
>
> == Dependency upgrade
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4217[TOMEE-4217]
> Arquillian 1.7.0.Final
>  - link:https://issues.apache.org/jira/browse/TOMEE-4204[TOMEE-4204]
> Bouncycastle 1.73
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218]
> HSQLDB 2.7.2
>  - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221]
> JUnit 5.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4212[TOMEE-4212]
> Jackson 2.15.0
>  - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216]
> Jackson 2.15.1
>  - link:https://issues.apache.org/jira/browse/TOMEE-4208[TOMEE-4208]
> Johnzon 1.2.20
>  - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
> Jose4j
> 
> 0.9.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4203[TOMEE-4203]
> Microprofile Config API 3.0.3, Fault Tolerance Impl 6.2.2, OpenTracing
> Impl 3.0.3
>  - link:https://issues.apache.org/jira/browse/TOMEE-4141[TOMEE-4141]
> SmallRye on 9.x branch
>  - link:https://issues.apache.org/jira/browse/TOMEE-4061[TOMEE-4061]
> Wrap up updates for TomEE 9.x
>  - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220]
> log4j
> 
> 2.20.0 (integration)
>  - link:https://issues.apache.org/jira/browse/TOMEE-4213[TOMEE-4213]
> snakeyaml version 2.0 mitigate CVE-2022-1471
>  - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219]
> xbeans 4.23
>
> == Bug
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
> BCProv jar loses its signature during the patch process
>  - link:https://issues.apache.org/jira/browse/TOMEE-4183[TOMEE-4183]
> TomEE 9.0.0 is not creating service in Windows 10 incompatible software
>  - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
> java.lang.ClassNotFoundException:
> org.apache.openejb.loader.SystemInstance
>  - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
> ApplicationComposers do not clear GC references on release
>  - link:https://issues.apache.org/jira/browse/TOMEE-4174[TOMEE-4174]
> Port TOMEE-3779 to 9.x
>  - link:https://issues.apache.org/jira/browse/TOMEE-4199[TOMEE-4199]
> jakartaee-api
> 
> with tomcat classifier has too much in it
>  - link:https://issues.apache.org/jira/browse/TOMEE-4112[TOMEE-4112]
> Performance Regression in bean resolution in EAR files
>
> == Improvement
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4200[TOMEE-4200]
> Use ActiveMQ client jakarta instead of shading it in TomEE
>  - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202]
> Backport CVE fixes of Tomcat 10.1.x to 10.0.27
>
> == Task
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4053[TOMEE-4053]
> Dependency properties cleanup
>
> == Documentation
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4186[TOMEE-4186]
> Update download page for discontinued branches
>
> == Wish
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
> RunWithApplicationComposer should support inheritance
>
> == Fixed Common Vulnerabilities and Exposures (CVEs)
>
> [.compact]
>  - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
> Commons FileUpload 1.5
>  - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202]
> Backport CVE fixes of Tomcat 10.1.x to 10.0.27
>
> ###
>
> Here is the dependency diff from 8.0.14 to 8.0.15 created with our
> release tools:
>
> artifactId   from  to
> -

Re: Tomcat 10.1.x vs Tomcat 10.0.x

2023-06-06 Thread Richard Zowalla 
Hi Jonathan,

we just upgraded to amq 18 with the native client (contained in 9.1.0
rc1). TCK 9.1 looks good with it.

AFAIK, we still need to figure out how to run the plattform tck for
ee10 within our current approach (if it is even possible) but it might
not be as simple as desired but is a pre-requiste to see, where we are
standing :-) - don't know how far we are on that part...

Gruß
Richard


Am Dienstag, dem 23.05.2023 um 11:36 -0400 schrieb Jonathan Fisher:
> Thank you very much for the explanation. In the Email, I noticed JMS
> wasn’t mentioned. I think amq 18 offers a native client, but I might
> be remembering that correctly.
> 
> What areas could we help with?
> 
> Sent from my iPhone
> 
> > On May 23, 2023, at 2:09 AM, Richard Zowalla 
> > wrote:
> > 
> > Hi Jonathan,
> > 
> > from a spec perspective: 
> > 
> > - Tomcat 10.0.x -> EE9
> > - Tomcat 10.1.x -> EE10
> > 
> > Our "main" branch (or TomEE 10) will support EE10 based upon Tomcat
> > 10.1.x - we are currently working on the various 3rd party libs to
> > make
> > that happen and to pass the TCK again. There was a discussion of
> > the
> > current process here: [1]
> > 
> > A bit of a problem is, that setting up the EE10 tck changed quiet a
> > lot
> > between EE9 and EE10 + various ongoing work in the projects we
> > depend
> > on.
> > 
> > I don't know the progress on the TCK side, though.
> > 
> > Hope it helps a bit
> > 
> > Gruß
> > Richard
> > 
> > 
> > [1]
> > https://lists.apache.org/thread/6xfzslqrfqq3o1mdywro2vhl60540foc
> > 
> > > Am Montag, dem 22.05.2023 um 15:45 -0400 schrieb Jonathan S.
> > > Fisher:
> > > Hello TomEE team,
> > > 
> > > I apologize for missing the discussion, and I've searched the
> > > archive
> > > but
> > > can't seem to find the correct thread. Tomcat 10.0.x was EOL'd in
> > > October
> > > last year and replaced by Tomcat 10.1.x. TomEE mainline depends
> > > on
> > > Tomcat
> > > 10.0.x.
> > > 
> > > I know the TomEE team is currently backporting CVE patches into
> > > Tomcat
> > > 10.0.x. And I apologize if this is a stupid question with a
> > > simpler
> > > answer:
> > > Does TomEE mainline need to be on 10.1.x and if so, what areas
> > > need
> > > work?
> > > What's preventing the move to 10.1.x?
> > > 
> > > Asking because we're looking ahead to next year, and my
> > > organization
> > > will
> > > (finally) have to get off Tomcat 9.5.x/TomEE 8.0.x when it goes
> > > EOL.
> > > I do
> > > have a little bit of dev capacity I can voluntell to help squash
> > > some
> > > simpler issues; they're mostly app developers and maybe not well
> > > suited for
> > > low level work but there's a first time for everything. Looking
> > > for
> > > ways to
> > > help smooth the transition, and fixing TomEE bugs is time well
> > > spent.
> > > 
> > > Thank you,
> > > 
> > 



signature.asc
Description: This is a digitally signed message part

[VOTE] TomEE 9.1.0

2023-06-06 Thread Richard Zowalla 
Hi all,

this is a vote for a release of Apache TomEE 9.1.0.

It is a maintenance release with some bug fixes and dependencies
upgrades (MicroProfile 5, ActiveMQ, Johnzon, XBean, etc). 

It also fixes the latest Tomcat vulnerabilities (CVE-2023-28708, CVE-
2023-24998, CVE-2023-28709) by backporting and patching Tomcat inside
the TomEE 9 build.

###

Maven Repo:
https://repository.apache.org/content/repositories/orgapachetomee-1217/



tomee-9.1.0-rc1
Testing TomEE 9.1.0 RC1

https://repository.apache.org/content/repositories/orgapachetomee-1217/




###

Binaries & Source:

https://dist.apache.org/repos/dist/dev/tomee/staging-1217/tomee-9.1.0/

###

Tag:

https://github.com/apache/tomee/releases/tag/tomee-project-9.1.0


###

Release notes:

https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320&version=12353156

###

Here is an adoc generated version of the changelog as well:

== Dependency upgrade

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4217[TOMEE-4217]
Arquillian 1.7.0.Final
 - link:https://issues.apache.org/jira/browse/TOMEE-4204[TOMEE-4204]
Bouncycastle 1.73
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
Commons FileUpload 1.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4218[TOMEE-4218]
HSQLDB 2.7.2
 - link:https://issues.apache.org/jira/browse/TOMEE-4221[TOMEE-4221]
JUnit 5.9.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4212[TOMEE-4212]
Jackson 2.15.0
 - link:https://issues.apache.org/jira/browse/TOMEE-4216[TOMEE-4216]
Jackson 2.15.1
 - link:https://issues.apache.org/jira/browse/TOMEE-4208[TOMEE-4208]
Johnzon 1.2.20
 - link:https://issues.apache.org/jira/browse/TOMEE-4205[TOMEE-4205]
Jose4j 0.9.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4203[TOMEE-4203]
Microprofile Config API 3.0.3, Fault Tolerance Impl 6.2.2, OpenTracing
Impl 3.0.3
 - link:https://issues.apache.org/jira/browse/TOMEE-4141[TOMEE-4141]
SmallRye on 9.x branch
 - link:https://issues.apache.org/jira/browse/TOMEE-4061[TOMEE-4061]
Wrap up updates for TomEE 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4220[TOMEE-4220]
log4j 2.20.0 (integration)
 - link:https://issues.apache.org/jira/browse/TOMEE-4213[TOMEE-4213]
snakeyaml version 2.0 mitigate CVE-2022-1471
 - link:https://issues.apache.org/jira/browse/TOMEE-4219[TOMEE-4219]
xbeans 4.23

== Bug

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4181[TOMEE-4181]
BCProv jar loses its signature during the patch process
 - link:https://issues.apache.org/jira/browse/TOMEE-4183[TOMEE-4183]
TomEE 9.0.0 is not creating service in Windows 10 incompatible software
 - link:https://issues.apache.org/jira/browse/TOMEE-4189[TOMEE-4189]
java.lang.ClassNotFoundException:
org.apache.openejb.loader.SystemInstance
 - link:https://issues.apache.org/jira/browse/TOMEE-4192[TOMEE-4192]
ApplicationComposers do not clear GC references on release
 - link:https://issues.apache.org/jira/browse/TOMEE-4174[TOMEE-4174]
Port TOMEE-3779 to 9.x
 - link:https://issues.apache.org/jira/browse/TOMEE-4199[TOMEE-4199]
jakartaee-api with tomcat classifier has too much in it
 - link:https://issues.apache.org/jira/browse/TOMEE-4112[TOMEE-4112]
Performance Regression in bean resolution in EAR files

== Improvement

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4200[TOMEE-4200]
Use ActiveMQ client jakarta instead of shading it in TomEE
 - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202]
Backport CVE fixes of Tomcat 10.1.x to 10.0.27

== Task

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4053[TOMEE-4053]
Dependency properties cleanup

== Documentation

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4186[TOMEE-4186]
Update download page for discontinued branches

== Wish

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4190[TOMEE-4190]
RunWithApplicationComposer should support inheritance

== Fixed Common Vulnerabilities and Exposures (CVEs)

[.compact]
 - link:https://issues.apache.org/jira/browse/TOMEE-4187[TOMEE-4187]
Commons FileUpload 1.5
 - link:https://issues.apache.org/jira/browse/TOMEE-4202[TOMEE-4202]
Backport CVE fixes of Tomcat 10.1.x to 10.0.27

###

Here is the dependency diff from 8.0.14 to 8.0.15 created with our
release tools:

artifactId   from  to   
--  
 jackson-annotations2.14.1   2.15.1 
 jackson-core   2.14.1   2.15.1 
 jackson-databind   2.14.1   2.15.1 
 jackson-dataformat-yaml2.14.1   2.15.1 
 mutiny 1.7.0 1.8.0 
 jandex 3.0.0 3.0.1 
 smallrye-fault-tolerance   6.0.0 6.2.2 
 smallrye-fault-tolerance-api   6.0.0 6.2.2 
 smallrye-fault-tolerance-au