Re: [PR] Backports the fixes contained in Tomcat 10.1.14 to TomEE 9.x (tomee)

2023-10-11 Thread via GitHub


rzo1 merged PR #1068:
URL: https://github.com/apache/tomee/pull/1068


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



Re: [PR] Backports the fixes contained in Tomcat 10.1.14 to TomEE 9.x (tomee)

2023-10-11 Thread via GitHub


rzo1 commented on PR #1068:
URL: https://github.com/apache/tomee/pull/1068#issuecomment-1758941949

   Build is ok (aside from the usual flaky tests)





Re: OWB4 branch - how to proceed with EE10 work?

2023-10-11 Thread Benedict Eisenkrämer
+1 for merging the PR, so as not to lose sight of what is working and
what is not.
I think it is a good idea to add the profile for it and fix the tests on 
main.


On 09.10.23 13:40, Richard Zowalla wrote:

I agree with you, Thomas ;-)

The initial problem is/was, that upgrading to EE-10 APIs has a lot of
cross dependencies. At least the full build is green, so it is only the
CDI TCK, which is currently failing.

If we add a profile for it (similar to johnzon), we can just continue
to work with smaller units.

Regards
Richard



On Monday, 09.10.2023 at 13:29 +0200, Thomas Andraschko wrote:

IMO we should really just merge the PR soon. It's too big to work on
something.
Then create some JIRA tasks for everything still open and close some
currently resolved ones.

I can have a look at the failing CDI tests then, but maybe Mark or
Romain has time. They have more knowledge :D

On Fri, 6 Oct 2023 at 10:19, Richard Zowalla wrote:


Thanks for your fast response, Thomas!

It compiled because I cherry-picked some changes from the previous
EE-10 branch in which the annotations were changed.

I just removed those tests.

Regards
Richard

On Friday, 06.10.2023 at 10:04 +0200, Thomas Andraschko wrote:

Hi Richard,

about JSF:
in theory it should not even compile; there is no "import
jakarta.faces.bean.ManagedBean" anymore.
You can just delete these 3 tests, as they test old JSF managed beans,
which were completely removed. We just reuse CDI now.

Best regards,
Thomas

On Fri, 6 Oct 2023 at 09:18, Richard Zowalla wrote:


I did some more work on the branch since this e-mail was sent.

To get a working build, I did

- (1) Upgrade a lot of dependencies to their newer counterpart (EE10 APIs,
Tomcat, OWB, Johnzon, BatchEE, ...)

- (2) Ignored / excluded examples with JAX-WS from the build (as CXF-4
can't handle it due to removals in Jakarta XML Binding)

- (3) Excluded some tests related to JAX-WS in the arquillian part of the
build for the same reason.

Currently, it now shows the actual status regarding the OWB-4 / CDI
upgrade. A PR is here: [1]

I noticed that it isn't as simple as upgrading step by step because you
tend to jump into an API/impl nightmare.
How do we want to go on from this point? The branch and changes are
already quite big.

Where help is very welcome:

- (i) There are some JSF-related arquillian tests failing:

   - org.apache.openejb.arquillian.tests.jms.JMSInjectionTest.testJMSInjection
   - org.apache.openejb.arquillian.tests.jsf.ejb.JSFInjectionTest.testEjbInjection
   - org.apache.openejb.arquillian.tests.jsf.resource.JSFResourceInjectionTest.validResourceInjection

   Maybe Thomas can have a look here (or any other JSF expert ;-) ). I am
asking, because he did the Faces 4 integration changes in a PR.

- (ii) Somebody who has a (quick) look at the failing CDI tests. I don't
know if these tests are expected to fail as we didn't impl something or if
it is just a setup thing.

What do you think about:

- Adding a profile for the CDI-TCK, so it doesn't necessarily break the
build? That would be an option to get the current code to main and start to
work on integrating the TCKs?

Any other thoughts?

Regards
Richard

[1] https://github.com/apache/tomee/pull/1066

On 2023/10/03 05:18:26 Richard Zowalla wrote:

Hi all,

in the last few days I was trying to integrate the latest OWB 4 release
within TomEE 10 (main). This included upgrading our APIs to match EE10
and fixing all the little runtime / compile issues. The actual work is
done in my fork [3].

Long story short:

- A current full build is here: [1]

- There are a bunch of failing tests in the (new) CDI TCK. Might be
actual issues with our impl or setup problems. Didn't look into it yet
(might be better if someone with more CDI knowledge than me has a look),
because I want to clarify how we want to proceed first.

- The jaxws-related examples / arquillian are failing because of the
removal of jakarta.xml.bind.Validator in EE10 [2]. CXF4 isn't EE10 yet, so
this is an expected limitation.

- Some arquillian tests seem to fail due to JSP updates. Didn't check
further yet for the reason above.

- There are some other tests and examples failing because of the owb /
ee10 upgrade, which might need additional eyes.

I am now wondering how we want to proceed with EE10 / main branch?

My branch [3] to go to OWB4 already contains a lot of changes
(sometimes derived from the bigger branch with commits from Jean-Louis,
Jon and Thomas from a few months ago).

If we move on like that, it will just become a huge burden or even
impossible to review.

Any thoughts on how we want to proceed with the EE10-work?

Regards
Richard

[1] https://ci-builds.apache.org/job/Tomee/job/pull-request-manual/37/
[2] https://jakarta.ee/specifications/xml-binding/4.0/
[3] https://github.com/rzo1/tomee/tree/owb4







Re: 8.0.16 release

2023-10-11 Thread Jamie Johnson
Looks right to me as well. Thanks Richard!

On Wed, Oct 11, 2023 at 12:45 PM Richard Zowalla 
wrote:

> I think we are running into
> https://bz.apache.org/bugzilla/show_bug.cgi?id=67664
>
> This requires 9.0.82 to become available.
>
> They are already voting:
>  https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j
>
> After 9.0.82 becomes available, we are most likely in a good shape to
> start a release
>
> Regards
> Richard

Re: 8.0.16 release

2023-10-11 Thread Richard Zowalla
I think we are running into https://bz.apache.org/bugzilla/show_bug.cgi?id=67664

This requires 9.0.82 to become available.

They are already voting:
 https://lists.apache.org/thread/qro48x3xnvhvvxxv3hwnqnnsrrry773j

After 9.0.82 becomes available, we are most likely in a good shape to start a 
release

Regards
Richard

On 11 October 2023 18:14:09 CEST Richard Zowalla wrote:
>It seems the Tomcat upgrade breaks some connection pool related tests.
>
>I guess we need to check our integration code to fix it: 
>https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/
>
>So if anyone wants to dig, feel free.

Re: 8.0.16 release

2023-10-11 Thread Richard Zowalla
It seems the Tomcat upgrade breaks some connection pool related tests.

I guess we need to check our integration code to fix it: 
https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/testReport/

So if anyone wants to dig, feel free.

 

On 11 October 2023 16:56:27 CEST Jamie Johnson wrote:
>There are other vulnerabilities (pulled from https://osv.dev/) that can be
>addressed, but need to be reviewed.  The format below is dependency
>current_version (fix_version).
>
>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13)
>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj
>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5)
>
>xalan:xalan 2.7.2 (2.7.3)
>GHSA-9339-86wc-4qgf (2.7.3)
>
>org.apache.commons:commons-compress 1.14 (>=1.24.0)
>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx
>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh
>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0)
>
>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217)
>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c
>(9.4.51.v20230217)
>
>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53)
>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53)
>
>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53)
>GHSA-3gh6-v5v9-6v9j (9.4.53)
>
>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0)
>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq
>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0)
>
>com.google.code.gson:gson 2.2.4 (2.8.9)
>GHSA-4jrv-ppp4-jm57 (2.8.9)
>
>org.webjars:handlebars 1.2.1 (4.7.7)
>GHSA-f2jv-r9rf-7988 (4.7.7)
>
>org.apache.ivy:ivy 2.3.0 (>= 2.5.2)
>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2)

Re: 8.0.16 release

2023-10-11 Thread Jamie Johnson
Looking in the distribution I don't see any of these jars then. Do you
agree?

On Wed, Oct 11, 2023 at 11:11 AM Richard Zowalla 
wrote:

> Some of these dependencies aren't shipped with the TomEE distribution.
> Best way to check is to actually look through /lib

Re: 8.0.16 release

2023-10-11 Thread Richard Zowalla
Some of these dependencies aren't shipped with the TomEE distribution. Best way 
to check is to actually look through /lib 



On 11 October 2023 16:56:27 CEST Jamie Johnson wrote:
>There are other vulnerabilities (pulled from https://osv.dev/) that can be
>addressed, but need to be reviewed.  The format below is dependency
>current_version (fix_version).
>
>org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13)
>GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj
>(4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5)
>
>xalan:xalan 2.7.2 (2.7.3)
>GHSA-9339-86wc-4qgf (2.7.3)
>
>org.apache.commons:commons-compress 1.14 (>=1.24.0)
>GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx
>(1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh
>(1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0)
>
>org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217)
>GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c
>(9.4.51.v20230217)
>
>org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>=9.4.53)
>GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53)
>
>org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53)
>GHSA-3gh6-v5v9-6v9j (9.4.53)
>
>org.apache.sshd:sshd-core 2.1.0 (>=2.10.0)
>GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq
>(2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0)
>
>com.google.code.gson:gson 2.2.4 (2.8.9)
>GHSA-4jrv-ppp4-jm57 (2.8.9)
>
>org.webjars:handlebars 1.2.1 (4.7.7)
>GHSA-f2jv-r9rf-7988 (4.7.7)
>
>org.apache.ivy:ivy 2.3.0 (>= 2.5.2)
>GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2)
>
>
>On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson  wrote:
>
>> How deep down the rabbit hole should the dependency checks normally go?
>> Looks like the big ones I was tracking with security updates were done.
>>
>> johnzon 1.2.21
>> tomcat 9.0.81
>> bouncy castle 1.76
>>
>> Still poking around a bit but there’s obviously a lot.
>>
>> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla  wrote:
>>
>>> In theory, every committer can act as release manager.
>>>
>>> There are some steps in the process which require PMC karma, though
>>> (such as adding a key to the KEYS file, moving stuff to the release area
>>> on SVN, starting the VOTE, etc.).
>>>
>>> The process is documented here: [1]
>>>
>>> That being said:
>>>
>>> I am currently planning to start the release process for TomEE 9.1.1
>>> within this week. Due to the Tomcat security issues released yesterday,
>>> we need to do some backporting, which will consume additional time. (It
>>> just interrupted my preparations, so it needs additional CI / TCK
>>> cycles)
>>>
>>> A release usually consumes around 1-3 hours of work. Mostly because you
>>> have to wait for stuff being built or to run some basic sanity checks
>>> before starting and to not forget any step.
>>>
>>> What would really help for a TomEE 8.0.16 is to carefully re-check the
>>> current dependencies for important 3rd party dependencies (and update
>>> if needed. Note: Each update or bunch of updates shouldn't break the
>>> build. A full build on CI takes around 4-8 hours) on that branch, build
>>> it locally and conduct some sanity checks (for example: same lib in
>>> different versions in /lib -> check and fix) with the created
>>> tar.gz/zip files.
>>>
>>> This is one of the steps, which usually consumes a lot of time. If you
>>> want to give it a try, I am happy to help out for the steps which
>>> require PMC involvement. Otherwise, I might find some time in the next
>>> week to start a release of 8.0.16 - just let me know and I can plan my
>>> time accordingly ;-)
>>>
>>> Regards
>>> Richard
>>>
>>>
>>>
>>>
>>> [1] https://tomee.apache.org/dev/release-tomee.html
>>>
>>>
>>> On Tuesday, 10.10.2023 at 17:56 -0500, Jonathan S. Fisher wrote:
>>> > Jean-Louis, are there directions anywhere? Not promising anything :)
>>> >
>>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
>>> >  wrote:
>>> > >
>>> > > Whoever is a committer can do it.
>>> > >
>>> > > I was just trying to give you an honest reply regarding my
>>> > > availabilities
>>> > > and give visibility to the rest of the community and the other
>>> > > committers
>>> > > at the same time.
>>> > >
>>> > > Hope it helps.
>>> > >
>>> > >
>>> > > On Tue, 10 Oct 2023, 23:27, Jamie Johnson wrote:
>>> > >
>>> > > > I’m not sure what that entails or who would go about doing it. Is
>>> > > > it a
>>> > > > community or contributor driven thing?
>>> > > >
>>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
>>> > > > jlmonte...@tomitribe.com> wrote:
>>> > > >
>>> > > > > I think most of the energy is currently on TomEE 9 and the new
>>> > > > > TomEE 10.
>>> > > > > I've also noticed some Tomcat CVE today if I remember
>>> > > > > correctly.
>>> > > > >
>>> > > > > I'm all hands on TomEE 10 currently because we need to fill the
>>> > > > > feature
>>> > > > > gaps on all implementations. So speaking about myself, not sure
>>> > > > > I can
>>> > > > > trigger a 
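
The two checks Richard describes above (look through /lib to see which of the osv.dev-listed dependencies actually ship in the distribution, and catch the same library present in /lib in two different versions) can be scripted. The following is an added example, not TomEE project code. It keys the advisory table from Jamie's list by Maven artifactId only, because a jar file name carries no groupId; the /lib listing it runs on is a constructed sample, not a real TomEE distribution, and the version comparison is a plain numeric-then-string ordering, not Maven's full ComparableVersion.

```python
"""Added example (not TomEE project code): audit a TomEE-style lib/ directory.

Two checks from the thread: (a) which advisory-listed artifacts are actually
shipped in lib/, and whether the shipped version is below the fixed version,
and (b) whether the same library appears twice in different versions.
Matching is by Maven artifactId only, since jar file names do not carry the
groupId; confirm hits against META-INF/maven/*/*/pom.properties in the jar.
"""
import re
from collections import defaultdict

# Advisory table as posted in the thread (osv.dev), keyed by artifactId;
# value = lowest version that closes all listed advisories for that artifact.
ADVISORIES = {
    "httpclient": "4.5.13",
    "xalan": "2.7.3",
    "commons-compress": "1.24.0",
    "jetty-server": "9.4.51.v20230217",
    "jetty-http": "9.4.53",
    "jetty-servlets": "9.4.53",
    "sshd-core": "2.10.0",
    "gson": "2.8.9",
    "handlebars": "4.7.7",
    "ivy": "2.5.2",
}

# Constructed sample listing of lib/ for the demo; NOT a real distribution.
SAMPLE_LIB = [
    "commons-compress-1.14.jar",
    "commons-compress-1.24.0.jar",   # same lib twice -> must be fixed
    "xalan-2.7.2.jar",
    "johnzon-core-1.2.21.jar",
    "tomcat-catalina-9.0.81.jar",
    "bcprov-jdk18on-1.76.jar",
    "jetty-server-9.4.49.v20220914.jar",
    "openwebbeans-impl-2.0.27.jar",
]

# artifactId is everything before the first "-<digit>"; the version is the rest.
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d.*)\.jar$")


def parse_jar(name):
    """Return (artifactId, version) or None if the name is not <id>-<ver>.jar."""
    m = JAR_RE.match(name)
    return (m.group("artifact"), m.group("version")) if m else None


def version_key(version):
    """Sort key for Maven-style versions: numeric parts compare as integers,
    non-numeric parts (e.g. Jetty's 'v20230217') compare as strings and sort
    after any integer. A shorter version ('1.24') sorts before '1.24.0'."""
    key = []
    for part in re.split(r"[.\-]", version):
        key.append((0, int(part), "") if part.isdigit() else (1, 0, part))
    return tuple(key)


def shipped_versions(listing):
    """Map artifactId -> set of versions present in the listing."""
    found = defaultdict(set)
    for name in listing:
        parsed = parse_jar(name)
        if parsed:
            found[parsed[0]].add(parsed[1])
    return found


def duplicate_artifacts(listing):
    """Artifacts shipped in more than one version (the /lib sanity check)."""
    return {artifact: sorted(versions, key=version_key)
            for artifact, versions in shipped_versions(listing).items()
            if len(versions) > 1}


def vulnerable_jars(listing, advisories=ADVISORIES):
    """(artifactId, shipped_version, fixed_version) for shipped jars below the fix."""
    hits = []
    for artifact, versions in shipped_versions(listing).items():
        fixed = advisories.get(artifact)
        if fixed is None:
            continue
        for version in sorted(versions, key=version_key):
            if version_key(version) < version_key(fixed):
                hits.append((artifact, version, fixed))
    return hits


def unshipped_advisories(listing, advisories=ADVISORIES):
    """Advisory entries that match no jar in lib/ at all (nothing to do)."""
    present = shipped_versions(listing)
    return sorted(a for a in advisories if a not in present)


if __name__ == "__main__":
    for artifact, versions in duplicate_artifacts(SAMPLE_LIB).items():
        print(f"DUPLICATE  {artifact}: {', '.join(versions)}")
    for artifact, version, fixed in vulnerable_jars(SAMPLE_LIB):
        print(f"VULNERABLE {artifact}-{version} (fixed in {fixed})")
    print("not shipped:", ", ".join(unshipped_advisories(SAMPLE_LIB)))
```

To run it against a real unpacked tar.gz/zip, replace SAMPLE_LIB with `os.listdir("apache-tomee-.../lib")`. A jar that is shaded or renamed will not match by file name, so a clean result here is a first pass, not a proof of absence; the pom.properties inside each jar is the authoritative coordinate.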

Re: 8.0.16 release

2023-10-11 Thread Jamie Johnson
There are other vulnerabilities (pulled from https://osv.dev/) that can be
addressed, but need to be reviewed.  The format below is dependency
current_version (fix_version).

org.apache.httpcomponents:httpclient 4.2.2 (>= 4.5.13)
GHSA-2x83-r56g-cv47 (4.2.3), GHSA-7r82-7xv7-xcpj (4.5.13), GHSA-fmj5-wv96-r2ch (4.3.6), GHSA-cfh5-3ghh-wfjx (4.3.5)

xalan:xalan 2.7.2 (2.7.3)
GHSA-9339-86wc-4qgf (2.7.3)

org.apache.commons:commons-compress 1.14 (>= 1.24.0)
GHSA-hrmr-f5m6-m9pq (1.18), GHSA-xqfj-vm6h-2x34 (1.22), GHSA-h436-432x-8fvx (1.16), GHSA-crv7-7245-f45f (1.21), GHSA-mc84-pj99-q6hh (1.21), GHSA-7hfm-57qf-j43q (1.21), GHSA-cgwf-w82q-5jrr (1.24.0)

org.eclipse.jetty:jetty-server 9.4.49.v20220914 (9.4.51.v20230217)
GHSA-qw69-rqj8-6qw8 (9.4.51.v20230217), GHSA-p26g-97m4-6q7c (9.4.51.v20230217)

org.eclipse.jetty:jetty-http 9.4.49.v20220914 (>= 9.4.53)
GHSA-hmr7-m48g-48f6 (9.4.52), GHSA-wgh7-54f2-x98r (9.4.53)

org.eclipse.jetty:jetty-servlets 9.4.49.v20220914 (9.4.53)
GHSA-3gh6-v5v9-6v9j (9.4.53)

org.apache.sshd:sshd-core 2.1.0 (>= 2.10.0)
GHSA-9279-7hph-r3xw (2.7.0), GHSA-fhw8-8j55-vwgq (2.9.2), GHSA-mjmq-gwgm-5qhm (2.10.0)

com.google.code.gson:gson 2.2.4 (2.8.9)
GHSA-4jrv-ppp4-jm57 (2.8.9)

org.webjars:handlebars 1.2.1 (4.7.7)
GHSA-f2jv-r9rf-7988 (4.7.7)

org.apache.ivy:ivy 2.3.0 (>= 2.5.2)
GHSA-wv7w-rj2x-556x (2.5.1), GHSA-2jc4-r94c-rp7h (2.5.2)


On Wed, Oct 11, 2023 at 6:49 AM Jamie Johnson  wrote:

> How deep down the rabbit hole should the dependency checks normally go?
> Looks like the big ones I was tracking with security updates were done.
>
> johnzon 1.2.21
> tomcat 9.0.81
> bouncy castle 1.76
>
> Still poking around a bit but there’s obviously a lot.
>
> On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla  wrote:
>
>> In theory, every committer can act as release manager.
>>
>> There are some steps in the process which require PMC karma, though
>> (such as adding a key to the KEYS file, moving stuff to the release area
>> on SVN, starting the VOTE, etc.).
>>
>> The process is documented here: [1]
>>
>> That being said:
>>
>> I am currently planning to start the release process for TomEE 9.1.1
>> within this week. Due to the Tomcat security issues released yesterday,
>> we need to do some backporting, which will consume additional time. (It
>> just interrupted my preparations, so it needs additional CI / TCK
>> cycles)
>>
>> A release usually consumes around 1-3 hours of work. Mostly because you
>> have to wait for stuff being built or to run some basic sanity checks
>> before starting and to not forget any step.
>>
>> What would really help for a TomEE 8.0.16 is to carefully re-check the
>> current dependencies for important 3rd party dependencies (and update
>> if needed. Note: Each update or bunch of updates shouldn't break the
>> build. A full build on CI takes around 4-8 hours) on that branch, build
>> it locally and conduct some sanity checks (for example: same lib in
>> different versions in /lib -> check and fix) with the created
>> tar.gz/zip files.
>>
>> This is one of the steps, which usually consumes a lot of time. If you
>> want to give it a try, I am happy to help out for the steps which
>> require PMC involvement. Otherwise, I might find some time in the next
>> week to start a release of 8.0.16 - just let me know and I can plan my
>> time accordingly ;-)
>>
>> Gruß
>> Richard
>>
>>
>>
>>
>> [1] https://tomee.apache.org/dev/release-tomee.html
>>
>>
>> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher:
>> > Jean-Louis, are there directions anywhere? Not promising anything :)
>> >
>> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
>> >  wrote:
>> > >
>> > > Whoever is a committer can do it.
>> > >
>> > > I was just trying to give you an honest reply regarding my
>> > > availabilities
>> > > and give visibility to the rest of the community and the other
>> > > committers
>> > > at the same time.
>> > >
>> > > Hope it helps.
>> > >
>> > >
>> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson  a
>> > > écrit :
>> > >
>> > > > I’m not sure what that entails or who would go about doing it. Is
>> > > > it a
>> > > > community or contributor driven thing?
>> > > >
>> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
>> > > > jlmonte...@tomitribe.com> wrote:
>> > > >
>> > > > > I think most of the energy is currently on TomEE 9 and the new
>> > > > > TomEE 10.
>> > > > > I've also noticed some Tomcat CVE today if I remember
>> > > > > correctly.
>> > > > >
>> > > > > I'm all hands on TomEE 10 currently because we need to fill the
>> > > > > feature
>> > > > > gaps on all implementations. So speaking about myself, not sure
>> > > > > I can
>> > > > > trigger a build and deliver the whole process in the next
>> > > > > couple of days
>> > > > or
>> > > > > weeks.
>> > > > >
>> > > > > If someone can do it, I'm happy to review, test and vote on the
>> > > > > release.
>> > > > > --
>> > > > > Jean-Louis Monteiro
>> > > > > http://twitter.com/jlouismonteiro
>> > > > > 

Re: 8.0.16 release

2023-10-11 Thread Jamie Johnson
How deep down the rabbit hole should the dependency checks normally go?
Looks like the big ones I was tracking with security updates were done.

johnzon 1.2.21
tomcat 9.0.81
bouncy castle 1.76

Still poking around a bit but there’s obviously a lot.

On Wed, Oct 11, 2023 at 2:09 AM Richard Zowalla  wrote:

> In theory, every committer can act as release manager.
>
> There are some steps in the process which require PMC karma, though
> (such as adding a key to the KEYS file, moving stuff to the release area
> on SVN, starting the VOTE, etc.).
>
> The process is documented here: [1]
>
> That being said:
>
> I am currently planning to start the release process for TomEE 9.1.1
> within this week. Due to the Tomcat security issues released yesterday,
> we need to do some backporting, which will consume additional time. (It
> just interrupted my preparations, so it needs additional CI / TCK
> cycles)
>
> A release usually consumes around 1-3 hours of work. Mostly because you
> have to wait for stuff being built or to run some basic sanity checks
> before starting and to not forget any step.
>
> What would really help for a TomEE 8.0.16 is to carefully re-check the
> current dependencies for important 3rd party dependencies (and update
> if needed. Note: Each update or bunch of updates shouldn't break the
> build. A full build on CI takes around 4-8 hours) on that branch, build
> it locally and conduct some sanity checks (for example: same lib in
> different versions in /lib -> check and fix) with the created
> tar.gz/zip files.
>
> This is one of the steps, which usually consumes a lot of time. If you
> want to give it a try, I am happy to help out for the steps which
> require PMC involvement. Otherwise, I might find some time in the next
> week to start a release of 8.0.16 - just let me know and I can plan my
> time accordingly ;-)
>
> Gruß
> Richard
>
>
>
>
> [1] https://tomee.apache.org/dev/release-tomee.html
>
>
> Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher:
> > Jean-Louis, are there directions anywhere? Not promising anything :)
> >
> > On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
> >  wrote:
> > >
> > > Whoever is a committer can do it.
> > >
> > > I was just trying to give you an honest reply regarding my
> > > availabilities
> > > and give visibility to the rest of the community and the other
> > > committers
> > > at the same time.
> > >
> > > Hope it helps.
> > >
> > >
> > > Le mar. 10 oct. 2023, 23:27, Jamie Johnson  a
> > > écrit :
> > >
> > > > I’m not sure what that entails or who would go about doing it. Is
> > > > it a
> > > > community or contributor driven thing?
> > > >
> > > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
> > > > jlmonte...@tomitribe.com> wrote:
> > > >
> > > > > I think most of the energy is currently on TomEE 9 and the new
> > > > > TomEE 10.
> > > > > I've also noticed some Tomcat CVE today if I remember
> > > > > correctly.
> > > > >
> > > > > I'm all hands on TomEE 10 currently because we need to fill the
> > > > > feature
> > > > > gaps on all implementations. So speaking about myself, not sure
> > > > > I can
> > > > > trigger a build and deliver the whole process in the next
> > > > > couple of days
> > > > or
> > > > > weeks.
> > > > >
> > > > > If someone can do it, I'm happy to review, test and vote on the
> > > > > release.
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > > >
> > > > >
> > > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
> > > > >  wrote:
> > > > >
> > > > > > Is there a timeline for the release of 8.0.16?  There are a
> > > > > > few
> > > > security
> > > > > > issues associated with johnzon that we’d like to leverage
> > > > > > while we
> > > > > migrate
> > > > > > to a newer version of TomEE.
> > > > > >
> > > > >
> > > >
> >
> >
> >
>
>


Re: [PR] Regenerated BOMs after dependency upgrades (tomee)

2023-10-11 Thread via GitHub


rzo1 merged PR #1067:
URL: https://github.com/apache/tomee/pull/1067





[PR] Regenerated BOMs after dependency upgrades (tomee)

2023-10-11 Thread via GitHub


github-actions[bot] opened a new pull request, #1067:
URL: https://github.com/apache/tomee/pull/1067

   Found some uncommitted changes (from BOM regeneration) after running build on
TomEE 8.x branch





Re: 8.0.16 release

2023-10-11 Thread Richard Zowalla
In theory, every committer can act as release manager.

There are some steps in the process which require PMC karma, though
(such as adding a key to the KEYS file, moving stuff to the release area
on SVN, starting the VOTE, etc.).

The process is documented here: [1]

That being said:

I am currently planning to start the release process for TomEE 9.1.1
within this week. Due to the Tomcat security issues released yesterday,
we need to do some backporting, which will consume additional time. (It
just interrupted my preparations, so it needs additional CI / TCK
cycles)

A release usually consumes around 1-3 hours of work. Mostly because you
have to wait for stuff being built or to run some basic sanity checks
before starting and to not forget any step.

What would really help for a TomEE 8.0.16 is to carefully re-check the
current dependencies for important 3rd party dependencies (and update
if needed. Note: Each update or bunch of updates shouldn't break the
build. A full build on CI takes around 4-8 hours) on that branch, build
it locally and conduct some sanity checks (for example: same lib in
different versions in /lib -> check and fix) with the created
tar.gz/zip files. 

This is one of the steps, which usually consumes a lot of time. If you
want to give it a try, I am happy to help out for the steps which
require PMC involvement. Otherwise, I might find some time in the next
week to start a release of 8.0.16 - just let me know and I can plan my
time accordingly ;-)

Gruß
Richard




[1] https://tomee.apache.org/dev/release-tomee.html


Am Dienstag, dem 10.10.2023 um 17:56 -0500 schrieb Jonathan S. Fisher:
> Jean-Louis, are there directions anywhere? Not promising anything :)
> 
> On Tue, Oct 10, 2023 at 5:22 PM Jean-Louis Monteiro
>  wrote:
> > 
> > Whoever is a committer can do it.
> > 
> > I was just trying to give you an honest reply regarding my
> > availabilities
> > and give visibility to the rest of the community and the other
> > committers
> > at the same time.
> > 
> > Hope it helps.
> > 
> > 
> > Le mar. 10 oct. 2023, 23:27, Jamie Johnson  a
> > écrit :
> > 
> > > I’m not sure what that entails or who would go about doing it. Is
> > > it a
> > > community or contributor driven thing?
> > > 
> > > On Tue, Oct 10, 2023 at 3:25 PM Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > > 
> > > > I think most of the energy is currently on TomEE 9 and the new
> > > > TomEE 10.
> > > > I've also noticed some Tomcat CVE today if I remember
> > > > correctly.
> > > > 
> > > > I'm all hands on TomEE 10 currently because we need to fill the
> > > > feature
> > > > gaps on all implementations. So speaking about myself, not sure
> > > > I can
> > > > trigger a build and deliver the whole process in the next
> > > > couple of days
> > > or
> > > > weeks.
> > > > 
> > > > If someone can do it, I'm happy to review, test and vote on the
> > > > release.
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > > 
> > > > 
> > > > On Tue, Oct 10, 2023 at 5:48 PM Jamie Johnson
> > > >  wrote:
> > > > 
> > > > > Is there a timeline for the release of 8.0.16?  There are a
> > > > > few
> > > security
> > > > > issues associated with johnzon that we’d like to leverage
> > > > > while we
> > > > migrate
> > > > > to a newer version of TomEE.
> > > > > 
> > > > 
> > > 
> 
> 
> 



signature.asc
Description: This is a digitally signed message part
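The "/lib sanity check" Richard describes (the same library present in different versions in the unpacked tar.gz/zip), as an added example that is not part of this thread or of the TomEE project's own release tooling: a small Python script that parses jar file names into artifact and version and reports artifacts shipped in more than one version. The jar-name pattern and the sample directory listing are assumptions constructed for this example.

```python
import os
import re
from collections import defaultdict

# Assumed naming convention: "<artifact>-<version>.jar", where the version starts
# with "major.minor" and may carry a qualifier, e.g.
# "jetty-server-9.4.49.v20220914.jar" -> ("jetty-server", "9.4.49.v20220914").
JAR_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d+\.\d+[0-9A-Za-z.\-]*)\.jar$")


def parse_jar(filename):
    """Return (artifact, version) for a versioned jar name, or None otherwise."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group("name"), m.group("version")


def find_duplicate_libs(filenames):
    """Map artifact -> sorted list of versions, for artifacts seen in >1 version."""
    versions = defaultdict(set)
    for f in filenames:
        parsed = parse_jar(f)
        if parsed:
            name, ver = parsed
            versions[name].add(ver)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def scan_lib_dir(path):
    """Run the duplicate check over a real lib/ directory of an unpacked distribution."""
    return find_duplicate_libs(os.listdir(path))


# Constructed sample listing of a lib/ directory (not a real TomEE distribution).
SAMPLE_LIB = [
    "johnzon-core-1.2.21.jar",
    "commons-compress-1.14.jar",
    "commons-compress-1.24.0.jar",          # two versions: should be reported
    "jetty-server-9.4.49.v20220914.jar",
    "jetty-server-9.4.51.v20230217.jar",    # two versions: should be reported
    "xalan-2.7.2.jar",
    "tomcat-websocket-9.0.81.jar",
    "README.txt",                           # not a jar: ignored
]

if __name__ == "__main__":
    for name, vers in sorted(find_duplicate_libs(SAMPLE_LIB).items()):
        print(f"{name}: {', '.join(vers)}")
```

Point `scan_lib_dir` at the `lib` directory of the unpacked archive; an empty result means no artifact is present twice under different versions.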