Re: 8.0.16 release
Thanks to you and Richard for helping me stumble through. I'm stuck at this step:

~/opensource/tomee-release-tools$ ./target/release release-notes generate 8.0.16
No jira accounts configured. Run `account add` to configure a jira account
~/opensource/tomee-release-tools$ ./target/release account
Unknown command: account a, what do I do
Re: 8.0.16 release
Upload to here: https://dist.apache.org/repos/dist/dev/tomee/ - this is where we'll all be getting the artifacts to vote on. If you're using the release tools, you'll be on this step: "Deploy Source and Distributions to dist/dev".

Thanks for all your work on this.

Jon
Re: 8.0.16 release
Ok repository is uploaded and closed:

https://repository.apache.org/content/repositories/orgapachetomee-1222/org/apache/tomee/apache-tomee/8.0.16/

What's next? The directions say to upload but that seems a bit premature before calling for a vote or what not... sorry I'm new here!
https://tomee.apache.org/dev/release-tomee.html
Re: 8.0.16 release
Thanks Jonathan. If it helps, the changeset from 5.17.5 to 5.17.6 isn't massive: https://github.com/apache/activemq/commits/activemq-5.17.x.

Jon
Re: [PR] Regenerated BOMs after dependency upgrades (tomee)
jgallimore merged PR #1077:
URL: https://github.com/apache/tomee/pull/1077

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomee.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[PR] Regenerated BOMs after dependency upgrades (tomee)
github-actions[bot] opened a new pull request, #1077:
URL: https://github.com/apache/tomee/pull/1077

Found some uncommitted changes (from BOM regeneration) after running build on TomEE main
Re: 8.0.16 release
ope, it's in there now. Just popped up and I merged.

ActiveMQ merges make me a bit nervous :) I'll go ahead release:perform but stop again before closing the repository.

I'll try running this too with some of our bigger apps and see if I can find anything wrong.
Re: 8.0.16 release
Those should be there for 8.0.x, 9.1.x and 10.0.x (I think you merged the PR for 8.0.x yourself :-) )

Jon

On Fri, Oct 27, 2023 at 9:56 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:

> It should be done by the build, but I can do that and push it as well.
>
> Jon
>
> On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher wrote:
>
>> Thanks, do we need to do the bom thing?
>>
>> On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore wrote:
>> >
>> > Done:
>> > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26
>> >
>> > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore <jonathan.gallim...@gmail.com> wrote:
>> >
>> > > Thanks. That commit is incoming in about 1 minute.
>> > >
>> > > Jon
>> > >
>> > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher <exabr...@gmail.com> wrote:
>> > >
>> > >> No problemo. I'll cancel, do the pr two step, and rebuild
>> > >>
>> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore wrote:
>> > >> >
>> > >> > I was about to ask the same. Happy to push the update to the branch before
>> > >> > a release is kicked off.
>> > >> >
>> > >> > Jon
>> > >> >
>> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, wrote:
>> > >> >
>> > >> > > Hi
>> > >> > >
>> > >> > > Before it's too late, can 8.0.16 release include (if not already done)
>> > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which
>> > >> > > has High 8.8 score by
>> > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling
>> > >> > > remote code execution?
>> > >> > >
>> > >> > > As a reminder, ActiveMQ is embedded in TomEE+.
>> > >> > >
>> > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and
>> > >> > > according to
>> > >> > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
>> > >> > > we need at least 5.16.7
>> > >> > >
>> > >> > > I hope this dependency update can make it in 8.0.16 before it's
>> > >> > > released (or maybe it's already in the about-to-be voted 8.0.16?)
>> > >> > >
>> > >> > > Thanks,
>> > >> > > Alex
>> > >> > >
>> > >> > > On Fri, Oct 27, 2023 at 18:15, Jonathan S. Fisher <exabr...@gmail.com> wrote:
>> > >> > > >
>> > >> > > > Alright, I have the build completed, signed, and uploaded to the
>> > >> > > > Nexus staging repository: orgapachetomee-1221
>> > >> > > >
>> > >> > > > What's next? I'm a little apprehensive to close out the staging repo
>> > >> > > > for fear of prematurely publishing a release...
>> > >> > > >
>> > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher <exabr...@gmail.com> wrote:
>> > >> > > > >
>> > >> > > > > I got another good build locally and CI is happy too. I'm going to
>> > >> > > > > stage the release!
>> > >> > > > >
>> > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher <exabr...@gmail.com> wrote:
>> > >> > > > > >
>> > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI
>> > >> > > > > >
>> > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson <jej2...@gmail.com> wrote:
>> > >> > > > > > >
>> > >> > > > > > > Should this be included?
>> > >> > > > > > >
>> > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to
>> > >> > > > > > > mitigate CVE-2023-4448
>> > >> > > > > > >
>> > >> > > > > > > Not sure how to find the others without going through commit history.
>> > >> > > > > > >
>> > >> > > > > > > Jamie
>> > >> > > > > > >
>> > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher <exabr...@gmail.com> wrote:
>> > >> > > > > > >
>> > >> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone
>> > >> > > > > > > > else is aware of anything else I can upgrade before release, please
>> > >> > > > > > > > speak up :)
>> > >> > > > > > > >
>> > >> > > > > > > > Also good news: for whatever reason, I'm able to build
>> > >> > > > > > > > tomee-release-tools now. The atlassian maven repository hit me with a
>> > >> > > > > > > > rate limit briefly but it seems to have lifted.
>> > >> > > > > > > >
>> > >> > > > > > > > I have three questions at this point in time:
>> > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for CVEs?
>> > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are present but
>> > >> > > > > > > > don't apply to us)
>> > >> > > > > > > > 3. I ran a build locally and got two test failures. Looks like CI did
>> > >> > > > > > > > too:
>> > >> > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/
>> > >> > > > > > > >
>> > >> > > > > > > > I
Re: [PR] Regenerated BOMs after dependency upgrades (tomee)
jgallimore merged PR #1076:
URL: https://github.com/apache/tomee/pull/1076
[PR] Regenerated BOMs after dependency upgrades (tomee)
github-actions[bot] opened a new pull request, #1076:
URL: https://github.com/apache/tomee/pull/1076

Found some uncommitted changes (from BOM regeneration) after running build on TomEE 9.x branch
Re: 8.0.16 release
It should be done by the build, but I can do that and push it as well. Jon On Fri, Oct 27, 2023 at 9:55 PM Jonathan S. Fisher wrote: > Thanks, do we need to do the bom thing? > > On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore > wrote: > > > > Done: > > > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > > jonathan.gallim...@gmail.com> wrote: > > > > > Thanks. That commit is incoming in about 1 minute. > > > > > > Jon > > > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > > > > wrote: > > > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > > >> > > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > > >> wrote: > > >> > > > >> > I was about to ask the same. Happy to push the update to the branch > > >> before > > >> > a release is kicked off. > > >> > > > >> > Jon > > >> > > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > > >> wrote: > > >> > > > >> > > Hi > > >> > > > > >> > > Before it's too late, can 8.0.16 release include (if not already > done) > > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 > (which > > >> > > has High 8.8 score by > > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's > enabling > > >> > > remote code execution ? > > >> > > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > > >> > > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, > and > > >> > > according to > > >> > > > > >> > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > >> > > , > > >> > > we need at least 5.16.7 > > >> > > > > >> > > I hope this dependency update can make it in 8.0.16 before it's > > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > >> > > > > >> > > Thanks, > > >> > > Alex > > >> > > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. 
Fisher < > exabr...@gmail.com> > > >> a > > >> > > écrit : > > >> > > > > > >> > > > Alright, I have the build completed, signed, and uploaded the > the > > >> > > > Nexus staging repository: orgapachetomee-1221 > > >> > > > > > >> > > > What's next? I'm a little apprehensive to close out the staging > repo > > >> > > > for fear of prematurely publishing a release... > > >> > > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > > >> exabr...@gmail.com> > > >> > > wrote: > > >> > > > > > > >> > > > > I got another good build locally and CI is happy too. I'm > going to > > >> > > > > stage the release! > > >> > > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > > >> exabr...@gmail.com> > > >> > > wrote: > > >> > > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > >> > > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > > >> jej2...@gmail.com> > > >> > > wrote: > > >> > > > > > > > > >> > > > > > > Should this be included? > > >> > > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > > >> (xmlsec) to > > >> > > > > > > mitigate CVE-2023-4448 > > >> > > > > > > > > >> > > > > > > Not sure how to find the others without going through > commit > > >> > > history. > > >> > > > > > > > > >> > > > > > > Jamie > > >> > > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > >> > > exabr...@gmail.com> > > >> > > > > > > wrote: > > >> > > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to > myself. If > > >> > > anyone > > >> > > > > > > > else is aware of anything else I can upgrade before > release, > > >> > > please > > >> > > > > > > > speak up :) > > >> > > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build > > >> > > > > > > > tomee-release-tools now. 
The atlassian maven repository > hit > > >> me > > >> > > with a > > >> > > > > > > > rate limit briefly but it seems to have lifted. > > >> > > > > > > > > > >> > > > > > > > I have three questions at this point in time: > > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before > release for > > >> > > CVE's? > > >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > > >> present but > > >> > > > > > > > don't apply to us) > > >> > > > > > > > 3. I ran a build locally and got two test failures. > Looks > > >> like > > >> > > CI did > > >> > > > > > > > too: > > >> > > > > > > > > > >> > > > > >> > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > >> > > > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change > unless I > > >> > > screwed the > > >> > > > > > > > pooch on something. Are these known issues by chance? > > >> > > > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > >> > > rich...@zowalla.com> > > >> > > > > > > > wrote: > > >> > > > > > > > > > > >> > > > > > > > > Might be relevant fo
Re: [PR] Regenerated BOMs after dependency upgrades (tomee)
exabrial merged PR #1075: URL: https://github.com/apache/tomee/pull/1075
[PR] Regenerated BOMs after dependency upgrades (tomee)
github-actions[bot] opened a new pull request, #1075: URL: https://github.com/apache/tomee/pull/1075 Found some uncommited changes (from BOM regeneration) after running build on TomEE 8.x branch
Re: 8.0.16 release
Thanks, do we need to do the bom thing? On Fri, Oct 27, 2023 at 3:53 PM Jonathan Gallimore wrote: > > Done: > https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 > > On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < > jonathan.gallim...@gmail.com> wrote: > > > Thanks. That commit is incoming in about 1 minute. > > > > Jon > > > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > > wrote: > > > >> No problemo. I'll cancel, do the pr two step, and rebuild > >> > >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > >> wrote: > >> > > >> > I was about to ask the same. Happy to push the update to the branch > >> before > >> > a release is kicked off. > >> > > >> > Jon > >> > > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > >> wrote: > >> > > >> > > Hi > >> > > > >> > > Before it's too late, can 8.0.16 release include (if not already done) > >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > >> > > has High 8.8 score by > >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > >> > > remote code execution ? > >> > > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. > >> > > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > >> > > according to > >> > > > >> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > >> > > , > >> > > we need at least 5.16.7 > >> > > > >> > > I hope this dependency update can make it in 8.0.16 before it's > >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > >> > > > >> > > Thanks, > >> > > Alex > >> > > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher > >> a > >> > > écrit : > >> > > > > >> > > > Alright, I have the build completed, signed, and uploaded the the > >> > > > Nexus staging repository: orgapachetomee-1221 > >> > > > > >> > > > What's next? 
I'm a little apprehensive to close out the staging repo > >> > > > for fear of prematurely publishing a release... > >> > > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > >> exabr...@gmail.com> > >> > > wrote: > >> > > > > > >> > > > > I got another good build locally and CI is happy too. I'm going to > >> > > > > stage the release! > >> > > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > >> exabr...@gmail.com> > >> > > wrote: > >> > > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > >> > > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < > >> jej2...@gmail.com> > >> > > wrote: > >> > > > > > > > >> > > > > > > Should this be included? > >> > > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > >> (xmlsec) to > >> > > > > > > mitigate CVE-2023-4448 > >> > > > > > > > >> > > > > > > Not sure how to find the others without going through commit > >> > > history. > >> > > > > > > > >> > > > > > > Jamie > >> > > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > >> > > exabr...@gmail.com> > >> > > > > > > wrote: > >> > > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > >> > > anyone > >> > > > > > > > else is aware of anything else I can upgrade before release, > >> > > please > >> > > > > > > > speak up :) > >> > > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build > >> > > > > > > > tomee-release-tools now. The atlassian maven repository hit > >> me > >> > > with a > >> > > > > > > > rate limit briefly but it seems to have lifted. > >> > > > > > > > > >> > > > > > > > I have three questions at this point in time: > >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > >> > > CVE's? > >> > > > > > > > 2. Are there CVEs we ignore? 
(basically ones that are > >> present but > >> > > > > > > > don't apply to us) > >> > > > > > > > 3. I ran a build locally and got two test failures. Looks > >> like > >> > > CI did > >> > > > > > > > too: > >> > > > > > > > > >> > > > >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > >> > > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change unless I > >> > > screwed the > >> > > > > > > > pooch on something. Are these known issues by chance? > >> > > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > >> > > rich...@zowalla.com> > >> > > > > > > > wrote: > >> > > > > > > > > > >> > > > > > > > > Might be relevant for your release preperations: > >> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > >> > > > > > > > > > >> > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > >> Fisher" > >> > > < > >> > > > > > > > exabr...@gmail.com>: > >> > > > > > > > > >Thank you, eclipselink has been updated and boms also > >> updated. > >> > > > > > > > > > > >> > > > > > > > > >Are the tomee release tools still needed? > >> > > > > > > > > > >
Re: 8.0.16 release
Done: https://github.com/apache/tomee/commit/c63eacac4956c29454a0efc3e75e933dd4316b26 On Fri, Oct 27, 2023 at 9:46 PM Jonathan Gallimore < jonathan.gallim...@gmail.com> wrote: > Thanks. That commit is incoming in about 1 minute. > > Jon > > On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher > wrote: > >> No problemo. I'll cancel, do the pr two step, and rebuild >> >> On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore >> wrote: >> > >> > I was about to ask the same. Happy to push the update to the branch >> before >> > a release is kicked off. >> > >> > Jon >> > >> > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, >> wrote: >> > >> > > Hi >> > > >> > > Before it's too late, can 8.0.16 release include (if not already done) >> > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which >> > > has High 8.8 score by >> > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling >> > > remote code execution ? >> > > >> > > As a reminder, ActiveMQ is embedded in TomEE+. >> > > >> > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and >> > > according to >> > > >> https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt >> > > , >> > > we need at least 5.16.7 >> > > >> > > I hope this dependency update can make it in 8.0.16 before it's >> > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) >> > > >> > > Thanks, >> > > Alex >> > > >> > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher >> a >> > > écrit : >> > > > >> > > > Alright, I have the build completed, signed, and uploaded the the >> > > > Nexus staging repository: orgapachetomee-1221 >> > > > >> > > > What's next? I'm a little apprehensive to close out the staging repo >> > > > for fear of prematurely publishing a release... >> > > > >> > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < >> exabr...@gmail.com> >> > > wrote: >> > > > > >> > > > > I got another good build locally and CI is happy too. 
I'm going to >> > > > > stage the release! >> > > > > >> > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < >> exabr...@gmail.com> >> > > wrote: >> > > > > > >> > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI >> > > > > > >> > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson < >> jej2...@gmail.com> >> > > wrote: >> > > > > > > >> > > > > > > Should this be included? >> > > > > > > >> > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 >> (xmlsec) to >> > > > > > > mitigate CVE-2023-4448 >> > > > > > > >> > > > > > > Not sure how to find the others without going through commit >> > > history. >> > > > > > > >> > > > > > > Jamie >> > > > > > > >> > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < >> > > exabr...@gmail.com> >> > > > > > > wrote: >> > > > > > > >> > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If >> > > anyone >> > > > > > > > else is aware of anything else I can upgrade before release, >> > > please >> > > > > > > > speak up :) >> > > > > > > > >> > > > > > > > Also good news: for whatever reason, I'm able to build >> > > > > > > > tomee-release-tools now. The atlassian maven repository hit >> me >> > > with a >> > > > > > > > rate limit briefly but it seems to have lifted. >> > > > > > > > >> > > > > > > > I have three questions at this point in time: >> > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for >> > > CVE's? >> > > > > > > > 2. Are there CVEs we ignore? (basically ones that are >> present but >> > > > > > > > don't apply to us) >> > > > > > > > 3. I ran a build locally and got two test failures. Looks >> like >> > > CI did >> > > > > > > > too: >> > > > > > > > >> > > >> https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ >> > > > > > > > >> > > > > > > > It doesn't look related to the EclipseLink change unless I >> > > screwed the >> > > > > > > > pooch on something. 
Are these known issues by chance? >> > > > > > > > >> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < >> > > rich...@zowalla.com> >> > > > > > > > wrote: >> > > > > > > > > >> > > > > > > > > Might be relevant for your release preperations: >> > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 >> > > > > > > > > >> > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. >> Fisher" >> > > < >> > > > > > > > exabr...@gmail.com>: >> > > > > > > > > >Thank you, eclipselink has been updated and boms also >> updated. >> > > > > > > > > > >> > > > > > > > > >Are the tomee release tools still needed? >> > > > > > > > > > >> > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: >> > > Could not >> > > > > > > > > >resolve dependencies for project >> > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: >> > > Failed to >> > > > > > > > > >collect dependencies at >> > > org.tomitribe.jamira:jamira-core:jar:0.4 -> >> > > > > > > > > >com.atlassian.jira:ji
Re: 8.0.16 release
Thanks. That commit is incoming in about 1 minute. Jon On Fri, Oct 27, 2023 at 9:43 PM Jonathan S. Fisher wrote: > No problemo. I'll cancel, do the pr two step, and rebuild > > On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore > wrote: > > > > I was about to ask the same. Happy to push the update to the branch > before > > a release is kicked off. > > > > Jon > > > > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, > wrote: > > > > > Hi > > > > > > Before it's too late, can 8.0.16 release include (if not already done) > > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > > > has High 8.8 score by > > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > > > remote code execution ? > > > > > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > > > according to > > > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > > , > > > we need at least 5.16.7 > > > > > > I hope this dependency update can make it in 8.0.16 before it's > > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > > > > > Thanks, > > > Alex > > > > > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher > a > > > écrit : > > > > > > > > Alright, I have the build completed, signed, and uploaded the the > > > > Nexus staging repository: orgapachetomee-1221 > > > > > > > > What's next? I'm a little apprehensive to close out the staging repo > > > > for fear of prematurely publishing a release... > > > > > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher < > exabr...@gmail.com> > > > wrote: > > > > > > > > > > I got another good build locally and CI is happy too. I'm going to > > > > > stage the release! > > > > > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher < > exabr...@gmail.com> > > > wrote: > > > > > > > > > > > > Yep! I just logged that one and pushed a PR. 
Waiting on CI > > > > > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > > > > wrote: > > > > > > > > > > > > > > Should this be included? > > > > > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 > (xmlsec) to > > > > > > > mitigate CVE-2023-4448 > > > > > > > > > > > > > > Not sure how to find the others without going through commit > > > history. > > > > > > > > > > > > > > Jamie > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > > exabr...@gmail.com> > > > > > > > wrote: > > > > > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > > > anyone > > > > > > > > else is aware of anything else I can upgrade before release, > > > please > > > > > > > > speak up :) > > > > > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > > > tomee-release-tools now. The atlassian maven repository hit > me > > > with a > > > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > > > > > I have three questions at this point in time: > > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > > CVE's? > > > > > > > > 2. Are there CVEs we ignore? (basically ones that are > present but > > > > > > > > don't apply to us) > > > > > > > > 3. I ran a build locally and got two test failures. Looks > like > > > CI did > > > > > > > > too: > > > > > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > > > screwed the > > > > > > > > pooch on something. Are these known issues by chance? 
> > > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > > rich...@zowalla.com> > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. > Fisher" > > > < > > > > > > > > exabr...@gmail.com>: > > > > > > > > > >Thank you, eclipselink has been updated and boms also > updated. > > > > > > > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > > > Could not > > > > > > > > > >resolve dependencies for project > > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > > Failed to > > > > > > > > > >collect dependencies at > > > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > > Failed to read > > > > > > > > > >artifact descriptor for > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > The > > > following > > > > > > > > > >artifacts could not be resolved: > > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > > (absent): Coul
Re: 8.0.16 release
No problemo. I'll cancel, do the pr two step, and rebuild On Fri, Oct 27, 2023 at 3:39 PM Jonathan Gallimore wrote: > > I was about to ask the same. Happy to push the update to the branch before > a release is kicked off. > > Jon > > On Fri, 27 Oct 2023, 21:23 Alex The Rocker, wrote: > > > Hi > > > > Before it's too late, can 8.0.16 release include (if not already done) > > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > > has High 8.8 score by > > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > > remote code execution ? > > > > As a reminder, ActiveMQ is embedded in TomEE+. > > > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > > according to > > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > > , > > we need at least 5.16.7 > > > > I hope this dependency update can make it in 8.0.16 before it's > > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > > > Thanks, > > Alex > > > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a > > écrit : > > > > > > Alright, I have the build completed, signed, and uploaded the the > > > Nexus staging repository: orgapachetomee-1221 > > > > > > What's next? I'm a little apprehensive to close out the staging repo > > > for fear of prematurely publishing a release... > > > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher > > wrote: > > > > > > > > I got another good build locally and CI is happy too. I'm going to > > > > stage the release! > > > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > > wrote: > > > > > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > > wrote: > > > > > > > > > > > > Should this be included? 
> > > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > > > mitigate CVE-2023-4448 > > > > > > > > > > > > Not sure how to find the others without going through commit > > history. > > > > > > > > > > > > Jamie > > > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher < > > exabr...@gmail.com> > > > > > > wrote: > > > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > > anyone > > > > > > > else is aware of anything else I can upgrade before release, > > please > > > > > > > speak up :) > > > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > > tomee-release-tools now. The atlassian maven repository hit me > > with a > > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > > > I have three questions at this point in time: > > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > > CVE's? > > > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > > > don't apply to us) > > > > > > > 3. I ran a build locally and got two test failures. Looks like > > CI did > > > > > > > too: > > > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > > screwed the > > > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > > rich...@zowalla.com> > > > > > > > wrote: > > > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > > < > > > > > > > exabr...@gmail.com>: > > > > > > > > >Thank you, eclipselink has been updated and boms also updated. 
> > > > > > > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > > Could not > > > > > > > > >resolve dependencies for project > > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > > Failed to > > > > > > > > >collect dependencies at > > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > > Failed to read > > > > > > > > >artifact descriptor for > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > following > > > > > > > > >artifacts could not be resolved: > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > > (absent): Could > > > > > > > > >not transfer artifact > > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > > > >atlassian ( > > > > > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> > > [Help 1] > > > > > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository > > due to > > >
Re: 8.0.16 release
I was about to ask the same. Happy to push the update to the branch before a release is kicked off. Jon On Fri, 27 Oct 2023, 21:23 Alex The Rocker, wrote: > Hi > > Before it's too late, can 8.0.16 release include (if not already done) > the dependency update to ActiveMQ version fixing CVE-2023-46604 (which > has High 8.8 score by > https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling > remote code execution ? > > As a reminder, ActiveMQ is embedded in TomEE+. > > With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and > according to > https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt > , > we need at least 5.16.7 > > I hope this dependency update can make it in 8.0.16 before it's > released (or maybe it's already in the about-to-be voted 8.0.16 ?) > > Thanks, > Alex > > Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a > écrit : > > > > Alright, I have the build completed, signed, and uploaded the the > > Nexus staging repository: orgapachetomee-1221 > > > > What's next? I'm a little apprehensive to close out the staging repo > > for fear of prematurely publishing a release... > > > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher > wrote: > > > > > > I got another good build locally and CI is happy too. I'm going to > > > stage the release! > > > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > wrote: > > > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson > wrote: > > > > > > > > > > Should this be included? > > > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > > mitigate CVE-2023-4448 > > > > > > > > > > Not sure how to find the others without going through commit > history. > > > > > > > > > > Jamie > > > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. 
Fisher < > exabr...@gmail.com> > > > > > wrote: > > > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If > anyone > > > > > > else is aware of anything else I can upgrade before release, > please > > > > > > speak up :) > > > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > > tomee-release-tools now. The atlassian maven repository hit me > with a > > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > > > I have three questions at this point in time: > > > > > > 1. Is there a way to scan 8.0.16-SNAPHSOT before release for > CVE's? > > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > > don't apply to us) > > > > > > 3. I ran a build locally and got two test failures. Looks like > CI did > > > > > > too: > > > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > > > It doesn't look related to the EclipseLink change unless I > screwed the > > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla < > rich...@zowalla.com> > > > > > > wrote: > > > > > > > > > > > > > > Might be relevant for your release preperations: > > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > > > Am 26. Oktober 2023 00:11:14 MESZ schrieb "Jonathan S. Fisher" > < > > > > > > exabr...@gmail.com>: > > > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > > > > >Are the tomee release tools still needed? 
> > > > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: > Could not > > > > > > > >resolve dependencies for project > > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: > Failed to > > > > > > > >collect dependencies at > org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: > Failed to read > > > > > > > >artifact descriptor for > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > following > > > > > > > >artifacts could not be resolved: > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 > (absent): Could > > > > > > > >not transfer artifact > > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > > >atlassian ( > > > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> > [Help 1] > > > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository > due to > > > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla < > r...@apache.org> > > > > > > wrote: > > > > > > > >> > > > > > > > >> Feel free to update 3rd party dependencies (make sure to > create a > > > > > > Jira, > > > > > > > >> so it gets into the release notes). To update the BOMs you > can eit
Re: 8.0.16 release
Hi Before it's too late, can 8.0.16 release include (if not already done) the dependency update to ActiveMQ version fixing CVE-2023-46604 (which has High 8.8 score by https://nvd.nist.gov/vuln/detail/CVE-2022-46604), as it's enabling remote code execution ? As a reminder, ActiveMQ is embedded in TomEE+. With TomEE+ 8.0.15, we have ActiveMQ artifacts at version 5.16.6, and according to https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt, we need at least 5.16.7 I hope this dependency update can make it in 8.0.16 before it's released (or maybe it's already in the about-to-be voted 8.0.16 ?) Thanks, Alex Le ven. 27 oct. 2023 à 18:15, Jonathan S. Fisher a écrit : > > Alright, I have the build completed, signed, and uploaded the the > Nexus staging repository: orgapachetomee-1221 > > What's next? I'm a little apprehensive to close out the staging repo > for fear of prematurely publishing a release... > > On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher wrote: > > > > I got another good build locally and CI is happy too. I'm going to > > stage the release! > > > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher > > wrote: > > > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > > > > > Should this be included? > > > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > > mitigate CVE-2023-4448 > > > > > > > > Not sure how to find the others without going through commit history. > > > > > > > > Jamie > > > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > > > wrote: > > > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > > > else is aware of anything else I can upgrade before release, please > > > > > speak up :) > > > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > > tomee-release-tools now. 
The atlassian maven repository hit me with a > > > > > rate limit briefly but it seems to have lifted. > > > > > > > > > > I have three questions at this point in time: > > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for CVEs? > > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > > don't apply to us) > > > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > > > too: > > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > > > pooch on something. Are these known issues by chance? > > > > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > > wrote: > > > > > > > > > > > > Might be relevant for your release preparations: > > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > > > On October 26, 2023 00:11:14 CEST, "Jonathan S. Fisher" < > > > > > exabr...@gmail.com> wrote: > > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > > > >Are the tomee release tools still needed?
> > > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > > > >resolve dependencies for project > > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to > > > > > > >read > > > > > > >artifact descriptor for > > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The > > > > > > >following > > > > > > >artifacts could not be resolved: > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): > > > > > > >Could > > > > > > >not transfer artifact > > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > > >atlassian ( > > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help > > > > > > >1] > > > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due > > > > > > >to > > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > > wrote: > > > > > > >> > > > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > > > Jira, > > > > > > >> so it gets into the release notes). To update the BOMs you can > > > > > > >> either > > > > > > >> rely on the related GitHub action (will do it automatically via > > > > > > >> a PR) > > > > > > >> or just run a quick build. > > > > > > >> > > > > > > >> > > > > > > >> On Wednesday, 25.10.2023 at 08:40 -0500, Jonathan S. > > > > > > >> Fisher wrote: > > > > > > >> > Richard: thank you sir, I see my key in there. > > > > > > >> > Rod: Are the docker images part of
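Added example (not part of the thread and not the TomEE project's tooling): a shell check for the situation the message above describes, reporting bundled ActiveMQ jars older than a minimum fixed version. The `activemq-<module>-<version>.jar` naming, the function names and the sample directory are assumptions; 5.16.6 and 5.16.7 are the versions cited in the message.

```shell
#!/bin/sh
# Added example: report bundled ActiveMQ jars older than a minimum fixed version.
# Assumption: jars are named activemq-<module>-<major>.<minor>.<patch>.jar.

# version_lt A B: true when dotted numeric version A is strictly lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# outdated_activemq_jars DIR MIN: print one line per activemq jar in DIR whose
# version is below MIN, or whose version cannot be read from the file name.
outdated_activemq_jars() {
    dir=$1
    min=$2
    for jar in "$dir"/activemq-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        name=$(basename "$jar")
        ver=$(printf '%s\n' "$name" |
            sed -n 's/^activemq-.*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*\.jar$/\1/p')
        if [ -z "$ver" ]; then
            echo "UNKNOWN $name"
        elif version_lt "$ver" "$min"; then
            echo "OUTDATED $name ($ver < $min)"
        fi
    done
}

# Constructed sample: empty files named like jars in a server lib directory.
demo_dir=$(mktemp -d)
touch "$demo_dir/activemq-broker-5.16.6.jar" \
      "$demo_dir/activemq-client-5.16.7.jar" \
      "$demo_dir/activemq-ra-5.16.10.jar"
outdated_activemq_jars "$demo_dir" 5.16.7
rm -rf "$demo_dir"
```

The comparison is numeric per component, so 5.16.10 is correctly treated as newer than 5.16.7; a file-name check like this only confirms what is bundled, not what a dependency tree would resolve.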
Re: 8.0.16 release
Alright, I have the build completed, signed, and uploaded to the Nexus staging repository: orgapachetomee-1221 What's next? I'm a little apprehensive to close out the staging repo for fear of prematurely publishing a release... On Fri, Oct 27, 2023 at 9:42 AM Jonathan S. Fisher wrote: > > I got another good build locally and CI is happy too. I'm going to > stage the release! > > On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher wrote: > > > > Yep! I just logged that one and pushed a PR. Waiting on CI > > > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > > > Should this be included? > > > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > > mitigate CVE-2023-4448 > > > > > > Not sure how to find the others without going through commit history. > > > > > > Jamie > > > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > > wrote: > > > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > > else is aware of anything else I can upgrade before release, please > > > > speak up :) > > > > > > > > Also good news: for whatever reason, I'm able to build > > > > tomee-release-tools now. The atlassian maven repository hit me with a > > > > rate limit briefly but it seems to have lifted. > > > > > > > > I have three questions at this point in time: > > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for CVEs? > > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > > don't apply to us) > > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > > too: > > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > > pooch on something. Are these known issues by chance?
> > > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > > wrote: > > > > > > > > > > Might be relevant for your release preparations: > > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > > > On October 26, 2023 00:11:14 CEST, "Jonathan S. Fisher" < > > > > exabr...@gmail.com> wrote: > > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > > > >Are the tomee release tools still needed? > > > > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > > >resolve dependencies for project > > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to > > > > > >read > > > > > >artifact descriptor for > > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > > > > >artifacts could not be resolved: > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): > > > > > >Could > > > > > >not transfer artifact > > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > > >atlassian ( > > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due to > > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > > wrote: > > > > > >> > > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > > Jira, > > > > > >> so it gets into the release notes). To update the BOMs you can > > > > > >> either > > > > > >> rely on the related GitHub action (will do it automatically via a > > > > > >> PR) > > > > > >> or just run a quick build.
> > > > > >> > > > > > >> > > > > > >> On Wednesday, 25.10.2023 at 08:40 -0500, Jonathan S. > > > > > >> Fisher wrote: > > > > > >> > Richard: thank you sir, I see my key in there. > > > > > >> > Rod: Are the docker images part of the main build? I don't use > > > > Docker > > > > > >> > professionally, so I'm not very familiar with the whole process. > > > > > >> > > > > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > > >> > > > > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13? > > > > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > > We've > > > > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few > > > > > >> > weeks > > > > > >> > and haven't seen any issues. > > > > > >> > > > > > > >> > > > > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > > >> > wrote: > > > > > >> > > > > > > > >> > > Is there any way to test the keys before we deploy? We have had > > > > > >> > > issues > > > > > >> > > in the past with new keys and verifying the packages when the > > > > > >> > > docker images are built. > > > > > >> > > > > > > > >> > > Thanks, > > > > > >> > > Rod. > > >
Re: 8.0.16 release
I got another good build locally and CI is happy too. I'm going to stage the release! On Thu, Oct 26, 2023 at 9:27 AM Jonathan S. Fisher wrote: > > Yep! I just logged that one and pushed a PR. Waiting on CI > > On Thu, Oct 26, 2023 at 9:24 AM Jamie Johnson wrote: > > > > Should this be included? > > > > TOMEE-4263: Update Apache Santuario to 2.3.4 from 2.3.2 (xmlsec) to > > mitigate CVE-2023-4448 > > > > Not sure how to find the others without going through commit history. > > > > Jamie > > > > On Thu, Oct 26, 2023 at 8:19 AM Jonathan S. Fisher > > wrote: > > > > > Richard, thank you sir; I assigned that ticket to myself. If anyone > > > else is aware of anything else I can upgrade before release, please > > > speak up :) > > > > > > Also good news: for whatever reason, I'm able to build > > > tomee-release-tools now. The atlassian maven repository hit me with a > > > rate limit briefly but it seems to have lifted. > > > > > > I have three questions at this point in time: > > > 1. Is there a way to scan 8.0.16-SNAPSHOT before release for CVEs? > > > 2. Are there CVEs we ignore? (basically ones that are present but > > > don't apply to us) > > > 3. I ran a build locally and got two test failures. Looks like CI did > > > too: > > > https://ci-builds.apache.org/job/Tomee/job/tomee-8.x-build-full-java8/lastCompletedBuild/ > > > > > > It doesn't look related to the EclipseLink change unless I screwed the > > > pooch on something. Are these known issues by chance? > > > > > > On Thu, Oct 26, 2023 at 1:03 AM Richard Zowalla > > > wrote: > > > > > > > > Might be relevant for your release preparations: > > > https://issues.apache.org/jira/browse/TOMEE-4263 > > > > > > > > On October 26, 2023 00:11:14 CEST, "Jonathan S. Fisher" < > > > exabr...@gmail.com> wrote: > > > > >Thank you, eclipselink has been updated and boms also updated. > > > > > > > > > >Are the tomee release tools still needed?
> > > > > > > > > >[ERROR] Failed to execute goal on project release-tools: Could not > > > > >resolve dependencies for project > > > > >org.apache.openejb.tools:release-tools:jar:1.0-SNAPSHOT: Failed to > > > > >collect dependencies at org.tomitribe.jamira:jamira-core:jar:0.4 -> > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: Failed to read > > > > >artifact descriptor for > > > > >com.atlassian.jira:jira-rest-java-client-app:jar:5.2.2: The following > > > > >artifacts could not be resolved: > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 (absent): Could > > > > >not transfer artifact > > > > >com.atlassian.jira:jira-rest-java-client-app:pom:5.2.2 from/to > > > > >atlassian ( > > > https://maven.atlassian.com/content/repositories/atlassian-public/): > > > > >status code: 429, reason phrase: Too Many Requests (429) -> [Help 1] > > > > > > > > > >I can't seem to get the artifacts from their Maven repository due to > > > > >rate limiting unfortunately. > > > > > > > > > > > > > > >On Wed, Oct 25, 2023 at 8:50 AM Richard Zowalla > > > wrote: > > > > >> > > > > >> Feel free to update 3rd party dependencies (make sure to create a > > > Jira, > > > > >> so it gets into the release notes). To update the BOMs you can either > > > > >> rely on the related GitHub action (will do it automatically via a PR) > > > > >> or just run a quick build. > > > > >> > > > > >> > > > > >> On Wednesday, 25.10.2023 at 08:40 -0500, Jonathan S. > > > > >> Fisher wrote: > > > > >> > Richard: thank you sir, I see my key in there. > > > > >> > Rod: Are the docker images part of the main build? I don't use > > > Docker > > > > >> > professionally, so I'm not very familiar with the whole process. > > > > >> > > > > > >> > I see Tomcat 9.0.82 in tomee-8.x. Yeehaw! > > > > >> > > > > > >> > Does anyone have an issue with me updating to eclipselink 2.7.13?
> > > > >> > https://github.com/eclipse-ee4j/eclipselink/releases/tag/2.7.13 > > > We've > > > > >> > been running TomEE 8.0.15 with 2.7.13 in production for a few weeks > > > > >> > and haven't seen any issues. > > > > >> > > > > > >> > > > > > >> > On Tue, Oct 24, 2023 at 10:18 AM Rod Jenkins > > > > >> > wrote: > > > > >> > > > > > > >> > > Is there any way to test the keys before we deploy? We have had > > > > >> > > issues > > > > >> > > in the past with new keys and verifying the packages when the > > > > >> > > docker images are built. > > > > >> > > > > > > >> > > Thanks, > > > > >> > > Rod. > > > > >> > > > > > > >> > > > > > > > >> > > > On Oct 24, 2023, at 9:06 AM, Richard Zowalla > > > > >> > > > wrote: > > > > >> > > > > > > > >> > > > Added to https://dist.apache.org/repos/dist/release/tomee/KEYS > > > > >> > > > > > > > >> > > > > On Tuesday, 24.10.2023 at 08:54 -0500, Jonathan > > > > >> > > > > S. > > > > >> > > > > Fisher wrote: > > > > >> > > > > pasted here: > > > > >> > > > > > > > > >> > > > > -BEGIN PGP PUBLIC KEY BLOCK- > > > > >> > > > > > > > > >> > > > > > > > mJMEV5tUvhMFK4EEACMEIwQBDFKWRWNFys17LQRo18NBQ0cJk9HitooLx1k3dGT >