subject:"Releases\?"

Re: Helping with Releases (Re: TomEE KEYS update)

2022-03-18 Thread Zowalla, Richard

I like the idea of pairing people to act as release managers. That is a
great way to transfer knowledge and open the circle of people "who
know". 

By doing so, it might be even possible to have some sort of (mostly) up
2 date release documentation, which could then be integrated in the
release tools. A checklist as a starter (or a script in the next
iteration) is also a good thing + the 4 eye principle. 

If we have some sort of "structured" documentation / approach, we could
try to automate parts of it leveraging CI tools available at ASF (which
might have some restriction due to INFRA restrictions).

> A significant blocker, however, is that a large number of the steps
> can't be done unless you're an Apache committer.  Not because of
> policy, just because they require access to systems only committers
> can reach.  You won't be able to run a lot of the commands.

In addition, it seems that even a "normal" committer cannot act as
release manager unless a special request is sent to INFRA [2] and the
particular access rights are granted. I don't know, if this was already
requested for TomEE ;)

To add some additional things, which we tend to make different from
times to times:

- Creation of Release Notes: We sometimes use the JIRA feature to show
our changes or use the release-tools to create the .adoc file, which is
then put on the website, too. In the past, we didn't create proper
relese notes for our website and peope had to dig into Jira to find
them. I like our current approach (since 9-M7) by adding dedicated
release notes to the website much more. They are even referenced on
Stackoverflow now *lol*.

Gruß
Richard

[1] https://infra.apache.org/release-publishing.html#releasemanager


Am Donnerstag, dem 17.03.2022 um 17:50 -0700 schrieb David Blevins:
> Digging up this old thread as any offer to help really deserves a
> response.  I had travelled to help dear old mom these two weeks and
> didn't get back to you after I had a bit more bandwidth.
> 
> > On Sep 18, 2021, at 9:31 AM, Jenkins, Rodney J (Rod) <
> > jenki...@nationwide.com> wrote:
> > 
> > David,
> > 
> > Thank you for the insights and explanation!
> > 
> > I completely understand the technical debt and the challenge of
> > making this better during a release.  I would like to jump in and
> > see where I can help.  My problem is I am not a java
> > developer.  What I am good it is automating tasks, if I can be
> > taught to execute them.
> > 
> > The big ask is:  Would anyone want to take the time with me to
> > educate me on what has to happen for a release (not during a
> > release)?  I am thinking that we could set up a dummy repo that has
> > some simple small java code in it to be a dummy TomEE release
> > candidate.  Create some dummy destinations that mimic where the
> > artifacts must be placed.  Once I understand the process, I can see
> > about making it repeatable.
> > 
> > Personally, I would like to see it done in a way that someone with
> > lesser skills (like, but not necessarily,  me) does releases.  The
> > way I see it now is the heavy hitters do the releases.  I think
> > their time would be better spent on the technical debt, bugs,
> > etc.  Maybe we could find a small few that would be wiling the be
> > release specialists.  I know some where I work that MAY be
> > interested.  If someone would teach me, I would teach them.
> 
> You have the right spirit.  In the early days of Geronimo I did the
> majority of releases and while I did a good job, wasn't the job I
> wanted to be doing and could see how me doing all the releases
> created a knowledge vacuum that actually hurts the community.
> 
> What I did was suggest we start a system where each release had a
> pilot and a copilot.  The pilot would be an experienced person who
> know what they were doing, the copilot would be someone
> learning.  Next release the copilot would become the pilot and do the
> release and a new person would become the copilot.  Each release the
> documentation got a bit better, the technical debt paid down a
> bit.  Things improved, releases got more frequent and quality went
> up.
> 
> A significant blocker, however, is that a large number of the steps
> can't be done unless you're an Apache committer.  Not because of
> policy, just because they require access to systems only committers
> can reach.  You won't be able to run a lot of the commands.
> 
> That's not a show stopper, it just means it our creativity in how to
> leverage you will be heavily challenged.  I'm up for it if you are.
> 
> I have been trying to revitalize our release tools in java for
> automating as many release tasks as possible.  I do think that's the
> right way

Helping with Releases (Re: TomEE KEYS update)

2022-03-17 Thread David Blevins

Digging up this old thread as any offer to help really deserves a response.  I 
had travelled to help dear old mom these two weeks and didn't get back to you 
after I had a bit more bandwidth.

> On Sep 18, 2021, at 9:31 AM, Jenkins, Rodney J (Rod) 
>  wrote:
> 
> David,
> 
> Thank you for the insights and explanation!
> 
> I completely understand the technical debt and the challenge of making this 
> better during a release.  I would like to jump in and see where I can help.  
> My problem is I am not a java developer.  What I am good it is automating 
> tasks, if I can be taught to execute them.
> 
> The big ask is:  Would anyone want to take the time with me to educate me on 
> what has to happen for a release (not during a release)?  I am thinking that 
> we could set up a dummy repo that has some simple small java code in it to be 
> a dummy TomEE release candidate.  Create some dummy destinations that mimic 
> where the artifacts must be placed.  Once I understand the process, I can see 
> about making it repeatable.
> 
> Personally, I would like to see it done in a way that someone with lesser 
> skills (like, but not necessarily,  me) does releases.  The way I see it now 
> is the heavy hitters do the releases.  I think their time would be better 
> spent on the technical debt, bugs, etc.  Maybe we could find a small few that 
> would be wiling the be release specialists.  I know some where I work that 
> MAY be interested.  If someone would teach me, I would teach them.

You have the right spirit.  In the early days of Geronimo I did the majority of 
releases and while I did a good job, wasn't the job I wanted to be doing and 
could see how me doing all the releases created a knowledge vacuum that 
actually hurts the community.

What I did was suggest we start a system where each release had a pilot and a 
copilot.  The pilot would be an experienced person who know what they were 
doing, the copilot would be someone learning.  Next release the copilot would 
become the pilot and do the release and a new person would become the copilot.  
Each release the documentation got a bit better, the technical debt paid down a 
bit.  Things improved, releases got more frequent and quality went up.

A significant blocker, however, is that a large number of the steps can't be 
done unless you're an Apache committer.  Not because of policy, just because 
they require access to systems only committers can reach.  You won't be able to 
run a lot of the commands.

That's not a show stopper, it just means it our creativity in how to leverage 
you will be heavily challenged.  I'm up for it if you are.

I have been trying to revitalize our release tools in java for automating as 
many release tasks as possible.  I do think that's the right way to go as the 
majority of people who do releases are java developers.  In the past I've 
written elaborate scripts in bash and inevitably they decay as I'd be the only 
one who understood them.  That doesn't necessarily mean there's no role for 
scripting.

One of the hardest parts of doing releases is remembering all the steps that 
have to be done and double checking they were done correctly.  This is 
absolutely something you could script up and run.  I will say in all my 
attempts to document release processes, I've noticed even in the best 
circumstances they're always a little out of date.  Turn your back even a 
little and they become just out of date enough no one even looks at the doc 
anymore, than it's game over.

If we had a release auditing script that could be pretty amazing.  It could be 
the checklist people use to "see" the release process as a whole.  Again I'm 
imagining something like the System V startup output where there's one line per 
task.  Each line is a step that has to be done a green/red colored status on 
the right.

Here are some things I frequently see done wrong and not noticed:

 - Forgetting to update the keys file.  Topic of the original thread.  Because 
it's something you only need to do once in a while, it's easy to forget.  
There's a release tools command to help people do it, but you have to remember 
you rotated your key a few months ago and need to run it.  Perfect thing to 
audit.

 - Missing signatures once published.  We've had infrastructure ask us to add 
signatures because we've forgotten a few times.  There's already a 
script/command to do it, but nothing to check if people use them.  As 
mentioned, people stop using scripts they find confusing, so they decide to 
wing it instead.  A script to audit this part would be great.  Apache infra has 
such a script and does run it every few months, but it's not ideal when they're 
the ones point it out.

 - Leaving SNAPSHOT or old TomEE dependencies in the examples or build.  I 
spent three days cleaning out references in the examples to older TomEE 7 and 8 
snapshots missed by past releases.  T

Re: Dependencies on previous releases / Use of [8.0,) in examples

2022-02-21 Thread Zowalla, Richard

"tomee-webaccess-7.0.0.war" is only used to participate in a
StripVersionTest: "tomee-webaccess-7.0.0.war" -> "tomee-webaccess".

Imho, it could basically be an empty WAR file, i.e. we could build a
"fake" war during our build and reference it. 

Same holds for the (outdated) sirona-javaagent. We could also add a
"fake" javaagent (or any other modern and small javaagent) to test the
same functionality.

Question would be: Separate repository or include it in a module of
TomEE main (which one)?

Gruß
Richard



Am Montag, dem 21.02.2022 um 20:48 -0500 schrieb David Blevins:
> Nice,
> 
> We're down to just one reference to a past release, tomee-webaccess-
> 7.0.0.war!  We're using that to test the TomEE Maven Plugin.
> 
> If someone wanted to cut it out, it looks like basically any war
> would work as long as it was in Maven Central.  Maybe we could push
> something up there that's smaller than 6.9MB.
> 
> 
> -David
> 
> > On Feb 21, 2022, at 3:49 AM, Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> > 
> > +1
> > 
> > I did the same in the 9.x branch.
> > I'm not a fan either because as you mentioned, it's not
> > reproducible.
> > 
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> > 
> > 
> > On Mon, Feb 21, 2022 at 8:03 AM Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> wrote:
> > 
> > > I think, that we need to totally avoid the range syntax in our
> > > examples. We also use it for the EE API and some other things in
> > > there.
> > > 
> > > In total, it leads to (non) reproducable builds (as you
> > > described).
> > > 
> > > I am strongly +1 for replacing the range syntax by plain versions
> > > in
> > > the examples.
> > > 
> > > Gruß
> > > Richard
> > > 
> > > Am Sonntag, dem 20.02.2022 um 22:51 -0500 schrieb David Blevins:
> > > > I've been digging through the build trying to eliminate
> > > > dependencies
> > > > older releases.
> > > > 
> > > > We've been inconsistently updating the versions in the
> > > > examples, so
> > > > I've gone and fixed a few of those.  We had some tools like the
> > > > TomEE
> > > > Patch Plugin indirectly pulling 8.0.0-M3 artifacts -- now
> > > > fixed.
> > > > 
> > > > One of the things adding to the issue is the use of
> > > > `[8.0,)` as the TomEE version in our
> > > > examples.
> > > > 
> > > > This looks like a very well-intentioned way to get the latest
> > > > version
> > > > and avoid always having to update versions in examples.  What
> > > > I'm
> > > > seeing in practice is that it behaves very inconsistently from
> > > > example to example for reasons that are unclear.
> > > > 
> > > > For example in the example `javamail-velocity` it downloads
> > > > stuff
> > > > from 8.0.7, 8.0.8, 8.0.9 and 8.0.10-SNAPSHOT. In fact if you
> > > > build
> > > > offline without those versions in your m2 repo, you'll get a
> > > > build
> > > > failure.  If you'd like to try, here's a quick way to delete
> > > > the last
> > > > few releases while leaving your 8.0.11-SNAPSHOTs intact:
> > > > 
> > > >$ rm -r ~/.m2/repository/org/apache/tomee/*/8.0.{7,8,9,10}*
> > > >$ rm -r
> > > > ~/.m2/repository/org/apache/tomee/bom/boms/8.0.{7,8,9,10}*
> > > > 
> > > > Ultimately this means our build is actually dependent on
> > > > previous
> > > > releases.  Here's the full list of old release binaries our
> > > > build
> > > > needs to function:
> > > > 
> > > > - 
> > > > https://gist.github.com/dblevins/c86f302c8a5b2afa4fecea905ad583fb
> > > > 
> > > > I don't see a way to eliminate these without eliminating our
> > > > `[8.0,)` usage.
> > > > 
> > > > Any thoughts?
> > > > 
> > > > 


smime.p7s
Description: S/MIME cryptographic signature

Re: Dependencies on previous releases / Use of [8.0,) in examples

2022-02-21 Thread David Blevins

Nice,

We're down to just one reference to a past release, tomee-webaccess-7.0.0.war!  
We're using that to test the TomEE Maven Plugin.

If someone wanted to cut it out, it looks like basically any war would work as 
long as it was in Maven Central.  Maybe we could push something up there that's 
smaller than 6.9MB.


-David

> On Feb 21, 2022, at 3:49 AM, Jean-Louis Monteiro  
> wrote:
> 
> +1
> 
> I did the same in the 9.x branch.
> I'm not a fan either because as you mentioned, it's not reproducible.
> 
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> On Mon, Feb 21, 2022 at 8:03 AM Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> wrote:
> 
>> I think, that we need to totally avoid the range syntax in our
>> examples. We also use it for the EE API and some other things in there.
>> 
>> In total, it leads to (non) reproducable builds (as you described).
>> 
>> I am strongly +1 for replacing the range syntax by plain versions in
>> the examples.
>> 
>> Gruß
>> Richard
>> 
>> Am Sonntag, dem 20.02.2022 um 22:51 -0500 schrieb David Blevins:
>>> I've been digging through the build trying to eliminate dependencies
>>> older releases.
>>> 
>>> We've been inconsistently updating the versions in the examples, so
>>> I've gone and fixed a few of those.  We had some tools like the TomEE
>>> Patch Plugin indirectly pulling 8.0.0-M3 artifacts -- now fixed.
>>> 
>>> One of the things adding to the issue is the use of
>>> `[8.0,)` as the TomEE version in our examples.
>>> 
>>> This looks like a very well-intentioned way to get the latest version
>>> and avoid always having to update versions in examples.  What I'm
>>> seeing in practice is that it behaves very inconsistently from
>>> example to example for reasons that are unclear.
>>> 
>>> For example in the example `javamail-velocity` it downloads stuff
>>> from 8.0.7, 8.0.8, 8.0.9 and 8.0.10-SNAPSHOT. In fact if you build
>>> offline without those versions in your m2 repo, you'll get a build
>>> failure.  If you'd like to try, here's a quick way to delete the last
>>> few releases while leaving your 8.0.11-SNAPSHOTs intact:
>>> 
>>>$ rm -r ~/.m2/repository/org/apache/tomee/*/8.0.{7,8,9,10}*
>>>$ rm -r
>>> ~/.m2/repository/org/apache/tomee/bom/boms/8.0.{7,8,9,10}*
>>> 
>>> Ultimately this means our build is actually dependent on previous
>>> releases.  Here's the full list of old release binaries our build
>>> needs to function:
>>> 
>>> - https://gist.github.com/dblevins/c86f302c8a5b2afa4fecea905ad583fb
>>> 
>>> I don't see a way to eliminate these without eliminating our
>>> `[8.0,)` usage.
>>> 
>>> Any thoughts?
>>> 
>>> 
>> 



smime.p7s
Description: S/MIME cryptographic signature

Re: Dependencies on previous releases / Use of [8.0,) in examples

2022-02-21 Thread Jean-Louis Monteiro

+1

I did the same in the 9.x branch.
I'm not a fan either because as you mentioned, it's not reproducible.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Feb 21, 2022 at 8:03 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> I think, that we need to totally avoid the range syntax in our
> examples. We also use it for the EE API and some other things in there.
>
> In total, it leads to (non) reproducable builds (as you described).
>
> I am strongly +1 for replacing the range syntax by plain versions in
> the examples.
>
> Gruß
> Richard
>
> Am Sonntag, dem 20.02.2022 um 22:51 -0500 schrieb David Blevins:
> > I've been digging through the build trying to eliminate dependencies
> > older releases.
> >
> > We've been inconsistently updating the versions in the examples, so
> > I've gone and fixed a few of those.  We had some tools like the TomEE
> > Patch Plugin indirectly pulling 8.0.0-M3 artifacts -- now fixed.
> >
> > One of the things adding to the issue is the use of
> > `[8.0,)` as the TomEE version in our examples.
> >
> > This looks like a very well-intentioned way to get the latest version
> > and avoid always having to update versions in examples.  What I'm
> > seeing in practice is that it behaves very inconsistently from
> > example to example for reasons that are unclear.
> >
> > For example in the example `javamail-velocity` it downloads stuff
> > from 8.0.7, 8.0.8, 8.0.9 and 8.0.10-SNAPSHOT. In fact if you build
> > offline without those versions in your m2 repo, you'll get a build
> > failure.  If you'd like to try, here's a quick way to delete the last
> > few releases while leaving your 8.0.11-SNAPSHOTs intact:
> >
> > $ rm -r ~/.m2/repository/org/apache/tomee/*/8.0.{7,8,9,10}*
> > $ rm -r
> > ~/.m2/repository/org/apache/tomee/bom/boms/8.0.{7,8,9,10}*
> >
> > Ultimately this means our build is actually dependent on previous
> > releases.  Here's the full list of old release binaries our build
> > needs to function:
> >
> >  - https://gist.github.com/dblevins/c86f302c8a5b2afa4fecea905ad583fb
> >
> > I don't see a way to eliminate these without eliminating our
> > `[8.0,)` usage.
> >
> > Any thoughts?
> >
> >
>

Re: Dependencies on previous releases / Use of [8.0,) in examples

2022-02-20 Thread Zowalla, Richard

I think, that we need to totally avoid the range syntax in our
examples. We also use it for the EE API and some other things in there.

In total, it leads to (non) reproducable builds (as you described).

I am strongly +1 for replacing the range syntax by plain versions in
the examples.

Gruß
Richard

Am Sonntag, dem 20.02.2022 um 22:51 -0500 schrieb David Blevins:
> I've been digging through the build trying to eliminate dependencies
> older releases.
> 
> We've been inconsistently updating the versions in the examples, so
> I've gone and fixed a few of those.  We had some tools like the TomEE
> Patch Plugin indirectly pulling 8.0.0-M3 artifacts -- now fixed.
> 
> One of the things adding to the issue is the use of
> `[8.0,)` as the TomEE version in our examples.
> 
> This looks like a very well-intentioned way to get the latest version
> and avoid always having to update versions in examples.  What I'm
> seeing in practice is that it behaves very inconsistently from
> example to example for reasons that are unclear.
> 
> For example in the example `javamail-velocity` it downloads stuff
> from 8.0.7, 8.0.8, 8.0.9 and 8.0.10-SNAPSHOT. In fact if you build
> offline without those versions in your m2 repo, you'll get a build
> failure.  If you'd like to try, here's a quick way to delete the last
> few releases while leaving your 8.0.11-SNAPSHOTs intact:
> 
> $ rm -r ~/.m2/repository/org/apache/tomee/*/8.0.{7,8,9,10}*
> $ rm -r
> ~/.m2/repository/org/apache/tomee/bom/boms/8.0.{7,8,9,10}*
> 
> Ultimately this means our build is actually dependent on previous
> releases.  Here's the full list of old release binaries our build
> needs to function:
> 
>  - https://gist.github.com/dblevins/c86f302c8a5b2afa4fecea905ad583fb
> 
> I don't see a way to eliminate these without eliminating our
> `[8.0,)` usage.
> 
> Any thoughts?
> 
> 


smime.p7s
Description: S/MIME cryptographic signature

Dependencies on previous releases / Use of [8.0,) in examples

2022-02-20 Thread David Blevins

I've been digging through the build trying to eliminate dependencies older 
releases.

We've been inconsistently updating the versions in the examples, so I've gone 
and fixed a few of those.  We had some tools like the TomEE Patch Plugin 
indirectly pulling 8.0.0-M3 artifacts -- now fixed.

One of the things adding to the issue is the use of `[8.0,)` 
as the TomEE version in our examples.

This looks like a very well-intentioned way to get the latest version and avoid 
always having to update versions in examples.  What I'm seeing in practice is 
that it behaves very inconsistently from example to example for reasons that 
are unclear.

For example in the example `javamail-velocity` it downloads stuff from 8.0.7, 
8.0.8, 8.0.9 and 8.0.10-SNAPSHOT. In fact if you build offline without those 
versions in your m2 repo, you'll get a build failure.  If you'd like to try, 
here's a quick way to delete the last few releases while leaving your 
8.0.11-SNAPSHOTs intact:

$ rm -r ~/.m2/repository/org/apache/tomee/*/8.0.{7,8,9,10}*
$ rm -r ~/.m2/repository/org/apache/tomee/bom/boms/8.0.{7,8,9,10}*

Ultimately this means our build is actually dependent on previous releases.  
Here's the full list of old release binaries our build needs to function:

 - https://gist.github.com/dblevins/c86f302c8a5b2afa4fecea905ad583fb

I don't see a way to eliminate these without eliminating our 
`[8.0,)` usage.

Any thoughts?


-- 
David Blevins
http://twitter.com/dblevins
http://www.tomitribe.com



smime.p7s
Description: S/MIME cryptographic signature

Re: Releases?

2021-01-22 Thread Daniel Dias Dos Santos

+1 : )


Em sex., 22 de jan. de 2021 às 12:33, exabrial12 
escreveu:

> So we haven't had any issues running the 8.0.6-SNAPSHOT in production!
>
> Looking forward to the release. Cheers,
> -Jonathan
>
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
>

Re: Releases?

2021-01-22 Thread exabrial12

So we haven't had any issues running the 8.0.6-SNAPSHOT in production! 

Looking forward to the release. Cheers,
-Jonathan




--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html

Re: Releases?

2021-01-20 Thread exabrial12

We've got this deployed and will let it run for a few hours. Hopefully that
bug is crushed!



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html

Re: Releases?

2021-01-15 Thread exabrial12

We're going into a 3 day weekend, and I have a "don't deploy on a Friday
rule" for the dept  but I think we could flip one of the nodes to the
master snapshot in the cluster over starting Tuesday morning. It generally
takes about 1-3 days for the server to OOME after that. I wouldn't delay the
release on account of our schedule but we could certainly test it to help
out since we can reproduce pretty easily.



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html

Re: Releases?

2021-01-14 Thread Jean-Louis Monteiro

Do you know if it's fixed by the current master?
Just want to make sure it's fixed lol
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Thu, Jan 14, 2021 at 10:58 PM exabrial12  wrote:

> We've been have some applications in prod OOME. I took a heap dump of one
> and
> saw a bunch of Johnzon CDI instances, so this is a welcome release.
>
> Thanks everyone!
>
>
>
> --
> Sent from:
> http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
>

Re: Releases?

2021-01-14 Thread exabrial12

We've been have some applications in prod OOME. I took a heap dump of one and
saw a bunch of Johnzon CDI instances, so this is a welcome release.

Thanks everyone!



--
Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html

Re: Releases?

2021-01-14 Thread Jonathan Gallimore

I have posted a vote for 8.0.6. I'll follow up with 7.x versions. This does
include Tomcat 9.0.41. Please do note that ActiveMQ just started a new
release vote for 5.16.1 just before I posted this, which is *not* included.
We can certainly followup with an 8.0.7 if needed or include it if a reroll
is needed.

Jon

On Thu, Jan 14, 2021 at 2:35 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi Alexandre
>
> The Tomcat version for 8.0.6 will be 9.0.41, and I am cutting the release
> now. This will include the fix for CVE-2021-24122, announced on Tomcat's
> mailing list today.
>
> Kind Regards
>
> Jon
>
>
>
> On Thu, Jan 14, 2021 at 2:26 PM Alex The Rocker 
> wrote:
>
>> yes, for example CVE-2021-24122, for which fix exists in Tomcat 9.0.40
>> / 8.5.60 / etc.
>> I hope this will be at least Tomcat's version embedded in upcoming TomEE
>> 8.0.6
>>
>> Kind regards,
>> Alexandre
>>
>> Le mer. 13 janv. 2021 à 12:53, Jonathan Gallimore
>>  a écrit :
>> >
>> > Yes. Is there a specific concern you have?
>> >
>> > On Wed, Jan 13, 2021 at 10:40 AM Alex The Rocker 
>> > wrote:
>> >
>> > > Hello Jon,
>> > >
>> > > Would you please make sure that this 8.0.6 TomEE release will include
>> > > latest CVEs fixes (from TomEE, ActiveMQ, etc) ?
>> > >
>> > > Kind regards;
>> > > Alexandre
>> > >
>> > > Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore
>> > >  a écrit :
>> > > >
>> > > > Hi All,
>> > > >
>> > > > Any objections if I kick off a 8.0.6 release? I think there are some
>> > > > dependency updates that it would be useful to get included
>> (specifically
>> > > > Tomcat), and also there's a regression with using a
>> non-transactional
>> > > > ActiveMQ connection factory in a transactional method that I have
>> fixed
>> > > as
>> > > > well.
>> > > >
>> > > > Thanks
>> > > >
>> > > > Jon
>> > >
>>
>

Re: Releases?

2021-01-14 Thread Jonathan Gallimore

Hi Alexandre

The Tomcat version for 8.0.6 will be 9.0.41, and I am cutting the release
now. This will include the fix for CVE-2021-24122, announced on Tomcat's
mailing list today.

Kind Regards

Jon



On Thu, Jan 14, 2021 at 2:26 PM Alex The Rocker 
wrote:

> yes, for example CVE-2021-24122, for which fix exists in Tomcat 9.0.40
> / 8.5.60 / etc.
> I hope this will be at least Tomcat's version embedded in upcoming TomEE
> 8.0.6
>
> Kind regards,
> Alexandre
>
> Le mer. 13 janv. 2021 à 12:53, Jonathan Gallimore
>  a écrit :
> >
> > Yes. Is there a specific concern you have?
> >
> > On Wed, Jan 13, 2021 at 10:40 AM Alex The Rocker 
> > wrote:
> >
> > > Hello Jon,
> > >
> > > Would you please make sure that this 8.0.6 TomEE release will include
> > > latest CVEs fixes (from TomEE, ActiveMQ, etc) ?
> > >
> > > Kind regards;
> > > Alexandre
> > >
> > > Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore
> > >  a écrit :
> > > >
> > > > Hi All,
> > > >
> > > > Any objections if I kick off a 8.0.6 release? I think there are some
> > > > dependency updates that it would be useful to get included
> (specifically
> > > > Tomcat), and also there's a regression with using a non-transactional
> > > > ActiveMQ connection factory in a transactional method that I have
> fixed
> > > as
> > > > well.
> > > >
> > > > Thanks
> > > >
> > > > Jon
> > >
>

Re: Releases?

2021-01-13 Thread Jonathan Gallimore

Yes. Is there a specific concern you have?

On Wed, Jan 13, 2021 at 10:40 AM Alex The Rocker 
wrote:

> Hello Jon,
>
> Would you please make sure that this 8.0.6 TomEE release will include
> latest CVEs fixes (from TomEE, ActiveMQ, etc) ?
>
> Kind regards;
> Alexandre
>
> Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore
>  a écrit :
> >
> > Hi All,
> >
> > Any objections if I kick off a 8.0.6 release? I think there are some
> > dependency updates that it would be useful to get included (specifically
> > Tomcat), and also there's a regression with using a non-transactional
> > ActiveMQ connection factory in a transactional method that I have fixed
> as
> > well.
> >
> > Thanks
> >
> > Jon
>

Re: Releases?

2021-01-13 Thread Alex The Rocker

Hello Jon,

Would you please make sure that this 8.0.6 TomEE release will include
latest CVEs fixes (from TomEE, ActiveMQ, etc) ?

Kind regards;
Alexandre

Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore
 a écrit :
>
> Hi All,
>
> Any objections if I kick off a 8.0.6 release? I think there are some
> dependency updates that it would be useful to get included (specifically
> Tomcat), and also there's a regression with using a non-transactional
> ActiveMQ connection factory in a transactional method that I have fixed as
> well.
>
> Thanks
>
> Jon

Re: Releases?

2021-01-13 Thread Jonathan Gallimore

d. The CI seems to have the
>>>> same issue.
>>>>
>>>> Jan 08, 2021 5:31:22 PM
>>>> org.apache.openejb.arquillian.common.TomEEContainer undeploy
>>>> WARNING: 747aba401bdbd3a58da1ac3acd318310abb7e18d.war was not deployed
>>>> Jan 08, 2021 5:31:22 PM org.jboss.cdi.tck.shrinkwrap.ArchiveBuilder
>>>> build
>>>> INFO: Test archive built [info:
>>>> org.jboss.cdi.tck.tests.implementation.producer.method.broken.parameterizedTypeWithWildcard.ParameterizedTypeWithWildcardTest,
>>>> time: 13 ms]
>>>> Jan 08, 2021 5:31:22 PM org.apache.openejb.client.EventLogger log
>>>> INFO: RemoteInitialContextCreated{providerUri=
>>>> http://localhost:33417/tomee/ejb}
>>>> Jan 08, 2021 5:34:21 PM
>>>> org.jboss.cdi.tck.impl.testng.ProgressLoggingTestListener beforeInvocation
>>>>
>>>> I stopped the build here after it ran for 8 hours. I'm taking a look at
>>>> this today.
>>>>
>>>> Jon
>>>>
>>>> On Fri, Jan 8, 2021 at 10:25 PM Cesar Hernandez 
>>>> wrote:
>>>>
>>>>> +1 on a new release.
>>>>> btw, this one is a pending dependency update in case still make it for
>>>>> the
>>>>> release. The CI result got stuck base on the WIP I'm troubleshooting
>>>>> in the
>>>>> Jenkins TomEE PR job: https://github.com/apache/tomee/pull/729
>>>>>
>>>>> El vie, 8 ene 2021 a las 10:25, Zowalla, Richard (<
>>>>> richard.zowa...@hs-heilbronn.de>) escribió:
>>>>>
>>>>> > Hi,
>>>>> >
>>>>> > great idea - no objections from my side
>>>>> >
>>>>> > Gruss
>>>>> > Richard
>>>>> >
>>>>> > 
>>>>> > Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
>>>>> > Gesendet: Freitag, 8. Januar 2021 14:15
>>>>> > An: dev@tomee.apache.org
>>>>> > Betreff: Releases?
>>>>> >
>>>>> > Hi All,
>>>>> >
>>>>> > Any objections if I kick off a 8.0.6 release? I think there are some
>>>>> > dependency updates that it would be useful to get included
>>>>> (specifically
>>>>> > Tomcat), and also there's a regression with using a non-transactional
>>>>> > ActiveMQ connection factory in a transactional method that I have
>>>>> fixed as
>>>>> > well.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> > Jon
>>>>> >
>>>>>
>>>>>
>>>>> --
>>>>> Atentamente:
>>>>> César Hernández.
>>>>>
>>>>

Re: Releases?

2021-01-13 Thread Jonathan Gallimore

I think I have managed to resolved - essentially the taglibs jar changing
name, and also some packages having "openejb.shade." prepended to them
looked to be tripping us up.

I have run a full build on a server here, but I do get some test failures
that I'll look at. I'll also see what the CI produces, and I'll get a TCK
run done as well.

Thanks for your patience.

Jon

On Mon, Jan 11, 2021 at 10:52 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> A (very long) git bisect is showing the taglib shading as being the
> culprit here - I assume the package change is leading to a classloader
> issue or similar. Continuing to work on it, I'll let you know what I find.
> Pointer are definitely welcome :)
>
> Jon
>
> On Mon, Jan 11, 2021 at 3:40 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
>> Looks like there is an underlying memory leak here. I'm digging into it.
>> It looks like StandardContext objects aren't being cleaned up when
>> undeploying applications.
>>
>> Jon
>>
>> On Mon, Jan 11, 2021 at 11:46 AM Jonathan Gallimore <
>> jonathan.gallim...@gmail.com> wrote:
>>
>>> I ran into some issues over the weekend, specifically with CDI tests,
>>> where each test seemed to be timing out after 90 seconds, additionally
>>> there's a warning about a .war not being deployed. The CI seems to have the
>>> same issue.
>>>
>>> Jan 08, 2021 5:31:22 PM
>>> org.apache.openejb.arquillian.common.TomEEContainer undeploy
>>> WARNING: 747aba401bdbd3a58da1ac3acd318310abb7e18d.war was not deployed
>>> Jan 08, 2021 5:31:22 PM org.jboss.cdi.tck.shrinkwrap.ArchiveBuilder build
>>> INFO: Test archive built [info:
>>> org.jboss.cdi.tck.tests.implementation.producer.method.broken.parameterizedTypeWithWildcard.ParameterizedTypeWithWildcardTest,
>>> time: 13 ms]
>>> Jan 08, 2021 5:31:22 PM org.apache.openejb.client.EventLogger log
>>> INFO: RemoteInitialContextCreated{providerUri=
>>> http://localhost:33417/tomee/ejb}
>>> Jan 08, 2021 5:34:21 PM
>>> org.jboss.cdi.tck.impl.testng.ProgressLoggingTestListener beforeInvocation
>>>
>>> I stopped the build here after it ran for 8 hours. I'm taking a look at
>>> this today.
>>>
>>> Jon
>>>
>>> On Fri, Jan 8, 2021 at 10:25 PM Cesar Hernandez 
>>> wrote:
>>>
>>>> +1 on a new release.
>>>> btw, this one is a pending dependency update in case still make it for
>>>> the
>>>> release. The CI result got stuck base on the WIP I'm troubleshooting in
>>>> the
>>>> Jenkins TomEE PR job: https://github.com/apache/tomee/pull/729
>>>>
>>>> El vie, 8 ene 2021 a las 10:25, Zowalla, Richard (<
>>>> richard.zowa...@hs-heilbronn.de>) escribió:
>>>>
>>>> > Hi,
>>>> >
>>>> > great idea - no objections from my side
>>>> >
>>>> > Gruss
>>>> > Richard
>>>> >
>>>> > 
>>>> > Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
>>>> > Gesendet: Freitag, 8. Januar 2021 14:15
>>>> > An: dev@tomee.apache.org
>>>> > Betreff: Releases?
>>>> >
>>>> > Hi All,
>>>> >
>>>> > Any objections if I kick off a 8.0.6 release? I think there are some
>>>> > dependency updates that it would be useful to get included
>>>> (specifically
>>>> > Tomcat), and also there's a regression with using a non-transactional
>>>> > ActiveMQ connection factory in a transactional method that I have
>>>> fixed as
>>>> > well.
>>>> >
>>>> > Thanks
>>>> >
>>>> > Jon
>>>> >
>>>>
>>>>
>>>> --
>>>> Atentamente:
>>>> César Hernández.
>>>>
>>>

Re: Releases?

2021-01-11 Thread Jonathan Gallimore

Looks like there is an underlying memory leak here. I'm digging into it. It
looks like StandardContext objects aren't being cleaned up when undeploying
applications.

Jon

On Mon, Jan 11, 2021 at 11:46 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I ran into some issues over the weekend, specifically with CDI tests,
> where each test seemed to be timing out after 90 seconds, additionally
> there's a warning about a .war not being deployed. The CI seems to have the
> same issue.
>
> Jan 08, 2021 5:31:22 PM
> org.apache.openejb.arquillian.common.TomEEContainer undeploy
> WARNING: 747aba401bdbd3a58da1ac3acd318310abb7e18d.war was not deployed
> Jan 08, 2021 5:31:22 PM org.jboss.cdi.tck.shrinkwrap.ArchiveBuilder build
> INFO: Test archive built [info:
> org.jboss.cdi.tck.tests.implementation.producer.method.broken.parameterizedTypeWithWildcard.ParameterizedTypeWithWildcardTest,
> time: 13 ms]
> Jan 08, 2021 5:31:22 PM org.apache.openejb.client.EventLogger log
> INFO: RemoteInitialContextCreated{providerUri=
> http://localhost:33417/tomee/ejb}
> Jan 08, 2021 5:34:21 PM
> org.jboss.cdi.tck.impl.testng.ProgressLoggingTestListener beforeInvocation
>
> I stopped the build here after it ran for 8 hours. I'm taking a look at
> this today.
>
> Jon
>
> On Fri, Jan 8, 2021 at 10:25 PM Cesar Hernandez 
> wrote:
>
>> +1 on a new release.
>> btw, this one is a pending dependency update in case still make it for the
>> release. The CI result got stuck base on the WIP I'm troubleshooting in
>> the
>> Jenkins TomEE PR job: https://github.com/apache/tomee/pull/729
>>
>> El vie, 8 ene 2021 a las 10:25, Zowalla, Richard (<
>> richard.zowa...@hs-heilbronn.de>) escribió:
>>
>> > Hi,
>> >
>> > great idea - no objections from my side
>> >
>> > Gruss
>> > Richard
>> >
>> > 
>> > Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
>> > Gesendet: Freitag, 8. Januar 2021 14:15
>> > An: dev@tomee.apache.org
>> > Betreff: Releases?
>> >
>> > Hi All,
>> >
>> > Any objections if I kick off a 8.0.6 release? I think there are some
>> > dependency updates that it would be useful to get included (specifically
>> > Tomcat), and also there's a regression with using a non-transactional
>> > ActiveMQ connection factory in a transactional method that I have fixed
>> as
>> > well.
>> >
>> > Thanks
>> >
>> > Jon
>> >
>>
>>
>> --
>> Atentamente:
>> César Hernández.
>>
>

Re: Releases?

2021-01-11 Thread Jonathan Gallimore

I ran into some issues over the weekend, specifically with CDI tests, where
each test seemed to be timing out after 90 seconds, additionally there's a
warning about a .war not being deployed. The CI seems to have the same
issue.

Jan 08, 2021 5:31:22 PM org.apache.openejb.arquillian.common.TomEEContainer
undeploy
WARNING: 747aba401bdbd3a58da1ac3acd318310abb7e18d.war was not deployed
Jan 08, 2021 5:31:22 PM org.jboss.cdi.tck.shrinkwrap.ArchiveBuilder build
INFO: Test archive built [info:
org.jboss.cdi.tck.tests.implementation.producer.method.broken.parameterizedTypeWithWildcard.ParameterizedTypeWithWildcardTest,
time: 13 ms]
Jan 08, 2021 5:31:22 PM org.apache.openejb.client.EventLogger log
INFO: RemoteInitialContextCreated{providerUri=
http://localhost:33417/tomee/ejb}
Jan 08, 2021 5:34:21 PM
org.jboss.cdi.tck.impl.testng.ProgressLoggingTestListener beforeInvocation

I stopped the build here after it ran for 8 hours. I'm taking a look at
this today.

Jon

On Fri, Jan 8, 2021 at 10:25 PM Cesar Hernandez 
wrote:

> +1 on a new release.
> btw, this one is a pending dependency update in case still make it for the
> release. The CI result got stuck base on the WIP I'm troubleshooting in the
> Jenkins TomEE PR job: https://github.com/apache/tomee/pull/729
>
> El vie, 8 ene 2021 a las 10:25, Zowalla, Richard (<
> richard.zowa...@hs-heilbronn.de>) escribió:
>
> > Hi,
> >
> > great idea - no objections from my side
> >
> > Gruss
> > Richard
> >
> > 
> > Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
> > Gesendet: Freitag, 8. Januar 2021 14:15
> > An: dev@tomee.apache.org
> > Betreff: Releases?
> >
> > Hi All,
> >
> > Any objections if I kick off a 8.0.6 release? I think there are some
> > dependency updates that it would be useful to get included (specifically
> > Tomcat), and also there's a regression with using a non-transactional
> > ActiveMQ connection factory in a transactional method that I have fixed
> as
> > well.
> >
> > Thanks
> >
> > Jon
> >
>
>
> --
> Atentamente:
> César Hernández.
>

Re: Releases?

2021-01-08 Thread Cesar Hernandez

+1 on a new release.
btw, this one is a pending dependency update in case still make it for the
release. The CI result got stuck base on the WIP I'm troubleshooting in the
Jenkins TomEE PR job: https://github.com/apache/tomee/pull/729

El vie, 8 ene 2021 a las 10:25, Zowalla, Richard (<
richard.zowa...@hs-heilbronn.de>) escribió:

> Hi,
>
> great idea - no objections from my side
>
> Gruss
> Richard
>
> 
> Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
> Gesendet: Freitag, 8. Januar 2021 14:15
> An: dev@tomee.apache.org
> Betreff: Releases?
>
> Hi All,
>
> Any objections if I kick off a 8.0.6 release? I think there are some
> dependency updates that it would be useful to get included (specifically
> Tomcat), and also there's a regression with using a non-transactional
> ActiveMQ connection factory in a transactional method that I have fixed as
> well.
>
> Thanks
>
> Jon
>


-- 
Atentamente:
César Hernández.

AW: Releases?

2021-01-08 Thread Zowalla, Richard

Hi,

great idea - no objections from my side

Gruss
Richard


Von: Jonathan Gallimore [jonathan.gallim...@gmail.com]
Gesendet: Freitag, 8. Januar 2021 14:15
An: dev@tomee.apache.org
Betreff: Releases?

Hi All,

Any objections if I kick off a 8.0.6 release? I think there are some
dependency updates that it would be useful to get included (specifically
Tomcat), and also there's a regression with using a non-transactional
ActiveMQ connection factory in a transactional method that I have fixed as
well.

Thanks

Jon

Re: Releases?

2021-01-08 Thread Alex The Rocker

Hi Jon,

Yes great proposal, i'm 100% for a 8.0.6, and I will provide
feedbacks based on our apps when RC (Release Candidate) will be
available (please don't forget Arquillian embedded TomEE 8.0.6 in RC).

Kind regards,
Alexandre

Le ven. 8 janv. 2021 à 14:15, Jonathan Gallimore
 a écrit :
>
> Hi All,
>
> Any objections if I kick off a 8.0.6 release? I think there are some
> dependency updates that it would be useful to get included (specifically
> Tomcat), and also there's a regression with using a non-transactional
> ActiveMQ connection factory in a transactional method that I have fixed as
> well.
>
> Thanks
>
> Jon

Re: Releases?

2021-01-08 Thread Jonathan Gallimore

Thanks! Getting this underway now.

On Fri, Jan 8, 2021 at 2:25 PM Wiesner, Martin <
martin.wies...@hs-heilbronn.de> wrote:

> Thx Jon for getting things rolling. Much appreciated!
>
> Best
> Martin
> -
> https://twitter.com/mawiesne
>
> > Am 08.01.2021 um 14:35 schrieb Jean-Louis Monteiro <
> jlmonte...@tomitribe.com>:
> >
> > Go for it
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Fri, Jan 8, 2021 at 2:15 PM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> >> Hi All,
> >>
> >> Any objections if I kick off a 8.0.6 release? I think there are some
> >> dependency updates that it would be useful to get included (specifically
> >> Tomcat), and also there's a regression with using a non-transactional
> >> ActiveMQ connection factory in a transactional method that I have fixed
> as
> >> well.
> >>
> >> Thanks
> >>
> >> Jon
> >>
>
>

Re: Releases?

2021-01-08 Thread Wiesner, Martin

Thx Jon for getting things rolling. Much appreciated!

Best
Martin
-
https://twitter.com/mawiesne

> Am 08.01.2021 um 14:35 schrieb Jean-Louis Monteiro :
> 
> Go for it
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> On Fri, Jan 8, 2021 at 2:15 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> 
>> Hi All,
>> 
>> Any objections if I kick off a 8.0.6 release? I think there are some
>> dependency updates that it would be useful to get included (specifically
>> Tomcat), and also there's a regression with using a non-transactional
>> ActiveMQ connection factory in a transactional method that I have fixed as
>> well.
>> 
>> Thanks
>> 
>> Jon
>> 



smime.p7s
Description: S/MIME cryptographic signature

Re: Releases?

2021-01-08 Thread Jean-Louis Monteiro

Go for it
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Fri, Jan 8, 2021 at 2:15 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Hi All,
>
> Any objections if I kick off a 8.0.6 release? I think there are some
> dependency updates that it would be useful to get included (specifically
> Tomcat), and also there's a regression with using a non-transactional
> ActiveMQ connection factory in a transactional method that I have fixed as
> well.
>
> Thanks
>
> Jon
>

Releases?

2021-01-08 Thread Jonathan Gallimore

Hi All,

Any objections if I kick off a 8.0.6 release? I think there are some
dependency updates that it would be useful to get included (specifically
Tomcat), and also there's a regression with using a non-transactional
ActiveMQ connection factory in a transactional method that I have fixed as
well.

Thanks

Jon

Re: Releases

2019-12-05 Thread Jenkins, Rodney J (Rod)

Thank you for the response.  I am fine with this approach.  But, I am not the 
one that will be affected by it.

Rod.

On 12/5/19, 4:21 AM, "Jonathan Gallimore"  wrote:

I'll review the thread again, but the compromise I'd suggest is moving
forward with what we have now, and documenting how to use those images in
different scenarios, such as Carl's. I suspect that some small changes will
need to be added using the TomEE image as the base.

What do you think?

Jon

On Thu, Dec 5, 2019 at 2:45 AM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> Jon,
>
> When that is done, I’ll release new Docker images.
>
> Which leads me to the next point.  We need a decision on how we want to
> move forward with the images.
>
> Thanks,
> Rod.
>
> 
> From: Jonathan Gallimore 
> Sent: Wednesday, December 4, 2019 5:01:38 PM
    > To: dev@tomee.apache.org 
> Subject: [EXTERNAL] Releases
>
> Nationwide Information Security Warning: This is an external email. Do not
> click on links or open attachments unless you trust the sender.
>
> 
--
>
> Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and 
8.0.1.
> Shout if you need me to stop.
>
> Thanks
>
> Jon
>

Re: Releases

2019-12-05 Thread Alex The Rocker

+1 good that you unlocked the situation for this tomcat dependency
change (hoping that some time later i'll find a way to properly create
branches on 7.1.x and 7.0.x : nothing worked for me so far...)

Alexandre

Le jeu. 5 déc. 2019 à 11:20, Jonathan Gallimore
 a écrit :
>
> Done - thanks Alexandre! I merged your change to both 7.1.x and 7.0.x.
>
> Thanks
>
> Jon
>
> On Thu, Dec 5, 2019 at 7:53 AM Alex The Rocker  wrote:
>
> > Hello Jon,
> >
> > Would it be possible to include my PR to update tomcat dependency with
> > TOMEE-2746 ?
> >
> > Please note that I was only able to push this change for tomee-7.1.x -
> > see my comment in this JIRA : maybe would it be nice to have same
> > update on 7.0.x for upcoming 7.0.7 release ?
> >
> > Kind regards,
> > Alexandre
> >
> > Le jeu. 5 déc. 2019 à 00:02, Jonathan Gallimore
> >  a écrit :
> > >
> > > Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and
> > 8.0.1.
> > > Shout if you need me to stop.
> > >
> > > Thanks
> > >
> > > Jon
> >

Re: Releases

2019-12-05 Thread Jonathan Gallimore

I'll review the thread again, but the compromise I'd suggest is moving
forward with what we have now, and documenting how to use those images in
different scenarios, such as Carl's. I suspect that some small changes will
need to be added using the TomEE image as the base.

What do you think?

Jon

On Thu, Dec 5, 2019 at 2:45 AM Jenkins, Rodney J (Rod) <
jenki...@nationwide.com> wrote:

> Jon,
>
> When that is done, I’ll release new Docker images.
>
> Which leads me to the next point.  We need a decision on how we want to
> move forward with the images.
>
> Thanks,
> Rod.
>
> 
> From: Jonathan Gallimore 
> Sent: Wednesday, December 4, 2019 5:01:38 PM
> To: dev@tomee.apache.org 
> Subject: [EXTERNAL] Releases
>
> Nationwide Information Security Warning: This is an external email. Do not
> click on links or open attachments unless you trust the sender.
>
> --
>
> Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and 8.0.1.
> Shout if you need me to stop.
>
> Thanks
>
> Jon
>

Re: Releases

2019-12-05 Thread Jonathan Gallimore

Done - thanks Alexandre! I merged your change to both 7.1.x and 7.0.x.

Thanks

Jon

On Thu, Dec 5, 2019 at 7:53 AM Alex The Rocker  wrote:

> Hello Jon,
>
> Would it be possible to include my PR to update tomcat dependency with
> TOMEE-2746 ?
>
> Please note that I was only able to push this change for tomee-7.1.x -
> see my comment in this JIRA : maybe would it be nice to have same
> update on 7.0.x for upcoming 7.0.7 release ?
>
> Kind regards,
> Alexandre
>
> Le jeu. 5 déc. 2019 à 00:02, Jonathan Gallimore
>  a écrit :
> >
> > Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and
> 8.0.1.
> > Shout if you need me to stop.
> >
> > Thanks
> >
> > Jon
>

Re: Releases

2019-12-04 Thread Alex The Rocker

Hello Jon,

Would it be possible to include my PR to update tomcat dependency with
TOMEE-2746 ?

Please note that I was only able to push this change for tomee-7.1.x -
see my comment in this JIRA : maybe would it be nice to have same
update on 7.0.x for upcoming 7.0.7 release ?

Kind regards,
Alexandre

Le jeu. 5 déc. 2019 à 00:02, Jonathan Gallimore
 a écrit :
>
> Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and 8.0.1.
> Shout if you need me to stop.
>
> Thanks
>
> Jon

Re: Releases

2019-12-04 Thread Jenkins, Rodney J (Rod)

Jon,

When that is done, I’ll release new Docker images.

Which leads me to the next point.  We need a decision on how we want to move 
forward with the images.

Thanks,
Rod.


From: Jonathan Gallimore 
Sent: Wednesday, December 4, 2019 5:01:38 PM
To: dev@tomee.apache.org 
Subject: [EXTERNAL] Releases

Nationwide Information Security Warning: This is an external email. Do not 
click on links or open attachments unless you trust the sender.
--

Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and 8.0.1.
Shout if you need me to stop.

Thanks

Jon

Releases

2019-12-04 Thread Jonathan Gallimore

Just a heads up that I'm going to roll releases for 7.0.7, 7.1.2 and 8.0.1.
Shout if you need me to stop.

Thanks

Jon

Re: 7.1.x and 7.0.x releases

2019-11-07 Thread Jenkins, Rodney J (Rod)

No objections, but I will time this release with the docker releases, providing 
you all are happy with that.  That way, we don’t updated then in less than a 
week, we put out a new version and have to update docker again.

Thanks,
Rod.


On 11/7/19, 4:47 AM, "Jonathan Gallimore"  wrote:

Nationwide Information Security Warning: This is an external email. Do not 
click on links or open attachments unless you trust the sender.

--

Reviving this thread. I have one further update that I'd like to get in,
which is to update commons-daemon to the latest version which resolves an
issue running the Windows service with a 32bit JVM on a 64bit server. If
there's no objections, I'll roll releases for 7.0.7, 7.1.2 and 8.0.1 as ass
three have some dependency updates.

If you have any objections, please shout.

Jon

On Mon, Sep 30, 2019 at 6:10 PM Jonathan S. Fisher 
wrote:

> It was 5.15.9 that was causing problems with the failover transport (Which
> is a best practice to use). Essentially you memory leak when two or more
> physical activemq connections get involved in an XA transaction
>
> On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > I'm not against updating ActiveMQ on 7.0.x, but I suspect that might 
mean
> > we lose compatibility with Java 7. I forget which version Jonathan
> (Fisher)
> > is running, but I suspect that's not an issue for him.
> >
> > I'll take a look at the versions, and start a thread so the community 
can
> > decide what to do.
> >
> > Jon
> >
> > On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> wrote:
> >
> >> Hi Jonathan,
> >>
> >> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
> >>
> >> This update was conducted due to several CVE's related to its transient
> >> jackson-databind dependency.
> >>
> >> But, if I am right, you are still on 7.0.x - which has not been updated
> >> yet :)
> >>
> >> Best,
> >> Richard
> >>
> >> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
> >>
> >> So I've got a test case, but it will likely just be isolated to us. We
> were
> >>
> >> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on
> TLS
> >>
> >> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
> >>
> >> problem.
> >>
> >>
> >> So I guess take note of that if someone ever asks for an upgrade, the
> >>
> >> failover protocol will collapse a 32m JVM after about 10k messages.
> >>
> >>
> >> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
> >>
> >> jlmonte...@tomitribe.com> wrote:
> >>
> >>
> >> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API
> jar.
> >>
> >> New snapshot deployed.
> >>
> >>
> >> I'm waiting for the full build on master to pass and then I'll close 
the
> >>
> >> ticket and fire up the 2 releases so you can move on with TomEE
> >>
> >>
> >> --
> >>
> >> Jean-Louis Monteiro
> >>
> >> http://twitter.com/jlouismonteiro
> >>
> >> http://www.tomitribe.com
> >>
> >>
> >>
> >> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
> >>
> >> jonathan.gallim...@gmail.com> wrote:
> >>
> >>
> >> Oh wow, that would be amazing!
> >>
> >>
> >> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher  >
> >>
> >> wrote:
> >>
> >>
> >> I'll get a reproducer project put together that demos the bug.
> >>
> >>
> >> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> >>
> >> jonathan.gallim...@gmail.com> wrote:
> >>
> >>
> >> If we can come up with some good tests for it, I don't see why not.
> >>
> >>
> >> Jon
&

Re: 7.1.x and 7.0.x releases

2019-11-07 Thread Jonathan Gallimore

Reviving this thread. I have one further update that I'd like to get in,
which is to update commons-daemon to the latest version which resolves an
issue running the Windows service with a 32bit JVM on a 64bit server. If
there's no objections, I'll roll releases for 7.0.7, 7.1.2 and 8.0.1 as ass
three have some dependency updates.

If you have any objections, please shout.

Jon

On Mon, Sep 30, 2019 at 6:10 PM Jonathan S. Fisher 
wrote:

> It was 5.15.9 that was causing problems with the failover transport (Which
> is a best practice to use). Essentially you memory leak when two or more
> physical activemq connections get involved in an XA transaction
>
> On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > I'm not against updating ActiveMQ on 7.0.x, but I suspect that might mean
> > we lose compatibility with Java 7. I forget which version Jonathan
> (Fisher)
> > is running, but I suspect that's not an issue for him.
> >
> > I'll take a look at the versions, and start a thread so the community can
> > decide what to do.
> >
> > Jon
> >
> > On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> wrote:
> >
> >> Hi Jonathan,
> >>
> >> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
> >>
> >> This update was conducted due to several CVE's related to its transient
> >> jackson-databind dependency.
> >>
> >> But, if I am right, you are still on 7.0.x - which has not been updated
> >> yet :)
> >>
> >> Best,
> >> Richard
> >>
> >> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
> >>
> >> So I've got a test case, but it will likely just be isolated to us. We
> were
> >>
> >> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on
> TLS
> >>
> >> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
> >>
> >> problem.
> >>
> >>
> >> So I guess take note of that if someone ever asks for an upgrade, the
> >>
> >> failover protocol will collapse a 32m JVM after about 10k messages.
> >>
> >>
> >> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
> >>
> >> jlmonte...@tomitribe.com> wrote:
> >>
> >>
> >> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API
> jar.
> >>
> >> New snapshot deployed.
> >>
> >>
> >> I'm waiting for the full build on master to pass and then I'll close the
> >>
> >> ticket and fire up the 2 releases so you can move on with TomEE
> >>
> >>
> >> --
> >>
> >> Jean-Louis Monteiro
> >>
> >> http://twitter.com/jlouismonteiro
> >>
> >> http://www.tomitribe.com
> >>
> >>
> >>
> >> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
> >>
> >> jonathan.gallim...@gmail.com> wrote:
> >>
> >>
> >> Oh wow, that would be amazing!
> >>
> >>
> >> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher  >
> >>
> >> wrote:
> >>
> >>
> >> I'll get a reproducer project put together that demos the bug.
> >>
> >>
> >> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> >>
> >> jonathan.gallim...@gmail.com> wrote:
> >>
> >>
> >> If we can come up with some good tests for it, I don't see why not.
> >>
> >>
> >> Jon
> >>
> >>
> >> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
> >>
> >> exabr...@gmail.com>
> >>
> >> wrote:
> >>
> >>
> >> We've been running 7.0.x latest in prod for a few weeks with no
> >>
> >> issues
> >>
> >> other than the ActiveMQ Failover protocol memory leak issue (which
> >>
> >> affects
> >>
> >> all versions of TomEE).
> >>
> >> https://issues.apache.org/jira/browse/AMQ-6391 This is an issue
> >>
> >> now
> >>
> >> because
> >>
> >> our JMS Context / Connection Factories will actually be
> >>
> >> transactional
> >>
> >>
> >> Should/Could we patch the ActiveMQ jar?
> >>
> >>
> >>
> >>
> >> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> >>
>

Re: 7.1.x and 7.0.x releases

2019-10-01 Thread Jonathan S. Fisher

No, normal operation causes the problem

On Mon, Sep 30, 2019 at 4:11 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Does something need to failover in this scenario, in order to reproduce it?
>
> Jon
>
> On Mon, Sep 30, 2019 at 8:49 PM Jonathan S. Fisher 
> wrote:
>
> >  Here's the ref: https://issues.apache.org/jira/browse/AMQ-6391 The
> > scenario mentioned in the ticket is sending a message from an MDB, which
> > call connectionPool.getConnecion() twice. We actually haven't observed
> that
> > problem in practice (doesn't mean it's not happening though).
> >
> > >  I’d expect that transaction caching in the pooling would result in all
> > connection handles being associated with one managed connection in one
> > transaction
> > I actually wasn't aware this existed (go figure). This could be why we're
> > not seeing the issue on the MDB/Send a Message scenario.
> >
> > The scenario where we can reliably reproduce the problem is to have a
> Bean
> > Managed Transaction  start, send a bunch of messages, then commit the
> > transaction, all in the loop. While this isn't explicitly stated in the
> > original ticket, it has the same leak.
> >
> >
> >
> > On Mon, Sep 30, 2019 at 1:13 PM David Jencks 
> > wrote:
> >
> > > Could you explain this scenario further? Are there multiple activemq
> > > managed connections to different brokers but associated with the same
> > > connection handle? Or one managed connection associated with more than
> > one
> > > “physical” connection? I’d expect that transaction caching in the
> pooling
> > > would result in all connection handles being associated with one
> managed
> > > connection in one transaction.
> > >
> > > Thanks
> > > David Jencks
> > > Sent from my iPhone
> > >
> > > > On Sep 30, 2019, at 10:10 AM, Jonathan S. Fisher  >
> > > wrote:
> > > >
> > > > It was 5.15.9 that was causing problems with the failover transport
> > > (Which
> > > > is a best practice to use). Essentially you memory leak when two or
> > more
> > > > physical activemq connections get involved in an XA transaction
> > > >
> > > > On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> > > > jonathan.gallim...@gmail.com> wrote:
> > > >
> > > >> I'm not against updating ActiveMQ on 7.0.x, but I suspect that might
> > > mean
> > > >> we lose compatibility with Java 7. I forget which version Jonathan
> > > (Fisher)
> > > >> is running, but I suspect that's not an issue for him.
> > > >>
> > > >> I'll take a look at the versions, and start a thread so the
> community
> > > can
> > > >> decide what to do.
> > > >>
> > > >> Jon
> > > >>
> > > >> On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> > > >> richard.zowa...@hs-heilbronn.de> wrote:
> > > >>
> > > >>> Hi Jonathan,
> > > >>>
> > > >>> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
> > > >>>
> > > >>> This update was conducted due to several CVE's related to its
> > transient
> > > >>> jackson-databind dependency.
> > > >>>
> > > >>> But, if I am right, you are still on 7.0.x - which has not been
> > updated
> > > >>> yet :)
> > > >>>
> > > >>> Best,
> > > >>> Richard
> > > >>>
> > > >>> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S.
> Fisher:
> > > >>>
> > > >>> So I've got a test case, but it will likely just be isolated to us.
> > We
> > > were
> > > >>>
> > > >>> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking
> > on
> > > TLS
> > > >>>
> > > >>> certificates. If we keep the stock ActiveMQ rar/jar we don't see
> the
> > > >>>
> > > >>> problem.
> > > >>>
> > > >>>
> > > >>> So I guess take note of that if someone ever asks for an upgrade,
> the
> > > >>>
> > > >>> failover protocol will collapse a 32m JVM after about 10k messages.
> > > >>>
> > > >>>
> > > >

Re: 7.1.x and 7.0.x releases

2019-09-30 Thread Jonathan Gallimore

Does something need to failover in this scenario, in order to reproduce it?

Jon

On Mon, Sep 30, 2019 at 8:49 PM Jonathan S. Fisher 
wrote:

>  Here's the ref: https://issues.apache.org/jira/browse/AMQ-6391 The
> scenario mentioned in the ticket is sending a message from an MDB, which
> call connectionPool.getConnecion() twice. We actually haven't observed that
> problem in practice (doesn't mean it's not happening though).
>
> >  I’d expect that transaction caching in the pooling would result in all
> connection handles being associated with one managed connection in one
> transaction
> I actually wasn't aware this existed (go figure). This could be why we're
> not seeing the issue on the MDB/Send a Message scenario.
>
> The scenario where we can reliably reproduce the problem is to have a Bean
> Managed Transaction  start, send a bunch of messages, then commit the
> transaction, all in the loop. While this isn't explicitly stated in the
> original ticket, it has the same leak.
>
>
>
> On Mon, Sep 30, 2019 at 1:13 PM David Jencks 
> wrote:
>
> > Could you explain this scenario further? Are there multiple activemq
> > managed connections to different brokers but associated with the same
> > connection handle? Or one managed connection associated with more than
> one
> > “physical” connection? I’d expect that transaction caching in the pooling
> > would result in all connection handles being associated with one managed
> > connection in one transaction.
> >
> > Thanks
> > David Jencks
> > Sent from my iPhone
> >
> > > On Sep 30, 2019, at 10:10 AM, Jonathan S. Fisher 
> > wrote:
> > >
> > > It was 5.15.9 that was causing problems with the failover transport
> > (Which
> > > is a best practice to use). Essentially you memory leak when two or
> more
> > > physical activemq connections get involved in an XA transaction
> > >
> > > On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> > > jonathan.gallim...@gmail.com> wrote:
> > >
> > >> I'm not against updating ActiveMQ on 7.0.x, but I suspect that might
> > mean
> > >> we lose compatibility with Java 7. I forget which version Jonathan
> > (Fisher)
> > >> is running, but I suspect that's not an issue for him.
> > >>
> > >> I'll take a look at the versions, and start a thread so the community
> > can
> > >> decide what to do.
> > >>
> > >> Jon
> > >>
> > >> On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> > >> richard.zowa...@hs-heilbronn.de> wrote:
> > >>
> > >>> Hi Jonathan,
> > >>>
> > >>> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
> > >>>
> > >>> This update was conducted due to several CVE's related to its
> transient
> > >>> jackson-databind dependency.
> > >>>
> > >>> But, if I am right, you are still on 7.0.x - which has not been
> updated
> > >>> yet :)
> > >>>
> > >>> Best,
> > >>> Richard
> > >>>
> > >>> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
> > >>>
> > >>> So I've got a test case, but it will likely just be isolated to us.
> We
> > were
> > >>>
> > >>> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking
> on
> > TLS
> > >>>
> > >>> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
> > >>>
> > >>> problem.
> > >>>
> > >>>
> > >>> So I guess take note of that if someone ever asks for an upgrade, the
> > >>>
> > >>> failover protocol will collapse a 32m JVM after about 10k messages.
> > >>>
> > >>>
> > >>> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
> > >>>
> > >>> jlmonte...@tomitribe.com> wrote:
> > >>>
> > >>>
> > >>> I have opened this ticket and pushed a fix on both Java EE 7 and 8
> API
> > jar.
> > >>>
> > >>> New snapshot deployed.
> > >>>
> > >>>
> > >>> I'm waiting for the full build on master to pass and then I'll close
> > the
> > >>>
> > >>> ticket and fire up the 2 releases so you can move on with TomEE
> > >>>
> > >>>
> > >>> --
> > &

Re: 7.1.x and 7.0.x releases

2019-09-30 Thread Jonathan S. Fisher

 Here's the ref: https://issues.apache.org/jira/browse/AMQ-6391 The
scenario mentioned in the ticket is sending a message from an MDB, which
call connectionPool.getConnecion() twice. We actually haven't observed that
problem in practice (doesn't mean it's not happening though).

>  I’d expect that transaction caching in the pooling would result in all
connection handles being associated with one managed connection in one
transaction
I actually wasn't aware this existed (go figure). This could be why we're
not seeing the issue on the MDB/Send a Message scenario.

The scenario where we can reliably reproduce the problem is to have a Bean
Managed Transaction  start, send a bunch of messages, then commit the
transaction, all in the loop. While this isn't explicitly stated in the
original ticket, it has the same leak.



On Mon, Sep 30, 2019 at 1:13 PM David Jencks 
wrote:

> Could you explain this scenario further? Are there multiple activemq
> managed connections to different brokers but associated with the same
> connection handle? Or one managed connection associated with more than one
> “physical” connection? I’d expect that transaction caching in the pooling
> would result in all connection handles being associated with one managed
> connection in one transaction.
>
> Thanks
> David Jencks
> Sent from my iPhone
>
> > On Sep 30, 2019, at 10:10 AM, Jonathan S. Fisher 
> wrote:
> >
> > It was 5.15.9 that was causing problems with the failover transport
> (Which
> > is a best practice to use). Essentially you memory leak when two or more
> > physical activemq connections get involved in an XA transaction
> >
> > On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> >> I'm not against updating ActiveMQ on 7.0.x, but I suspect that might
> mean
> >> we lose compatibility with Java 7. I forget which version Jonathan
> (Fisher)
> >> is running, but I suspect that's not an issue for him.
> >>
> >> I'll take a look at the versions, and start a thread so the community
> can
> >> decide what to do.
> >>
> >> Jon
> >>
> >> On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> >> richard.zowa...@hs-heilbronn.de> wrote:
> >>
> >>> Hi Jonathan,
> >>>
> >>> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
> >>>
> >>> This update was conducted due to several CVE's related to its transient
> >>> jackson-databind dependency.
> >>>
> >>> But, if I am right, you are still on 7.0.x - which has not been updated
> >>> yet :)
> >>>
> >>> Best,
> >>> Richard
> >>>
> >>> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
> >>>
> >>> So I've got a test case, but it will likely just be isolated to us. We
> were
> >>>
> >>> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on
> TLS
> >>>
> >>> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
> >>>
> >>> problem.
> >>>
> >>>
> >>> So I guess take note of that if someone ever asks for an upgrade, the
> >>>
> >>> failover protocol will collapse a 32m JVM after about 10k messages.
> >>>
> >>>
> >>> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
> >>>
> >>> jlmonte...@tomitribe.com> wrote:
> >>>
> >>>
> >>> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API
> jar.
> >>>
> >>> New snapshot deployed.
> >>>
> >>>
> >>> I'm waiting for the full build on master to pass and then I'll close
> the
> >>>
> >>> ticket and fire up the 2 releases so you can move on with TomEE
> >>>
> >>>
> >>> --
> >>>
> >>> Jean-Louis Monteiro
> >>>
> >>> http://twitter.com/jlouismonteiro
> >>>
> >>> http://www.tomitribe.com
> >>>
> >>>
> >>>
> >>> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
> >>>
> >>> jonathan.gallim...@gmail.com> wrote:
> >>>
> >>>
> >>> Oh wow, that would be amazing!
> >>>
> >>>
> >>> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher <
> exabr...@gmail.com>
> >>>
> >>> wrote:
> >>>
> >>>
> >>> I'll

Re: 7.1.x and 7.0.x releases

2019-09-30 Thread David Jencks

Could you explain this scenario further? Are there multiple activemq managed 
connections to different brokers but associated with the same connection 
handle? Or one managed connection associated with more than one “physical” 
connection? I’d expect that transaction caching in the pooling would result in 
all connection handles being associated with one managed connection in one 
transaction.

Thanks
David Jencks 
Sent from my iPhone

> On Sep 30, 2019, at 10:10 AM, Jonathan S. Fisher  wrote:
> 
> It was 5.15.9 that was causing problems with the failover transport (Which
> is a best practice to use). Essentially you memory leak when two or more
> physical activemq connections get involved in an XA transaction
> 
> On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> 
>> I'm not against updating ActiveMQ on 7.0.x, but I suspect that might mean
>> we lose compatibility with Java 7. I forget which version Jonathan (Fisher)
>> is running, but I suspect that's not an issue for him.
>> 
>> I'll take a look at the versions, and start a thread so the community can
>> decide what to do.
>> 
>> Jon
>> 
>> On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
>> richard.zowa...@hs-heilbronn.de> wrote:
>> 
>>> Hi Jonathan,
>>> 
>>> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
>>> 
>>> This update was conducted due to several CVE's related to its transient
>>> jackson-databind dependency.
>>> 
>>> But, if I am right, you are still on 7.0.x - which has not been updated
>>> yet :)
>>> 
>>> Best,
>>> Richard
>>> 
>>> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
>>> 
>>> So I've got a test case, but it will likely just be isolated to us. We were
>>> 
>>> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on TLS
>>> 
>>> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
>>> 
>>> problem.
>>> 
>>> 
>>> So I guess take note of that if someone ever asks for an upgrade, the
>>> 
>>> failover protocol will collapse a 32m JVM after about 10k messages.
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
>>> 
>>> jlmonte...@tomitribe.com> wrote:
>>> 
>>> 
>>> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API jar.
>>> 
>>> New snapshot deployed.
>>> 
>>> 
>>> I'm waiting for the full build on master to pass and then I'll close the
>>> 
>>> ticket and fire up the 2 releases so you can move on with TomEE
>>> 
>>> 
>>> --
>>> 
>>> Jean-Louis Monteiro
>>> 
>>> http://twitter.com/jlouismonteiro
>>> 
>>> http://www.tomitribe.com
>>> 
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
>>> 
>>> jonathan.gallim...@gmail.com> wrote:
>>> 
>>> 
>>> Oh wow, that would be amazing!
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
>>> 
>>> wrote:
>>> 
>>> 
>>> I'll get a reproducer project put together that demos the bug.
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
>>> 
>>> jonathan.gallim...@gmail.com> wrote:
>>> 
>>> 
>>> If we can come up with some good tests for it, I don't see why not.
>>> 
>>> 
>>> Jon
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
>>> 
>>> exabr...@gmail.com>
>>> 
>>> wrote:
>>> 
>>> 
>>> We've been running 7.0.x latest in prod for a few weeks with no
>>> 
>>> issues
>>> 
>>> other than the ActiveMQ Failover protocol memory leak issue (which
>>> 
>>> affects
>>> 
>>> all versions of TomEE).
>>> 
>>> https://issues.apache.org/jira/browse/AMQ-6391 This is an issue
>>> 
>>> now
>>> 
>>> because
>>> 
>>> our JMS Context / Connection Factories will actually be
>>> 
>>> transactional
>>> 
>>> 
>>> Should/Could we patch the ActiveMQ jar?
>>> 
>>> 
>>> 
>>> 
>>> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro

Re: 7.1.x and 7.0.x releases

2019-09-30 Thread Jonathan S. Fisher

It was 5.15.9 that was causing problems with the failover transport (Which
is a best practice to use). Essentially you memory leak when two or more
physical activemq connections get involved in an XA transaction

On Fri, Sep 27, 2019 at 3:55 AM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I'm not against updating ActiveMQ on 7.0.x, but I suspect that might mean
> we lose compatibility with Java 7. I forget which version Jonathan (Fisher)
> is running, but I suspect that's not an issue for him.
>
> I'll take a look at the versions, and start a thread so the community can
> decide what to do.
>
> Jon
>
> On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> wrote:
>
>> Hi Jonathan,
>>
>> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
>>
>> This update was conducted due to several CVE's related to its transient
>> jackson-databind dependency.
>>
>> But, if I am right, you are still on 7.0.x - which has not been updated
>> yet :)
>>
>> Best,
>> Richard
>>
>> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
>>
>> So I've got a test case, but it will likely just be isolated to us. We were
>>
>> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on TLS
>>
>> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
>>
>> problem.
>>
>>
>> So I guess take note of that if someone ever asks for an upgrade, the
>>
>> failover protocol will collapse a 32m JVM after about 10k messages.
>>
>>
>> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
>>
>> jlmonte...@tomitribe.com> wrote:
>>
>>
>> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API jar.
>>
>> New snapshot deployed.
>>
>>
>> I'm waiting for the full build on master to pass and then I'll close the
>>
>> ticket and fire up the 2 releases so you can move on with TomEE
>>
>>
>> --
>>
>> Jean-Louis Monteiro
>>
>> http://twitter.com/jlouismonteiro
>>
>> http://www.tomitribe.com
>>
>>
>>
>> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
>>
>> jonathan.gallim...@gmail.com> wrote:
>>
>>
>> Oh wow, that would be amazing!
>>
>>
>> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
>>
>> wrote:
>>
>>
>> I'll get a reproducer project put together that demos the bug.
>>
>>
>> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
>>
>> jonathan.gallim...@gmail.com> wrote:
>>
>>
>> If we can come up with some good tests for it, I don't see why not.
>>
>>
>> Jon
>>
>>
>> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
>>
>> exabr...@gmail.com>
>>
>> wrote:
>>
>>
>> We've been running 7.0.x latest in prod for a few weeks with no
>>
>> issues
>>
>> other than the ActiveMQ Failover protocol memory leak issue (which
>>
>> affects
>>
>> all versions of TomEE).
>>
>> https://issues.apache.org/jira/browse/AMQ-6391 This is an issue
>>
>> now
>>
>> because
>>
>> our JMS Context / Connection Factories will actually be
>>
>> transactional
>>
>>
>> Should/Could we patch the ActiveMQ jar?
>>
>>
>>
>>
>> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
>>
>> jlmonte...@tomitribe.com> wrote:
>>
>>
>> The Locator issue raised earlier today. Would be great to get the
>>
>> fix
>>
>> in
>>
>> before rolling.
>>
>> --
>>
>> Jean-Louis Monteiro
>>
>> http://twitter.com/jlouismonteiro
>>
>> http://www.tomitribe.com
>>
>>
>>
>> On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
>>
>> jonathan.gallim...@gmail.com> wrote:
>>
>>
>> I'm just doing some cleanup on these branches. I'm thinking its
>>
>> probably time we put out new releases as these branches have
>>
>> seen
>>
>> some
>>
>> fixes.
>>
>>
>> Is there anything that we think is missing before I kick off
>>
>> some
>>
>> releases
>>
>> and votes?
>>
>>
>> I'd like to get the quartz-openejb-shade update if possible -
>>
>> that
>>
>> needs
>>
>> some more reviewers and votes.
>>
>>
>> Jon
>>
>>
>>
>>
>>
>> --
>>
>> Jonathan | exabr...@gmail.com
>>
>> Pessimists, see a jar as half empty. Optimists, in contrast, see it
>>
>> as
>>
>> half
>>
>> full.
>>
>> Engineers, of course, understand the glass is twice as big as it
>>
>> needs
>>
>> to
>>
>> be.
>>
>>
>>
>>
>>
>> --
>>
>> Jonathan | exabr...@gmail.com
>>
>> Pessimists, see a jar as half empty. Optimists, in contrast, see it as
>>
>> half
>>
>> full.
>>
>> Engineers, of course, understand the glass is twice as big as it needs
>>
>> to
>>
>> be.
>>
>>
>>
>>
>>
>>
>>
>> --
>>
>> Richard Zowalla, M.Sc.
>> Research Associate, PhD Student | Medical Informatics
>>
>>
>>
>> Hochschule Heilbronn – University of Applied Sciences
>> Max-Planck-Str. 39
>> D-74081 Heilbronn
>> phone: +49 7131 504 6791
>> mail: richard.zowa...@hs-heilbronn.de
>> web: http://www.mi.hs-heilbronn.de/
>>
>

-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.

Re: 7.1.x and 7.0.x releases

2019-09-27 Thread Jonathan Gallimore

I'm not against updating ActiveMQ on 7.0.x, but I suspect that might mean
we lose compatibility with Java 7. I forget which version Jonathan (Fisher)
is running, but I suspect that's not an issue for him.

I'll take a look at the versions, and start a thread so the community can
decide what to do.

Jon

On Fri, Sep 27, 2019 at 9:39 AM Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> wrote:

> Hi Jonathan,
>
> current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
>
> This update was conducted due to several CVE's related to its transient
> jackson-databind dependency.
>
> But, if I am right, you are still on 7.0.x - which has not been updated
> yet :)
>
> Best,
> Richard
>
> Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
>
> So I've got a test case, but it will likely just be isolated to us. We were
>
> upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on TLS
>
> certificates. If we keep the stock ActiveMQ rar/jar we don't see the
>
> problem.
>
>
> So I guess take note of that if someone ever asks for an upgrade, the
>
> failover protocol will collapse a 32m JVM after about 10k messages.
>
>
> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
>
> jlmonte...@tomitribe.com> wrote:
>
>
> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API jar.
>
> New snapshot deployed.
>
>
> I'm waiting for the full build on master to pass and then I'll close the
>
> ticket and fire up the 2 releases so you can move on with TomEE
>
>
> --
>
> Jean-Louis Monteiro
>
> http://twitter.com/jlouismonteiro
>
> http://www.tomitribe.com
>
>
>
> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
>
> jonathan.gallim...@gmail.com> wrote:
>
>
> Oh wow, that would be amazing!
>
>
> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
>
> wrote:
>
>
> I'll get a reproducer project put together that demos the bug.
>
>
> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
>
> jonathan.gallim...@gmail.com> wrote:
>
>
> If we can come up with some good tests for it, I don't see why not.
>
>
> Jon
>
>
> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
>
> exabr...@gmail.com>
>
> wrote:
>
>
> We've been running 7.0.x latest in prod for a few weeks with no
>
> issues
>
> other than the ActiveMQ Failover protocol memory leak issue (which
>
> affects
>
> all versions of TomEE).
>
> https://issues.apache.org/jira/browse/AMQ-6391 This is an issue
>
> now
>
> because
>
> our JMS Context / Connection Factories will actually be
>
> transactional
>
>
> Should/Could we patch the ActiveMQ jar?
>
>
>
>
> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
>
> jlmonte...@tomitribe.com> wrote:
>
>
> The Locator issue raised earlier today. Would be great to get the
>
> fix
>
> in
>
> before rolling.
>
> --
>
> Jean-Louis Monteiro
>
> http://twitter.com/jlouismonteiro
>
> http://www.tomitribe.com
>
>
>
> On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
>
> jonathan.gallim...@gmail.com> wrote:
>
>
> I'm just doing some cleanup on these branches. I'm thinking its
>
> probably time we put out new releases as these branches have
>
> seen
>
> some
>
> fixes.
>
>
> Is there anything that we think is missing before I kick off
>
> some
>
> releases
>
> and votes?
>
>
> I'd like to get the quartz-openejb-shade update if possible -
>
> that
>
> needs
>
> some more reviewers and votes.
>
>
> Jon
>
>
>
>
>
> --
>
> Jonathan | exabr...@gmail.com
>
> Pessimists, see a jar as half empty. Optimists, in contrast, see it
>
> as
>
> half
>
> full.
>
> Engineers, of course, understand the glass is twice as big as it
>
> needs
>
> to
>
> be.
>
>
>
>
>
> --
>
> Jonathan | exabr...@gmail.com
>
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as
>
> half
>
> full.
>
> Engineers, of course, understand the glass is twice as big as it needs
>
> to
>
> be.
>
>
>
>
>
>
>
> --
>
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
>
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: richard.zowa...@hs-heilbronn.de
> web: http://www.mi.hs-heilbronn.de/
>

Re: 7.1.x and 7.0.x releases

2019-09-27 Thread Zowalla, Richard

Hi Jonathan,
current 7.1.1-SNAPSHOT branch is on ActiveMQ 5.15.10
This update was conducted due to several CVE's related to its transient
jackson-databind dependency.
But, if I am right, you are still on 7.0.x - which has not been updated
yet :)
Best,Richard
Am Dienstag, den 24.09.2019, 10:57 -0500 schrieb Jonathan S. Fisher:
> So I've got a test case, but it will likely just be isolated to us.
> We wereupgrading the ActiveMQ RAR to 5.15.9 to enable strict host
> checking on TLScertificates. If we keep the stock ActiveMQ rar/jar we
> don't see theproblem.
> So I guess take note of that if someone ever asks for an upgrade,
> thefailover protocol will collapse a 32m JVM after about 10k
> messages.
> On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
> I have opened this ticket and pushed a fix on both Java EE 7 and 8
> API jar.New snapshot deployed.
> I'm waiting for the full build on master to pass and then I'll close
> theticket and fire up the 2 releases so you can move on with TomEE
> --Jean-Louis Monteiro
> http://twitter.com/jlouismonteirohttp://www.tomitribe.com
> 
> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> Oh wow, that would be amazing!
> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher <
> exabr...@gmail.com>wrote:
> I'll get a reproducer project put together that demos the bug.
> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> If we can come up with some good tests for it, I don't see why not.
> Jon
> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
> exabr...@gmail.com>
> wrote:
> We've been running 7.0.x latest in prod for a few weeks with noissues
> other than the ActiveMQ Failover protocol memory leak issue
> (whichaffects
> all versions of TomEE).https://issues.apache.org/jira/browse/AMQ-6391
>  This is an issuenow
> becauseour JMS Context / Connection Factories will actually
> betransactional
> 
> Should/Could we patch the ActiveMQ jar?
> 
> 
> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
> The Locator issue raised earlier today. Would be great to get thefix
> in
> before rolling.--Jean-Louis Monteiro
> http://twitter.com/jlouismonteirohttp://www.tomitribe.com
> 
> On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
> I'm just doing some cleanup on these branches. I'm thinking
> itsprobably time we put out new releases as these branches haveseen
> some
> fixes.
> Is there anything that we think is missing before I kick offsome
> releases
> and votes?
> I'd like to get the quartz-openejb-shade update if possible -that
> needs
> some more reviewers and votes.
> Jon
> 
> 
> 
> --Jonathan | exabrial@gmail.comPessimists, see a jar as half empty.
> Optimists, in contrast, see itas
> half
> full.Engineers, of course, understand the glass is twice as big as
> itneeds
> to
> be.
> 
> 
> 
> --Jonathan | exabrial@gmail.comPessimists, see a jar as half empty.
> Optimists, in contrast, see it ashalf
> full.Engineers, of course, understand the glass is twice as big as it
> needsto
> be.
> 
> 
> 
> 
> 
-- 
Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical Informatics


Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str. 39 D-74081 
Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-heilbronn.deweb: 
http://www.mi.hs-heilbronn.de/ 


smime.p7s
Description: S/MIME cryptographic signature

Re: 7.1.x and 7.0.x releases

2019-09-24 Thread Alex The Rocker

Hello Jon,

As long latest CVE fixes are part of upcoming 7.0.x & 7.1.x, that's a
very good thing to have such refresh as soon as possible.

Kind regards,
Alexandre

Le lun. 23 sept. 2019 à 21:33, Jonathan Gallimore
 a écrit :
>
> I'm just doing some cleanup on these branches. I'm thinking its
> probably time we put out new releases as these branches have seen some
> fixes.
>
> Is there anything that we think is missing before I kick off some releases
> and votes?
>
> I'd like to get the quartz-openejb-shade update if possible - that needs
> some more reviewers and votes.
>
> Jon

Re: 7.1.x and 7.0.x releases

2019-09-24 Thread Jonathan S. Fisher

So I've got a test case, but it will likely just be isolated to us. We were
upgrading the ActiveMQ RAR to 5.15.9 to enable strict host checking on TLS
certificates. If we keep the stock ActiveMQ rar/jar we don't see the
problem.

So I guess take note of that if someone ever asks for an upgrade, the
failover protocol will collapse a 32m JVM after about 10k messages.

On Mon, Sep 23, 2019 at 5:20 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> I have opened this ticket and pushed a fix on both Java EE 7 and 8 API jar.
> New snapshot deployed.
>
> I'm waiting for the full build on master to pass and then I'll close the
> ticket and fire up the 2 releases so you can move on with TomEE
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > Oh wow, that would be amazing!
> >
> > On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
> > wrote:
> >
> > > I'll get a reproducer project put together that demos the bug.
> > >
> > > On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> > > jonathan.gallim...@gmail.com> wrote:
> > >
> > > > If we can come up with some good tests for it, I don't see why not.
> > > >
> > > > Jon
> > > >
> > > > On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
> > exabr...@gmail.com>
> > > > wrote:
> > > >
> > > > > We've been running 7.0.x latest in prod for a few weeks with no
> > issues
> > > > > other than the ActiveMQ Failover protocol memory leak issue (which
> > > > affects
> > > > > all versions of TomEE).
> > > > > https://issues.apache.org/jira/browse/AMQ-6391 This is an issue
> now
> > > > > because
> > > > > our JMS Context / Connection Factories will actually be
> transactional
> > > > >
> > > > > Should/Could we patch the ActiveMQ jar?
> > > > >
> > > > >
> > > > >
> > > > > On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> > > > > jlmonte...@tomitribe.com> wrote:
> > > > >
> > > > > > The Locator issue raised earlier today. Would be great to get the
> > fix
> > > > in
> > > > > > before rolling.
> > > > > > --
> > > > > > Jean-Louis Monteiro
> > > > > > http://twitter.com/jlouismonteiro
> > > > > > http://www.tomitribe.com
> > > > > >
> > > > > >
> > > > > > On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> > > > > > jonathan.gallim...@gmail.com> wrote:
> > > > > >
> > > > > > > I'm just doing some cleanup on these branches. I'm thinking its
> > > > > > > probably time we put out new releases as these branches have
> seen
> > > > some
> > > > > > > fixes.
> > > > > > >
> > > > > > > Is there anything that we think is missing before I kick off
> some
> > > > > > releases
> > > > > > > and votes?
> > > > > > >
> > > > > > > I'd like to get the quartz-openejb-shade update if possible -
> > that
> > > > > needs
> > > > > > > some more reviewers and votes.
> > > > > > >
> > > > > > > Jon
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Jonathan | exabr...@gmail.com
> > > > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
> > as
> > > > half
> > > > > full.
> > > > > Engineers, of course, understand the glass is twice as big as it
> > needs
> > > to
> > > > > be.
> > > > >
> > > >
> > >
> > >
> > > --
> > > Jonathan | exabr...@gmail.com
> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> > half
> > > full.
> > > Engineers, of course, understand the glass is twice as big as it needs
> to
> > > be.
> > >
> >
>


-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jean-Louis Monteiro

I have opened this ticket and pushed a fix on both Java EE 7 and 8 API jar.
New snapshot deployed.

I'm waiting for the full build on master to pass and then I'll close the
ticket and fire up the 2 releases so you can move on with TomEE

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Sep 23, 2019 at 3:03 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Oh wow, that would be amazing!
>
> On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
> wrote:
>
> > I'll get a reproducer project put together that demos the bug.
> >
> > On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > If we can come up with some good tests for it, I don't see why not.
> > >
> > > Jon
> > >
> > > On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher <
> exabr...@gmail.com>
> > > wrote:
> > >
> > > > We've been running 7.0.x latest in prod for a few weeks with no
> issues
> > > > other than the ActiveMQ Failover protocol memory leak issue (which
> > > affects
> > > > all versions of TomEE).
> > > > https://issues.apache.org/jira/browse/AMQ-6391 This is an issue now
> > > > because
> > > > our JMS Context / Connection Factories will actually be transactional
> > > >
> > > > Should/Could we patch the ActiveMQ jar?
> > > >
> > > >
> > > >
> > > > On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> > > > jlmonte...@tomitribe.com> wrote:
> > > >
> > > > > The Locator issue raised earlier today. Would be great to get the
> fix
> > > in
> > > > > before rolling.
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > > >
> > > > >
> > > > > On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> > > > > jonathan.gallim...@gmail.com> wrote:
> > > > >
> > > > > > I'm just doing some cleanup on these branches. I'm thinking its
> > > > > > probably time we put out new releases as these branches have seen
> > > some
> > > > > > fixes.
> > > > > >
> > > > > > Is there anything that we think is missing before I kick off some
> > > > > releases
> > > > > > and votes?
> > > > > >
> > > > > > I'd like to get the quartz-openejb-shade update if possible -
> that
> > > > needs
> > > > > > some more reviewers and votes.
> > > > > >
> > > > > > Jon
> > > > > >
> > > > >
> > > >
> > > >
> > > > --
> > > > Jonathan | exabr...@gmail.com
> > > > Pessimists, see a jar as half empty. Optimists, in contrast, see it
> as
> > > half
> > > > full.
> > > > Engineers, of course, understand the glass is twice as big as it
> needs
> > to
> > > > be.
> > > >
> > >
> >
> >
> > --
> > Jonathan | exabr...@gmail.com
> > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> half
> > full.
> > Engineers, of course, understand the glass is twice as big as it needs to
> > be.
> >
>

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jonathan Gallimore

Oh wow, that would be amazing!

On Mon, Sep 23, 2019 at 10:49 PM Jonathan S. Fisher 
wrote:

> I'll get a reproducer project put together that demos the bug.
>
> On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > If we can come up with some good tests for it, I don't see why not.
> >
> > Jon
> >
> > On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher 
> > wrote:
> >
> > > We've been running 7.0.x latest in prod for a few weeks with no issues
> > > other than the ActiveMQ Failover protocol memory leak issue (which
> > affects
> > > all versions of TomEE).
> > > https://issues.apache.org/jira/browse/AMQ-6391 This is an issue now
> > > because
> > > our JMS Context / Connection Factories will actually be transactional
> > >
> > > Should/Could we patch the ActiveMQ jar?
> > >
> > >
> > >
> > > On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> > > jlmonte...@tomitribe.com> wrote:
> > >
> > > > The Locator issue raised earlier today. Would be great to get the fix
> > in
> > > > before rolling.
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > >
> > > >
> > > > On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> > > > jonathan.gallim...@gmail.com> wrote:
> > > >
> > > > > I'm just doing some cleanup on these branches. I'm thinking its
> > > > > probably time we put out new releases as these branches have seen
> > some
> > > > > fixes.
> > > > >
> > > > > Is there anything that we think is missing before I kick off some
> > > > releases
> > > > > and votes?
> > > > >
> > > > > I'd like to get the quartz-openejb-shade update if possible - that
> > > needs
> > > > > some more reviewers and votes.
> > > > >
> > > > > Jon
> > > > >
> > > >
> > >
> > >
> > > --
> > > Jonathan | exabr...@gmail.com
> > > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> > half
> > > full.
> > > Engineers, of course, understand the glass is twice as big as it needs
> to
> > > be.
> > >
> >
>
>
> --
> Jonathan | exabr...@gmail.com
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
> full.
> Engineers, of course, understand the glass is twice as big as it needs to
> be.
>

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jonathan S. Fisher

I'll get a reproducer project put together that demos the bug.

On Mon, Sep 23, 2019 at 4:32 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> If we can come up with some good tests for it, I don't see why not.
>
> Jon
>
> On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher 
> wrote:
>
> > We've been running 7.0.x latest in prod for a few weeks with no issues
> > other than the ActiveMQ Failover protocol memory leak issue (which
> affects
> > all versions of TomEE).
> > https://issues.apache.org/jira/browse/AMQ-6391 This is an issue now
> > because
> > our JMS Context / Connection Factories will actually be transactional
> >
> > Should/Could we patch the ActiveMQ jar?
> >
> >
> >
> > On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> > jlmonte...@tomitribe.com> wrote:
> >
> > > The Locator issue raised earlier today. Would be great to get the fix
> in
> > > before rolling.
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > >
> > >
> > > On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> > > jonathan.gallim...@gmail.com> wrote:
> > >
> > > > I'm just doing some cleanup on these branches. I'm thinking its
> > > > probably time we put out new releases as these branches have seen
> some
> > > > fixes.
> > > >
> > > > Is there anything that we think is missing before I kick off some
> > > releases
> > > > and votes?
> > > >
> > > > I'd like to get the quartz-openejb-shade update if possible - that
> > needs
> > > > some more reviewers and votes.
> > > >
> > > > Jon
> > > >
> > >
> >
> >
> > --
> > Jonathan | exabr...@gmail.com
> > Pessimists, see a jar as half empty. Optimists, in contrast, see it as
> half
> > full.
> > Engineers, of course, understand the glass is twice as big as it needs to
> > be.
> >
>


-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jonathan Gallimore

If we can come up with some good tests for it, I don't see why not.

Jon

On Mon, Sep 23, 2019 at 10:25 PM Jonathan S. Fisher 
wrote:

> We've been running 7.0.x latest in prod for a few weeks with no issues
> other than the ActiveMQ Failover protocol memory leak issue (which affects
> all versions of TomEE).
> https://issues.apache.org/jira/browse/AMQ-6391 This is an issue now
> because
> our JMS Context / Connection Factories will actually be transactional
>
> Should/Could we patch the ActiveMQ jar?
>
>
>
> On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
> jlmonte...@tomitribe.com> wrote:
>
> > The Locator issue raised earlier today. Would be great to get the fix in
> > before rolling.
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> > jonathan.gallim...@gmail.com> wrote:
> >
> > > I'm just doing some cleanup on these branches. I'm thinking its
> > > probably time we put out new releases as these branches have seen some
> > > fixes.
> > >
> > > Is there anything that we think is missing before I kick off some
> > releases
> > > and votes?
> > >
> > > I'd like to get the quartz-openejb-shade update if possible - that
> needs
> > > some more reviewers and votes.
> > >
> > > Jon
> > >
> >
>
>
> --
> Jonathan | exabr...@gmail.com
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
> full.
> Engineers, of course, understand the glass is twice as big as it needs to
> be.
>

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jonathan S. Fisher

We've been running 7.0.x latest in prod for a few weeks with no issues
other than the ActiveMQ Failover protocol memory leak issue (which affects
all versions of TomEE).
https://issues.apache.org/jira/browse/AMQ-6391 This is an issue now because
our JMS Context / Connection Factories will actually be transactional

Should/Could we patch the ActiveMQ jar?



On Mon, Sep 23, 2019 at 3:24 PM Jean-Louis Monteiro <
jlmonte...@tomitribe.com> wrote:

> The Locator issue raised earlier today. Would be great to get the fix in
> before rolling.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
> jonathan.gallim...@gmail.com> wrote:
>
> > I'm just doing some cleanup on these branches. I'm thinking its
> > probably time we put out new releases as these branches have seen some
> > fixes.
> >
> > Is there anything that we think is missing before I kick off some
> releases
> > and votes?
> >
> > I'd like to get the quartz-openejb-shade update if possible - that needs
> > some more reviewers and votes.
> >
> > Jon
> >
>


-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.

Re: 7.1.x and 7.0.x releases

2019-09-23 Thread Jean-Louis Monteiro

The Locator issue raised earlier today. Would be great to get the fix in
before rolling.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Mon, Sep 23, 2019 at 12:33 PM Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> I'm just doing some cleanup on these branches. I'm thinking its
> probably time we put out new releases as these branches have seen some
> fixes.
>
> Is there anything that we think is missing before I kick off some releases
> and votes?
>
> I'd like to get the quartz-openejb-shade update if possible - that needs
> some more reviewers and votes.
>
> Jon
>

7.1.x and 7.0.x releases

2019-09-23 Thread Jonathan Gallimore

I'm just doing some cleanup on these branches. I'm thinking its
probably time we put out new releases as these branches have seen some
fixes.

Is there anything that we think is missing before I kick off some releases
and votes?

I'd like to get the quartz-openejb-shade update if possible - that needs
some more reviewers and votes.

Jon

Re: TomEE 7.0.6 and 7.1.1 releases

2019-08-26 Thread Salomon Mayengue

Hi Jonathan,
I missed this email and I just see the content of the release 7.1.1. Any
idea why the issue TOMEE-2465 is not inside?
Thank You

Le ven. 28 juin 2019 à 16:32, COURTAULT Francois <
francois.courta...@thalesgroup.com> a écrit :

> Hello Jonathan,
>
> It will be great because this issue  was really a blocking one for us.
> Any release date for TomEE 7.1.2  ?
>
> Best Regards.
>
> -Original Message-
> From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> Sent: vendredi 28 juin 2019 16:19
> To: us...@tomee.apache.org
> Subject: Re: TomEE 7.0.6 and 7.1.1 releases
>
> At the time of the rollback, the artifacts hadn't been released, and
> therefore the change ended up breaking the build. I see no reason why we
> can't update this to 3.1.18 now, and I'll commit that change.
>
> Jon
>
> On Thu, Jun 27, 2019 at 4:31 PM COURTAULT Francois <
> francois.courta...@thalesgroup.com> wrote:
>
> > Hello,
> >
> > Any reason for the rollback ?
> >
> > I ask this question because we have a CXF issue (CXF-7869) which has
> > been fixed in cxf 3.1.18 when using TomEE 7.1.0.
> > So I would be pleased to have this version included in TomEE 7.x.
> >
> > Best Regards.
> >
> > -Original Message-
> > From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> > Sent: mardi 25 juin 2019 22:20
> > To: us...@tomee.apache.org
> > Cc: dev@tomee.apache.org
> > Subject: Re: TomEE 7.0.6 and 7.1.1 releases
> >
> > Correct - apologies for the mistake. We'll update that ticket and
> > (hopefully) it'll drop off the release notes.
> >
> > On Tue, Jun 25, 2019 at 9:12 PM Jonathan S. Fisher
> > 
> > wrote:
> >
> > > IIRC that was my patch and we rolled it back...
> > >
> > > On Tue, Jun 25, 2019 at 2:11 PM COURTAULT Francois <
> > > francois.courta...@thalesgroup.com> wrote:
> > >
> > > > Hello Jonathan,
> > > >
> > > > In the release note you provide, it's written: [TOMEE-2268] -
> > > > Upgrade to CXF to 3.1.18 But after downloading TomEE 7.1.1 web
> > > > profile, TomEE 7.1.1 micro profile and TomEE 7.1.1 plus, and
> > > > looking under the lib folder, I only see:
> > > > cxf-core-3.1.17.jar and cxf-rt-*-3.1.17.jar.
> > > > No 3.1.18 at all.
> > > >
> > > > Mistake ?
> > > >
> > > > Best Regards.
> > > >
> > > >
> > > > -Original Message-
> > > > From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> > > > Sent: vendredi 21 juin 2019 15:12
> > > > To: us...@tomee.apache.org; dev@tomee.apache.org
> > > > Subject: TomEE 7.0.6 and 7.1.1 releases
> > > >
> > > > Hi All,
> > > >
> > > > I'm pleased to announce that new releases of TomEE - versions
> > > > 7.0.6 and
> > > > 7.1.1 - are now available. These are maintenance releases of the
> > > > 7.0.x
> > > and
> > > > 7.1.x branches respectively.
> > > >
> > > > The JIRAs for each release are here:
> > > >
> > > > 7.0.6:
> > > >
> > > >
> > > https://issu
> > > es.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312
> > > 32
> > > 0%26version%3D12342069data=02%7C01%7CFrancois.COURTAULT%40gemal
> > > to
> > > .com%7C37c9b3e7ef43408c267408d6f9aa8312%7C37d0a9db7c464096bfe31add5b
> > > 49
> > > 5d6d%7C0%7C0%7C636970908073437656sdata=w%2BE%2FfaAS9mOQAfaF2Tfl
> > > Fn
> > > lDRxmDlsuTVGyWBX46UHo%3Dreserved=0
> > > >
> > > > 7.1.1:
> > > >
> > > >
> > > https://issu
> > > es.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312
> > > 32
> > > 0%26version%3D12344119data=02%7C01%7CFrancois.COURTAULT%40gemal
> > > to
> > > .com%7C37c9b3e7ef43408c267408d6f9aa8312%7C37d0a9db7c464096bfe31add5b
> > > 49
> > > 5d6d%7C0%7C0%7C636970908073437656sdata=Jo6DO9MIcyOMZzCFi1h0SNtk
> > > 0a
> > > %2FvUTSYZFGYNdZn%2FAc%3Dreserved=0
> > > >
> > > > Jon
> > > > 
> > > >  This message and any attachments are intended solely for the
> > > > addressees and may contain confidential information. Any
> > > > unauthorized use or disclosure, either whole or partial, is
> prohibited.
> > > > E-mails are susceptible to alteration. Our

RE: TomEE 7.0.6 and 7.1.1 releases

2019-06-28 Thread COURTAULT Francois

Hello Jonathan,

It will be great because this issue  was really a blocking one for us.
Any release date for TomEE 7.1.2  ?

Best Regards.

-Original Message-
From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
Sent: vendredi 28 juin 2019 16:19
To: us...@tomee.apache.org
Subject: Re: TomEE 7.0.6 and 7.1.1 releases

At the time of the rollback, the artifacts hadn't been released, and therefore 
the change ended up breaking the build. I see no reason why we can't update 
this to 3.1.18 now, and I'll commit that change.

Jon

On Thu, Jun 27, 2019 at 4:31 PM COURTAULT Francois < 
francois.courta...@thalesgroup.com> wrote:

> Hello,
>
> Any reason for the rollback ?
>
> I ask this question because we have a CXF issue (CXF-7869) which has
> been fixed in cxf 3.1.18 when using TomEE 7.1.0.
> So I would be pleased to have this version included in TomEE 7.x.
>
> Best Regards.
>
> -Original Message-
> From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> Sent: mardi 25 juin 2019 22:20
> To: us...@tomee.apache.org
> Cc: dev@tomee.apache.org
> Subject: Re: TomEE 7.0.6 and 7.1.1 releases
>
> Correct - apologies for the mistake. We'll update that ticket and
> (hopefully) it'll drop off the release notes.
>
> On Tue, Jun 25, 2019 at 9:12 PM Jonathan S. Fisher
> 
> wrote:
>
> > IIRC that was my patch and we rolled it back...
> >
> > On Tue, Jun 25, 2019 at 2:11 PM COURTAULT Francois <
> > francois.courta...@thalesgroup.com> wrote:
> >
> > > Hello Jonathan,
> > >
> > > In the release note you provide, it's written: [TOMEE-2268] -
> > > Upgrade to CXF to 3.1.18 But after downloading TomEE 7.1.1 web
> > > profile, TomEE 7.1.1 micro profile and TomEE 7.1.1 plus, and
> > > looking under the lib folder, I only see:
> > > cxf-core-3.1.17.jar and cxf-rt-*-3.1.17.jar.
> > > No 3.1.18 at all.
> > >
> > > Mistake ?
> > >
> > > Best Regards.
> > >
> > >
> > > -Original Message-
> > > From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> > > Sent: vendredi 21 juin 2019 15:12
> > > To: us...@tomee.apache.org; dev@tomee.apache.org
> > > Subject: TomEE 7.0.6 and 7.1.1 releases
> > >
> > > Hi All,
> > >
> > > I'm pleased to announce that new releases of TomEE - versions
> > > 7.0.6 and
> > > 7.1.1 - are now available. These are maintenance releases of the
> > > 7.0.x
> > and
> > > 7.1.x branches respectively.
> > >
> > > The JIRAs for each release are here:
> > >
> > > 7.0.6:
> > >
> > >
> > https://issu
> > es.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312
> > 32
> > 0%26version%3D12342069data=02%7C01%7CFrancois.COURTAULT%40gemal
> > to
> > .com%7C37c9b3e7ef43408c267408d6f9aa8312%7C37d0a9db7c464096bfe31add5b
> > 49
> > 5d6d%7C0%7C0%7C636970908073437656sdata=w%2BE%2FfaAS9mOQAfaF2Tfl
> > Fn
> > lDRxmDlsuTVGyWBX46UHo%3Dreserved=0
> > >
> > > 7.1.1:
> > >
> > >
> > https://issu
> > es.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312
> > 32
> > 0%26version%3D12344119data=02%7C01%7CFrancois.COURTAULT%40gemal
> > to
> > .com%7C37c9b3e7ef43408c267408d6f9aa8312%7C37d0a9db7c464096bfe31add5b
> > 49
> > 5d6d%7C0%7C0%7C636970908073437656sdata=Jo6DO9MIcyOMZzCFi1h0SNtk
> > 0a
> > %2FvUTSYZFGYNdZn%2FAc%3Dreserved=0
> > >
> > > Jon
> > > 
> > >  This message and any attachments are intended solely for the
> > > addressees and may contain confidential information. Any
> > > unauthorized use or disclosure, either whole or partial, is prohibited.
> > > E-mails are susceptible to alteration. Our company shall not be
> > > liable
> > for
> > > the message if altered, changed or falsified. If you are not the
> > > intended recipient of this message, please delete it and notify
> > > the
> sender.
> > > Although all reasonable efforts have been made to keep this
> > > transmission free from viruses, the sender will not be liable for
> > > damages caused by a transmitted virus.
> > >
> >
> >
> > --
> > Jonathan | exabr...@gmail.com
> > Pessimists, see a jar as half empty. Optimists, in contrast, see it
> > as half full.
> > Engineers, of course, understand the glass is twice as big as it
> > needs to be.
> >
> 
>  This message and any

Re: TomEE 7.0.6 and 7.1.1 releases

2019-06-25 Thread Jonathan Gallimore

Correct - apologies for the mistake. We'll update that ticket and
(hopefully) it'll drop off the release notes.

On Tue, Jun 25, 2019 at 9:12 PM Jonathan S. Fisher 
wrote:

> IIRC that was my patch and we rolled it back...
>
> On Tue, Jun 25, 2019 at 2:11 PM COURTAULT Francois <
> francois.courta...@thalesgroup.com> wrote:
>
> > Hello Jonathan,
> >
> > In the release note you provide, it's written: [TOMEE-2268] - Upgrade to
> > CXF to 3.1.18
> > But after downloading TomEE 7.1.1 web profile, TomEE 7.1.1 micro profile
> > and TomEE 7.1.1 plus, and looking under the lib folder, I only see:
> > cxf-core-3.1.17.jar and cxf-rt-*-3.1.17.jar.
> > No 3.1.18 at all.
> >
> > Mistake ?
> >
> > Best Regards.
> >
> >
> > -Original Message-
> > From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> > Sent: vendredi 21 juin 2019 15:12
> > To: us...@tomee.apache.org; dev@tomee.apache.org
> > Subject: TomEE 7.0.6 and 7.1.1 releases
> >
> > Hi All,
> >
> > I'm pleased to announce that new releases of TomEE - versions 7.0.6 and
> > 7.1.1 - are now available. These are maintenance releases of the 7.0.x
> and
> > 7.1.x branches respectively.
> >
> > The JIRAs for each release are here:
> >
> > 7.0.6:
> >
> >
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12342069data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=mwJ5H7GANFODrnuQxk62sf3m18OuFDAtjPaJDBcj4vQ%3Dreserved=0
> >
> > 7.1.1:
> >
> >
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12344119data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=vWlP3n7BSzQxZjXsBrHOdnAo4mUdDBVdXL1D6TI5uiE%3Dreserved=0
> >
> > Jon
> > 
> >  This message and any attachments are intended solely for the addressees
> > and may contain confidential information. Any unauthorized use or
> > disclosure, either whole or partial, is prohibited.
> > E-mails are susceptible to alteration. Our company shall not be liable
> for
> > the message if altered, changed or falsified. If you are not the intended
> > recipient of this message, please delete it and notify the sender.
> > Although all reasonable efforts have been made to keep this transmission
> > free from viruses, the sender will not be liable for damages caused by a
> > transmitted virus.
> >
>
>
> --
> Jonathan | exabr...@gmail.com
> Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
> full.
> Engineers, of course, understand the glass is twice as big as it needs to
> be.
>

Re: TomEE 7.0.6 and 7.1.1 releases

2019-06-25 Thread Jonathan S. Fisher

IIRC that was my patch and we rolled it back...

On Tue, Jun 25, 2019 at 2:11 PM COURTAULT Francois <
francois.courta...@thalesgroup.com> wrote:

> Hello Jonathan,
>
> In the release note you provide, it's written: [TOMEE-2268] - Upgrade to
> CXF to 3.1.18
> But after downloading TomEE 7.1.1 web profile, TomEE 7.1.1 micro profile
> and TomEE 7.1.1 plus, and looking under the lib folder, I only see:
> cxf-core-3.1.17.jar and cxf-rt-*-3.1.17.jar.
> No 3.1.18 at all.
>
> Mistake ?
>
> Best Regards.
>
>
> -Original Message-
> From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
> Sent: vendredi 21 juin 2019 15:12
> To: us...@tomee.apache.org; dev@tomee.apache.org
> Subject: TomEE 7.0.6 and 7.1.1 releases
>
> Hi All,
>
> I'm pleased to announce that new releases of TomEE - versions 7.0.6 and
> 7.1.1 - are now available. These are maintenance releases of the 7.0.x and
> 7.1.x branches respectively.
>
> The JIRAs for each release are here:
>
> 7.0.6:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12342069data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=mwJ5H7GANFODrnuQxk62sf3m18OuFDAtjPaJDBcj4vQ%3Dreserved=0
>
> 7.1.1:
>
> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12344119data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=vWlP3n7BSzQxZjXsBrHOdnAo4mUdDBVdXL1D6TI5uiE%3Dreserved=0
>
> Jon
> 
>  This message and any attachments are intended solely for the addressees
> and may contain confidential information. Any unauthorized use or
> disclosure, either whole or partial, is prohibited.
> E-mails are susceptible to alteration. Our company shall not be liable for
> the message if altered, changed or falsified. If you are not the intended
> recipient of this message, please delete it and notify the sender.
> Although all reasonable efforts have been made to keep this transmission
> free from viruses, the sender will not be liable for damages caused by a
> transmitted virus.
>


-- 
Jonathan | exabr...@gmail.com
Pessimists, see a jar as half empty. Optimists, in contrast, see it as half
full.
Engineers, of course, understand the glass is twice as big as it needs to
be.

RE: TomEE 7.0.6 and 7.1.1 releases

2019-06-25 Thread COURTAULT Francois

Hello Jonathan,

In the release note you provide, it's written: [TOMEE-2268] - Upgrade to CXF to 
3.1.18
But after downloading TomEE 7.1.1 web profile, TomEE 7.1.1 micro profile and 
TomEE 7.1.1 plus, and looking under the lib folder, I only see: 
cxf-core-3.1.17.jar and cxf-rt-*-3.1.17.jar.
No 3.1.18 at all.

Mistake ?

Best Regards.


-Original Message-
From: Jonathan Gallimore [mailto:jonathan.gallim...@gmail.com]
Sent: vendredi 21 juin 2019 15:12
To: us...@tomee.apache.org; dev@tomee.apache.org
Subject: TomEE 7.0.6 and 7.1.1 releases

Hi All,

I'm pleased to announce that new releases of TomEE - versions 7.0.6 and
7.1.1 - are now available. These are maintenance releases of the 7.0.x and 
7.1.x branches respectively.

The JIRAs for each release are here:

7.0.6:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12342069data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=mwJ5H7GANFODrnuQxk62sf3m18OuFDAtjPaJDBcj4vQ%3Dreserved=0

7.1.1:
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fsecure%2FReleaseNote.jspa%3FprojectId%3D12312320%26version%3D12344119data=02%7C01%7CFrancois.COURTAULT%40gemalto.com%7C2dba21e784d94e84ec1908d6f64a1b3b%7C37d0a9db7c464096bfe31add5b495d6d%7C0%7C0%7C636967195474769730sdata=vWlP3n7BSzQxZjXsBrHOdnAo4mUdDBVdXL1D6TI5uiE%3Dreserved=0

Jon

 This message and any attachments are intended solely for the addressees and 
may contain confidential information. Any unauthorized use or disclosure, 
either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the 
message if altered, changed or falsified. If you are not the intended recipient 
of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free 
from viruses, the sender will not be liable for damages caused by a transmitted 
virus.

TomEE 7.0.6 and 7.1.1 releases

2019-06-21 Thread Jonathan Gallimore

Hi All,

I'm pleased to announce that new releases of TomEE - versions 7.0.6 and
7.1.1 - are now available. These are maintenance releases of the 7.0.x and
7.1.x branches respectively.

The JIRAs for each release are here:

7.0.6:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12342069

7.1.1:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312320=12344119

Jon

Re: Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Mark Struberg

+1, just ping me if you need some help.

LieGrue,
strub

> Am 13.12.2018 um 17:57 schrieb Jonathan Gallimore 
> :
> 
> There's some stuff I need to finish backporting, but I'm generally in
> favour. We have a Johnzon vote in progress, and could do with an OWB
> release for the 7.0.x and 7.1.x branches.
> 
> Jon
> 
> On Thu, Dec 13, 2018 at 12:16 PM Wiesner, Martin <
> martin.wies...@hs-heilbronn.de> wrote:
> 
>> Hey guys,
>> 
>> Richard (Z, @rzo1) and me are having some coffee in the office and are
>> discussing several ideas. One them is that we’d like to propose that TomEE
>> project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more
>> interesting: a 8.0.0-M2 milestone preview.
>> 
>> The rationale behind it is that we all might get (more) valuable feedback
>> on the current state by the TomEE community. With many bugs fixed and
>> improvements made recently, it might be worth considering such a step.
>> 
>> What do you all think of our proposal? Any opinions much welcome.
>> 
>> Best
>> Martin
>> --
>> https://twitter.com/mawiesne
>> 
>>

Re: Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Jonathan Gallimore

There's some stuff I need to finish backporting, but I'm generally in
favour. We have a Johnzon vote in progress, and could do with an OWB
release for the 7.0.x and 7.1.x branches.

Jon

On Thu, Dec 13, 2018 at 12:16 PM Wiesner, Martin <
martin.wies...@hs-heilbronn.de> wrote:

> Hey guys,
>
> Richard (Z, @rzo1) and me are having some coffee in the office and are
> discussing several ideas. One them is that we’d like to propose that TomEE
> project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more
> interesting: a 8.0.0-M2 milestone preview.
>
> The rationale behind it is that we all might get (more) valuable feedback
> on the current state by the TomEE community. With many bugs fixed and
> improvements made recently, it might be worth considering such a step.
>
> What do you all think of our proposal? Any opinions much welcome.
>
> Best
> Martin
> --
> https://twitter.com/mawiesne
>
>

Re: Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Alex The Rocker

Hello,

Huge +1, especially if that includes official Java 11 support.
Think about this : Java 12 will be RTM in January, would be a shame if
no TomEE+ release wouldn't even support Java 11 before...
(and yes, we need it for TomEE+ 7.0.6, we're targeting 7.1.x next
year, that's life..)

Kind regards,
Alexandre

Le jeu. 13 déc. 2018 à 13:43, Otávio Gonçalves de Santana
 a écrit :
>
> +1
>
> On Thu, Dec 13, 2018, 10:37 Roberto Cortez  wrote:
>
> > Hi Martin,
> >
> > Yes, my idea was to push for another Milestone release once we stabilise
> > the build.
> >
> > Cheers,
> > Roberto
> >
> > > On 13 Dec 2018, at 12:16, Wiesner, Martin <
> > martin.wies...@hs-heilbronn.de> wrote:
> > >
> > > Hey guys,
> > >
> > > Richard (Z, @rzo1) and me are having some coffee in the office and are
> > discussing several ideas. One them is that we’d like to propose that TomEE
> > project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more
> > interesting: a 8.0.0-M2 milestone preview.
> > >
> > > The rationale behind it is that we all might get (more) valuable
> > feedback on the current state by the TomEE community. With many bugs fixed
> > and improvements made recently, it might be worth considering such a step.
> > >
> > > What do you all think of our proposal? Any opinions much welcome.
> > >
> > > Best
> > > Martin
> > > --
> > > https://twitter.com/mawiesne 
> > >
> >
> >

Re: Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Otávio Gonçalves de Santana

+1

On Thu, Dec 13, 2018, 10:37 Roberto Cortez  Hi Martin,
>
> Yes, my idea was to push for another Milestone release once we stabilise
> the build.
>
> Cheers,
> Roberto
>
> > On 13 Dec 2018, at 12:16, Wiesner, Martin <
> martin.wies...@hs-heilbronn.de> wrote:
> >
> > Hey guys,
> >
> > Richard (Z, @rzo1) and me are having some coffee in the office and are
> discussing several ideas. One them is that we’d like to propose that TomEE
> project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more
> interesting: a 8.0.0-M2 milestone preview.
> >
> > The rationale behind it is that we all might get (more) valuable
> feedback on the current state by the TomEE community. With many bugs fixed
> and improvements made recently, it might be worth considering such a step.
> >
> > What do you all think of our proposal? Any opinions much welcome.
> >
> > Best
> > Martin
> > --
> > https://twitter.com/mawiesne 
> >
>
>

Re: Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Roberto Cortez

Hi Martin,

Yes, my idea was to push for another Milestone release once we stabilise the 
build.

Cheers,
Roberto

> On 13 Dec 2018, at 12:16, Wiesner, Martin  
> wrote:
> 
> Hey guys,
> 
> Richard (Z, @rzo1) and me are having some coffee in the office and are 
> discussing several ideas. One them is that we’d like to propose that TomEE 
> project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more 
> interesting: a 8.0.0-M2 milestone preview. 
> 
> The rationale behind it is that we all might get (more) valuable feedback on 
> the current state by the TomEE community. With many bugs fixed and 
> improvements made recently, it might be worth considering such a step.
> 
> What do you all think of our proposal? Any opinions much welcome.
> 
> Best
> Martin
> --
> https://twitter.com/mawiesne 
>

Is TomEE ready to ship for Santa? - Conducting pre-xmas releases: 7.0.6, 7.1.1, 8.0.0-M2

2018-12-13 Thread Wiesner, Martin

Hey guys,

Richard (Z, @rzo1) and me are having some coffee in the office and are 
discussing several ideas. One them is that we’d like to propose that TomEE 
project kicks out a pre-xmas release for 7.1.1 and/or 7.0.6, and even more 
interesting: a 8.0.0-M2 milestone preview. 

The rationale behind it is that we all might get (more) valuable feedback on 
the current state by the TomEE community. With many bugs fixed and improvements 
made recently, it might be worth considering such a step.

What do you all think of our proposal? Any opinions much welcome.

Best
Martin
--
https://twitter.com/mawiesne 



smime.p7s
Description: S/MIME cryptographic signature

Re: Any EE8 spec API releases needed?

2017-06-17 Thread Mark Struberg

It's on my list to review that one. 

txs and LieGrue,
strub

> Am 17.06.2017 um 22:11 schrieb Svetlin Zarev 
> :
> 
> Hi Mark,
> 
> Have you considered fixing
> https://issues.apache.org/jira/browse/GERONIMO-6569 ? It's about common
> annotations spec compliance.
> 
> Kind regards,
> SVetlin
> 
> 2017-06-17 19:37 GMT+03:00 Mark Struberg :
> 
>> Hi folks!
>> 
>> I'm about to release the common-annotation-1.3 and jcdi-2.0 APIs over in
>> Geronimo.
>> Does TomEE also need some API to be released?
>> Would like to do things only once if possible ;)
>> 
>> txs and LieGrue,
>> strub

Re: Any EE8 spec API releases needed?

2017-06-17 Thread Svetlin Zarev

Hi Mark,

Have you considered fixing
https://issues.apache.org/jira/browse/GERONIMO-6569 ? It's about common
annotations spec compliance.

Kind regards,
SVetlin

2017-06-17 19:37 GMT+03:00 Mark Struberg :

> Hi folks!
>
> I'm about to release the common-annotation-1.3 and jcdi-2.0 APIs over in
> Geronimo.
> Does TomEE also need some API to be released?
> Would like to do things only once if possible ;)
>
> txs and LieGrue,
> strub

Re: javaee-api releases

2017-02-15 Thread Romain Manni-Bucau

Hi

2017-02-15 14:34 GMT+01:00 Mark Struberg :

> Hi folks!
>
> Just noticed that we did not release a javaee-api.jar with 7.0.2.
> That feels kind of wrong to me (personal opinion so far).
>
> Until now I just had a
>
> 
>   nnn
>
> in my pom and used this version for all the tomee artifacts.
> That doesn't work anymore for 7.0.2.
>
> Is there a reason we stopped bundling this?
>

we never did, javaee-api always has been another project.


> I mean we have an ongoing effort do document the geronimo-spec apis over
> in geronimo.
> So with every release the JavaDoc would become a tad better.
>
> Do we like to add this again?
>

we do each time we have a reason (change in API for instance)


>
> LieGrue,
> strub

Re: [ANNOUNCE][CVE-2016-0779] Apache TomEE 1.7.4 and 7.0.0-M3 releases

2016-03-09 Thread Andy


+++1 Nice one Romain, thanks for the hard work.

Andy.

On 07/03/2016 18:57, Romain Manni-Bucau wrote:

The Apache Team Team is pleased to announce the availability of:

Apache TomEE 7.0.0-M3 and 1.7.4

When downloading, please verify signatures using the KEYS file available at:
http://www.apache.org/dist/tomee

Maven artifacts are also available in the central Maven repository.

The releases are primarily security releases to address CVE-2016-0779, EJBd
protocol allows to exploit 0-day vulnerability in all previous releases.


The Apache TomEE Team



--
  Andy Gumbrecht
  https://twitter.com/AndyGeeDe

[ANNOUNCE][CVE-2016-0779] Apache TomEE 1.7.4 and 7.0.0-M3 releases

2016-03-07 Thread Romain Manni-Bucau

The Apache Team Team is pleased to announce the availability of:

Apache TomEE 7.0.0-M3 and 1.7.4

When downloading, please verify signatures using the KEYS file available at:
http://www.apache.org/dist/tomee

Maven artifacts are also available in the central Maven repository.

The releases are primarily security releases to address CVE-2016-0779, EJBd
protocol allows to exploit 0-day vulnerability in all previous releases.


The Apache TomEE Team

Security releases

2014-02-19 Thread David Blevins

So as I mentioned in the security reporting thread, although we do always use 
the most recent versions of everything in our releases, we should probably 
address our timing.

Over the lifetime of TomEE we average 4.14 months between releases.  Also in 
the lifetime of TomEE, there've been about 18 CVEs that affect us.  That's one 
every 1.61 months.

On top of that, once a new TomEE 1.x version comes out we don't really keep 
supporting the previous 1.x release, which we should -- at least for security 
fixes.

 - - - 

The fastest and most realistic way I can see to continuously turn out releases 
that contain security updates with the least amount time is to:

  - branch from the latest supported tags (1.5.x, 1.6.x)
  - apply the security patch or do the library upgrade
  - release them as 1.5.x.y, 1.6.x.y

My gut says anything else will just encounter the usual 4 month delay.  As well 
I can see there being a significant advantage to having security only releases:

  - a lot easier to do the legal screening, code header scanning, etc.
  - far less community time spent on rigorously testing all our applications
  - less regression testing users have to do to upgrade.  (We're always adding 
new features to 1.x.y releases)
  - doesn't disrupt or put pressure on our development cycle

With the current Tomcat CVE now fixed, that'd give us:

 - 1.5.2.1
 - 1.6.0.1

Thoughts?


-David

Re: Security releases

2014-02-19 Thread Jean-Louis MONTEIRO

+1 looks good.

Just regarding the latest digit, was wondering is we could use instead:
su1, security update 1
sec01, security 01

The latest one is the more commonly used.

JLouis


2014-02-19 18:08 GMT+01:00 David Blevins david.blev...@gmail.com:

 So as I mentioned in the security reporting thread, although we do always
 use the most recent versions of everything in our releases, we should
 probably address our timing.

 Over the lifetime of TomEE we average 4.14 months between releases.  Also
 in the lifetime of TomEE, there've been about 18 CVEs that affect us.
  That's one every 1.61 months.

 On top of that, once a new TomEE 1.x version comes out we don't really
 keep supporting the previous 1.x release, which we should -- at least for
 security fixes.

  - - -

 The fastest and most realistic way I can see to continuously turn out
 releases that contain security updates with the least amount time is to:

   - branch from the latest supported tags (1.5.x, 1.6.x)
   - apply the security patch or do the library upgrade
   - release them as 1.5.x.y, 1.6.x.y

 My gut says anything else will just encounter the usual 4 month delay.  As
 well I can see there being a significant advantage to having security only
 releases:

   - a lot easier to do the legal screening, code header scanning, etc.
   - far less community time spent on rigorously testing all our
 applications
   - less regression testing users have to do to upgrade.  (We're always
 adding new features to 1.x.y releases)
   - doesn't disrupt or put pressure on our development cycle

 With the current Tomcat CVE now fixed, that'd give us:

  - 1.5.2.1
  - 1.6.0.1

 Thoughts?


 -David








-- 
Jean-Louis

Re: Security releases

2014-02-19 Thread Romain Manni-Bucau

+1 if possible (the issue will be to upgrade a lib without uprgading
to next version, can need as much work as upgrading to trunk
sometimes...)
Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2014-02-19 20:27 GMT+01:00 Bjorn Danielsson bjorn-apa...@lists.cuspycode.com:
 +1 for having quick and minimal effort security-only releases.

 At least for updating the latest release in cases where the
 patch has limited impact on everything else (minimal effort).

 --
 Bjorn Danielsson
 Cuspy Code AB


 David Blevins david.blev...@gmail.com wrote:
 So as I mentioned in the security reporting thread, although we do always 
 use the most recent versions of everything in our releases, we should 
 probably address our timing.

 Over the lifetime of TomEE we average 4.14 months between releases.  Also in 
 the lifetime of TomEE, there've been about 18 CVEs that affect us.  That's 
 one every 1.61 months.

 On top of that, once a new TomEE 1.x version comes out we don't really keep 
 supporting the previous 1.x release, which we should -- at least for 
 security fixes.

  - - -

 The fastest and most realistic way I can see to continuously turn out 
 releases that contain security updates with the least amount time is to:

   - branch from the latest supported tags (1.5.x, 1.6.x)
   - apply the security patch or do the library upgrade
   - release them as 1.5.x.y, 1.6.x.y

 My gut says anything else will just encounter the usual 4 month delay.  As 
 well I can see there being a significant advantage to having security only 
 releases:

   - a lot easier to do the legal screening, code header scanning, etc.
   - far less community time spent on rigorously testing all our applications
   - less regression testing users have to do to upgrade.  (We're always 
 adding new features to 1.x.y releases)
   - doesn't disrupt or put pressure on our development cycle

 With the current Tomcat CVE now fixed, that'd give us:

  - 1.5.2.1
  - 1.6.0.1

 Thoughts?


 -David

Re: Security releases

2014-02-19 Thread Jean-Louis MONTEIRO

Agree with the possible more work, but it should be hopefully for us, isn't
it?
I mean, the main goal is to have limited changes so that customers/users
are confident in upgrading.

So, if more work for us, but less for users, the target is achieved IMHO.

JLouis


2014-02-19 21:54 GMT+01:00 Romain Manni-Bucau rmannibu...@gmail.com:

 +1 if possible (the issue will be to upgrade a lib without uprgading
 to next version, can need as much work as upgrading to trunk
 sometimes...)
 Romain Manni-Bucau
 Twitter: @rmannibucau
 Blog: http://rmannibucau.wordpress.com/
 LinkedIn: http://fr.linkedin.com/in/rmannibucau
 Github: https://github.com/rmannibucau



 2014-02-19 20:27 GMT+01:00 Bjorn Danielsson 
 bjorn-apa...@lists.cuspycode.com:
  +1 for having quick and minimal effort security-only releases.
 
  At least for updating the latest release in cases where the
  patch has limited impact on everything else (minimal effort).
 
  --
  Bjorn Danielsson
  Cuspy Code AB
 
 
  David Blevins david.blev...@gmail.com wrote:
  So as I mentioned in the security reporting thread, although we do
 always use the most recent versions of everything in our releases, we
 should probably address our timing.
 
  Over the lifetime of TomEE we average 4.14 months between releases.
  Also in the lifetime of TomEE, there've been about 18 CVEs that affect us.
  That's one every 1.61 months.
 
  On top of that, once a new TomEE 1.x version comes out we don't really
 keep supporting the previous 1.x release, which we should -- at least for
 security fixes.
 
   - - -
 
  The fastest and most realistic way I can see to continuously turn out
 releases that contain security updates with the least amount time is to:
 
- branch from the latest supported tags (1.5.x, 1.6.x)
- apply the security patch or do the library upgrade
- release them as 1.5.x.y, 1.6.x.y
 
  My gut says anything else will just encounter the usual 4 month delay.
  As well I can see there being a significant advantage to having security
 only releases:
 
- a lot easier to do the legal screening, code header scanning, etc.
- far less community time spent on rigorously testing all our
 applications
- less regression testing users have to do to upgrade.  (We're always
 adding new features to 1.x.y releases)
- doesn't disrupt or put pressure on our development cycle
 
  With the current Tomcat CVE now fixed, that'd give us:
 
   - 1.5.2.1
   - 1.6.0.1
 
  Thoughts?
 
 
  -David




-- 
Jean-Louis

74 matches

Mail list logo