[jira] [Comment Edited] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17805082#comment-17805082 ]

Martin Tzvetanov Grigorov edited comment on VELTOOLS-202 at 1/10/24 11:33 AM:
------------------------------------------------------------------------------

OK, we have progress on the technical part! Let's continue!

Which module has been renamed? In https://github.com/apache/velocity-tools/pull/15/files I don't see a renamed (Maven?!) module. I see updated Maven dependencies and updated Java imports.

This matches with my idea of having two branches - one for javax and one for jakarta. The contributor offered a PR against the `master` branch. Here any Velocity maintainer can create a branch for Javax from master before merging this PR and use this new branch for Javax releases and use master for Jakarta releases. The (Maven) version in the PR should be updated to 4.0-SNAPSHOT too.

Later, when there is a fix/improvement in either branch, the maintainers could easily use `git cherry-pick -x someSHA` to port the commit to the other branch, if needed. If the cherry-pick fails then some manual work may be needed! It is a small effort! But the maintainer could always ask the contributor to open a second PR for the other branch if the effort is bigger!

The release manager will have to make two releases until there are users for Javax but this is how it is. Again I think this is little extra work!

You can also explain how you think it should be done and hopefully someone will do it one day!

> VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
> ---------------------------------------------------------------------------
>
> Key: VELTOOLS-202
> URL: https://issues.apache.org/jira/browse/VELTOOLS-202
> Project: Velocity Tools
> Issue Type: New Feature
> Components: VelocityView
> Reporter: David Ruiz de Azua
> Priority: Trivial
>
> To whom it may concern,
> Currently VelocityViewServlet extends from javax rather than jakarta.
> Due to the cutover from Java to Jakarta, *is there any plan to make Apache Velocity compatible with Servlet 5.0?*
> Not sure if there are any plans to make the transition to Jakarta namespace and if there is any ETA for it.
> [https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/http/httpservlet]

--
This message was sent by Atlassian Jira (v8.20.10#820010)

To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

[jira] [Commented] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17805082#comment-17805082 ]

Martin Tzvetanov Grigorov commented on VELTOOLS-202:
----------------------------------------------------

OK, we have progress on the technical part! Let's continue!

Which module has been renamed? In https://github.com/apache/velocity-tools/pull/15/files I don't see a renamed (Maven?!) module. I see updated Maven dependencies and updated Java imports.

This matches with my idea of having two branches - one for javax and one for jakarta. The contributor offered a PR against the `master` branch. Here any Velocity maintainer can create a branch for Javax from master before merging this PR and use this new branch for Javax releases and use master for Jakarta releases. The Maven version in the PR should be updated to 4.0-SNAPSHOT too.

Later, when there is a fix/improvement in either branch, the maintainers could easily use `git cherry-pick -x someSHA` to port the commit to the other branch, if needed. If the cherry-pick fails then some manual work may be needed! It is a small effort! But the maintainer could always ask the contributor to open a second PR for the other branch if the effort is bigger!

The release manager will have to make two releases until there are users for Javax but this is how it is. Again I think this is little extra work!

You can also explain how you think it should be done and hopefully someone will do it one day!

[jira] [Commented] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17805044#comment-17805044 ]

Martin Tzvetanov Grigorov commented on VELTOOLS-202:
----------------------------------------------------

Define "reasonable"!

Most people (me included) don't like being treated as in https://github.com/apache/velocity-tools/pull/15#issuecomment-1632855512 (closing the PR with a simple comment like "This can't be serious").

The discussion in the mailing list could happen in parallel by asking the contributor more politely, or by starting it yourself, or by adding a comment how you think it should be done, or ... (many other options). Doing what you did there just gives a bad impression of the Velocity project and of Apache in general!

IMO your behavior is not reasonable but this is getting personal, so let's stop!

[jira] [Commented] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17804998#comment-17804998 ]

Martin Tzvetanov Grigorov commented on VELTOOLS-202:
----------------------------------------------------

I guess you want only the javax version of the code, otherwise this ticket won't still be open after 3 years! ;-)

Anyway, I am not a member of this project, so I have no voice here.

[jira] [Commented] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17804979#comment-17804979 ]

Martin Tzvetanov Grigorov commented on VELTOOLS-202:
----------------------------------------------------

"single release management" is not something needed by the end users. The users need a release either for javax or for jakarta, not both at the same time.

[jira] [Commented] (VELTOOLS-202) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELTOOLS-202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17804828#comment-17804828 ]

Martin Tzvetanov Grigorov commented on VELTOOLS-202:
----------------------------------------------------

I'd suggest to have two Git/SVN branches - one for javax and another for jakarta. Cherry-picking would be non-problematic most of the time.

[jira] [Commented] (VELOCITY-946) Questions about the existing velocity safety mechanism
[ https://issues.apache.org/jira/browse/VELOCITY-946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17389744#comment-17389744 ]

Martin Tzvetanov Grigorov commented on VELOCITY-946:
----------------------------------------------------

[~n4nch341] Security related issues should be discussed privately. This way if there is a vulnerability the developers will have a chance to fix it before it becomes public.

See [https://apache.org/security/#vulnerability-handling] for more details.

> Questions about the existing velocity safety mechanism
> ------------------------------------------------------
>
> Key: VELOCITY-946
> URL: https://issues.apache.org/jira/browse/VELOCITY-946
> Project: Velocity
> Issue Type: Bug
> Reporter: n4nch341
> Priority: Major
>
> hello sir:
> I noticed that velocity-core fixes CVE-2020-13936 https://github.com/apache/velocity-engine/pull/16/files, but follow content
>
> "introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
> introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
> introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
> introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory"
>
> be added in the velocity-engine-core/src/test/resources/oldproperties/velocity.properties file. I think this is a test file and wouldn't take effect at runtime.
>
> As for the valid org\apache\velocity\runtime\defaults\velocity.properties file Has not been added to these blacklists, so in the velocity-tools-view framework
> $\{req.getServletContext().getAttribute('org.apache.tomcat.InstanceManager').newInstance('javax.script.ScriptEngineManager').getEngineByName ('js').eval(xx)
> This payload is still valid, and the Velocity-tools-view does not enable SecureUberspector by default.
>
> so I don’t know that writing this blacklist under the test file means that the application that calls velocity-core needs its own to add blacklists or is it because velocity-core forgot to add these blacklists to org\apache\velocity\runtime\defaults\velocity.properties, can this be considered a vulnerability?

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: dev-unsubscr...@velocity.apache.org
For additional commands, e-mail: dev-h...@velocity.apache.org

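
Added example (not part of the original messages and not Velocity project code): a small audit that reads a velocity.properties text and reports which of the four class names listed in the report above are absent from `introspector.restrict.classes`, and whether any value names a SecureUberspector class. It assumes repeated keys and comma-separated values accumulate into one list, as the report's four same-key lines suggest; `EXPECTED_RESTRICTED`, `parse_properties`, `audit` and `SAMPLE` are names made up for this example.

```python
from collections import defaultdict

# Class names copied from the report quoted above.
EXPECTED_RESTRICTED = [
    "org.apache.catalina.core.DefaultInstanceManager",
    "org.apache.tomcat.SimpleInstanceManager",
    "org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager",
    "org.eclipse.jetty.util.DecoratedObjectFactory",
]

def parse_properties(text):
    """Parse 'key = value' lines. Assumption: repeated keys and comma lists accumulate."""
    props = defaultdict(list)
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":      # blank line or comment
            continue
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()].extend(v.strip() for v in value.split(",") if v.strip())
    return props

def audit(text):
    """Return the expected classes that are not restricted, and a SecureUberspector flag."""
    props = parse_properties(text)
    restricted = set(props.get("introspector.restrict.classes", []))
    return {
        "missing_restricted": [c for c in EXPECTED_RESTRICTED if c not in restricted],
        # Heuristic: any property value naming a class called SecureUberspector.
        "secure_uberspector": any(
            v.endswith(".SecureUberspector") for vals in props.values() for v in vals
        ),
    }

# Constructed sample input, not the project's real defaults file.
SAMPLE = """\
# constructed example
introspector.restrict.classes = java.lang.Class
introspector.restrict.classes = org.apache.tomcat.SimpleInstanceManager
introspector.restrict.classes = org.eclipse.jetty.util.\\
    DecoratedObjectFactory
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against the properties file the deployed application actually loads, not the one under src/test.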
[jira] [Commented] (VELOCITY-942) VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
[ https://issues.apache.org/jira/browse/VELOCITY-942?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17307750#comment-17307750 ]

Martin Tzvetanov Grigorov commented on VELOCITY-942:
----------------------------------------------------

If you use Tomcat 10.0.4 then you can deploy your app to the $CATALINA_HOME/webapps-javaee/ folder instead of webapps/. This way Tomcat will migrate the application automatically.

Otherwise you can use [https://github.com/apache/tomcat-jakartaee-migration] if you want to migrate the application at build time.

> VelocityViewServlet extending from jakarta.servlet instead of javax.servlet
> ---------------------------------------------------------------------------
>
> Key: VELOCITY-942
> URL: https://issues.apache.org/jira/browse/VELOCITY-942
> Project: Velocity
> Issue Type: New Feature
> Components: Engine
> Reporter: David Ruiz de Azua
> Priority: Trivial
>
> To whom it may concern,
> Currently VelocityViewServlet extends from javax rather than jakarta.
> Due to the cutover from Java to Jakarta, *is there any plan to make Apache Velocity compatible with Servlet 5.0?*
> Not sure if there are any plans to make the transition to Jakarta namespace and if there is any ETA for it.
> [https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/http/httpservlet]

[jira] [Commented] (VELOCITY-907) Moderators needed for general list
[ https://issues.apache.org/jira/browse/VELOCITY-907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17292243#comment-17292243 ]

Martin Tzvetanov Grigorov commented on VELOCITY-907:
----------------------------------------------------

May I volunteer? My apache id is 'mgrigorov'. I am not a Velocity PMC member but this shouldn't be a problem, right?

> Moderators needed for general list
> ----------------------------------
>
> Key: VELOCITY-907
> URL: https://issues.apache.org/jira/browse/VELOCITY-907
> Project: Velocity
> Issue Type: Bug
> Reporter: Sebb
> Priority: Major
>
> There are currently no moderators for the -commits@- or general@ lists [1]
> Some volunteers need to step up.
> In the meantime I have added myself, but that can only be temporary.
> [1] [https://whimsy.apache.org/roster/committee/velocity#mail|https://whimsy.apache.org/roster/committee/santuario#mail]