I'm cancelling this vote to fix
https://issues.apache.org/jira/browse/MNG-7228
which can be very nasty and expose sensitive information if you ever do a
release involving the shade plugin. This is not a new bug but the fact
we've just discovered that it can leak passwords / passphrase from the us
Seems to work fine in my pipelines.
+1
The changed behavior for plugin validation should be documented; just
reading the release notes gives no clear indication what changed.
-h
(I can haz wrapper plugin and mvnd as well plz?)
On Fri, Jun 23, 2023 at 6:34 AM Tamás Cservenák wrote:
> Howdy,
>
Guillaume,
The change in the behavior is introduced here:
https://github.com/apache/maven/commit/967d8fc19cbb8a78410ceed70bd91c2e628da813#diff-64f7dba44bfc4bf654efbd092058718253adde1449ce9fc63ac5531fba20a071R97
. *RepositorySystem.buildArtifactRepository* behaves differently compared
to *MavenRepo
I recently attempted to modernize the HPI plugin used in the Jenkins project:
https://github.com/jenkinsci/maven-hpi-plugin
This plugin has a Maven baseline of 3.8.1. I think I migrated all
usages away from deprecated functionality and onto the recommended
modern Maven functionality.
If a Maven
+1
Le ven. 23 juin 2023 à 16:08, Tamás Cservenák a
écrit :
> Yup, it would be nice to backport it, agreed.
>
> But this is a release [VOTE] thread, it would be better to spawn different
> threads for proposals like this, and leave this thread for voting :)
>
> Thanka
> T
>
> On Fri, Jun 23, 2023
Le ven. 23 juin 2023 à 15:21, Alexey Venderov a
écrit :
> Hi!
>
> After this change
>
> https://github.com/apache/maven/commit/967d8fc19cbb8a78410ceed70bd91c2e628da813#diff-64f7dba44bfc4bf654efbd092058718253adde1449ce9fc63ac5531fba20a071R97
> it looks like that *layout *repository property is not
Yup, it would be nice to backport it, agreed.
But this is a release [VOTE] thread, it would be better to spawn different
threads for proposals like this, and leave this thread for voting :)
Thanka
T
On Fri, Jun 23, 2023 at 4:05 PM Elliotte Rusty Harold
wrote:
> It would also be nice to get
> h
It would also be nice to get
https://issues.apache.org/jira/browse/MNG-7714 backported into 3.9.x
assuming I'm correct that it's currently only fixed on the 4.x branch.
On Fri, Jun 23, 2023 at 9:34 AM Tamás Cservenák wrote:
>
> Howdy,
>
> We solved 22 issues:
> https://issues.apache.org/jira/secu
The release notes link below, as link Guillaume added is not visible for
not logged in users:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12353052
On Fri, Jun 23, 2023 at 3:49 PM Guillaume Nodet wrote:
> I'm starting a vote to release this new alpha.
>
> 64
Howdy,
Maven carries (does not use) guava 31.1 as dependency of guice.
No code (including Guice) uses the CVE affected File related classes.
Also, guava is NOT exposed to plugins either.
Hence, I think we are fine.
HTH
Tamas
On Fri, Jun 23, 2023 at 3:55 PM Elliotte Rusty Harold
wrote:
> There
There seems to be a recent security fix in Guava in 32.0.0 which broke
other things, so 32.0.1 is recommended. I'm not sure if any of this
affects Maven, but it's probably good to get this in.
On Fri, Jun 23, 2023 at 9:34 AM Tamás Cservenák wrote:
>
> Howdy,
>
> We solved 22 issues:
> https://iss
I'm starting a vote to release this new alpha.
64 issues solved:
https://issues.apache.org/jira/projects/MNG/versions/12353052
Staging repository:
https://repository.apache.org/content/repositories/maven-1969
Dev dist directory:
https://dist.apache.org/repos/dist/dev/maven/maven-4/4.0.0-alpha-6/
Great! Thank you, Tamás!
Would it make sense to log some kind of a warning to tell the user that the
value that they have configured in the config will be ignored?
Best regards,
Alexey Venderov
mailto: avende...@gmail.com
On Fri, Jun 23, 2023 at 3:29 PM Tamás Cservenák wrote:
> Howdy,
>
> Yes
Howdy,
We solved 22 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12316922&version=12353255
There are still a couple of issues left in JIRA:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20MNG%20AND%20resolution%20%3D%20Unresolved
Staging repo:
https://repos
Howdy,
Yes, that;s right.
Maven3 had Maven2 support, Maven4 will have Maven3 support only, we don't
plan to support several generations backward.
Everything moves off from "legacy" :)
Thanks
T
On Fri, Jun 23, 2023 at 3:21 PM Alexey Venderov wrote:
> Hi!
>
> After this change
>
> https://github
Hi!
After this change
https://github.com/apache/maven/commit/967d8fc19cbb8a78410ceed70bd91c2e628da813#diff-64f7dba44bfc4bf654efbd092058718253adde1449ce9fc63ac5531fba20a071R97
it looks like that *layout *repository property is not supported anymore.
*buildArtifactRepostitory* method in *MavenReposi
The Apache Maven team is pleased to announce the release of the
Maven Resolver 1.9.13
https://maven.apache.org/resolver/
Release Notes - Maven Resolver - Version 1.9.13
** Bug
* [MRESOLVER-373] - Remove lock upgrading code
** Improvement
* [MRESOLVER-220] - Modify signaling for unsupporte
The vote has passed with the following result:
+1: Guillaume, Sylwester, Slawomir, Herve
PMC quorum: reached
I will promote the source release zip file to the Apache distribution area
and the artifacts to the central repo.
Thanks
T
18 matches
Mail list logo