Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
On Tue, 2024-03-05 at 10:22 +0100, Robert Munteanu wrote:
> Given no other comments came in, I will create the git repository as already 'deprecated' and we'll figure out the release process changes, if needed, at the time of the potential release.
>
> I kicked off a `git svn clone` for commons.json since we don't have it mirrored as part of https://github.com/apache/sling-old-svn-mirror/tree/trunk . I hope it will finish today.

This was more fun than expected. The repository is at https://github.com/apache/sling-org-apache-sling-commons-json and it's already marked as deprecated.

I was unable to create a git svn clone, so I extracted the code from https://github.com/apache/sling-old-svn-mirror/commits using the 'bundles/commons/json' path, before the move to attic.

Thanks,
Robert

> Thanks,
> Robert
>
> On Thu, 2024-02-29 at 13:12 +0100, Robert Munteanu wrote:
> > On Wed, 2024-02-28 at 11:22 +0100, Carsten Ziegeler wrote:
> > > Can we do this without creating a new git repo? Creating a separate new repo gives a different message than what we intend it to be.
> > >
> > > It would be great if we could do this directly in SVN :)
> >
> > I think that would be pretty complex; the SVN repo is read-only and we haven't done a release from SVN for years - not sure if the plug-in / SVN versions we used back then still work with the current Maven versions.
> >
> > I also am not very concerned about people misinterpreting Sling git repo number 347 :-) But if we want to be extra careful, we could create it and immediately deprecate it [1]. Any potential contributions would land in the 'maintenance' branch and any potential releases would be created from the same place.
> >
> > Robert
> >
> > [1]: https://sling.apache.org/documentation/development/deprecating-sling-modules.html
> >
> > > Regards
> > > Carsten
> > >
> > > On 28.02.2024 10:52, Robert Munteanu wrote:
> > > > Hi Jörg
> > > >
> > > > On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > > > > Hi Robert,
> > > > >
> > > > > makes sense.
> > > > >
> > > > > To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.
> > > >
> > > > There is no intention to use this again in any other modules, add it to the Starter, etc. We will keep the code deprecated. At the same time, we may choose to apply fixes for the reported CVEs, if those are already available upstream, and cut a new release.
> > > >
> > > > Thanks,
> > > > Robert
> > > >
> > > > > Correct?
> > > > >
> > > > > Jörg
> > > > >
> > > > > On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
> > > > > >
> > > > > > After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
> > > > > >
> > > > > > In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
> > > > > >
> > > > > > I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
> > > > > >
> > > > > > I will leave this thread open for comments for 72 hours.
> > > > > >
> > > > > > Thanks,
> > > > > > Robert
> > > > > >
> > > > > > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > > > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > > > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > > > > [4]: https://issues.apache.org/jira/browse/LEGAL-666

Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
Given no other comments came in, I will create the git repository as already 'deprecated' and we'll figure out the release process changes, if needed, at the time of the potential release.

I kicked off a `git svn clone` for commons.json since we don't have it mirrored as part of https://github.com/apache/sling-old-svn-mirror/tree/trunk . I hope it will finish today.

Thanks,
Robert

On Thu, 2024-02-29 at 13:12 +0100, Robert Munteanu wrote:
> On Wed, 2024-02-28 at 11:22 +0100, Carsten Ziegeler wrote:
> > Can we do this without creating a new git repo? Creating a separate new repo gives a different message than what we intend it to be.
> >
> > It would be great if we could do this directly in SVN :)
>
> I think that would be pretty complex; the SVN repo is read-only and we haven't done a release from SVN for years - not sure if the plug-in / SVN versions we used back then still work with the current Maven versions.
>
> I also am not very concerned about people misinterpreting Sling git repo number 347 :-) But if we want to be extra careful, we could create it and immediately deprecate it [1]. Any potential contributions would land in the 'maintenance' branch and any potential releases would be created from the same place.
>
> Robert
>
> [1]: https://sling.apache.org/documentation/development/deprecating-sling-modules.html
>
> > Regards
> > Carsten
> >
> > On 28.02.2024 10:52, Robert Munteanu wrote:
> > > Hi Jörg
> > >
> > > On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > > > Hi Robert,
> > > >
> > > > makes sense.
> > > >
> > > > To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.
> > >
> > > There is no intention to use this again in any other modules, add it to the Starter, etc. We will keep the code deprecated. At the same time, we may choose to apply fixes for the reported CVEs, if those are already available upstream, and cut a new release.
> > >
> > > Thanks,
> > > Robert
> > >
> > > > Correct?
> > > >
> > > > Jörg
> > > >
> > > > On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:
> > > >
> > > > > Hi,
> > > > >
> > > > > A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
> > > > >
> > > > > After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
> > > > >
> > > > > In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
> > > > >
> > > > > I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
> > > > >
> > > > > I will leave this thread open for comments for 72 hours.
> > > > >
> > > > > Thanks,
> > > > > Robert
> > > > >
> > > > > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > > > [4]: https://issues.apache.org/jira/browse/LEGAL-666

Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
On Wed, 2024-02-28 at 11:22 +0100, Carsten Ziegeler wrote:
> Can we do this without creating a new git repo? Creating a separate new repo gives a different message than what we intend it to be.
>
> It would be great if we could do this directly in SVN :)

I think that would be pretty complex; the SVN repo is read-only and we haven't done a release from SVN for years - not sure if the plug-in / SVN versions we used back then still work with the current Maven versions.

I also am not very concerned about people misinterpreting Sling git repo number 347 :-) But if we want to be extra careful, we could create it and immediately deprecate it [1]. Any potential contributions would land in the 'maintenance' branch and any potential releases would be created from the same place.

Robert

[1]: https://sling.apache.org/documentation/development/deprecating-sling-modules.html

> Regards
> Carsten
>
> On 28.02.2024 10:52, Robert Munteanu wrote:
> > Hi Jörg
> >
> > On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > > Hi Robert,
> > >
> > > makes sense.
> > >
> > > To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.
> >
> > There is no intention to use this again in any other modules, add it to the Starter, etc. We will keep the code deprecated. At the same time, we may choose to apply fixes for the reported CVEs, if those are already available upstream, and cut a new release.
> >
> > Thanks,
> > Robert
> >
> > > Correct?
> > >
> > > Jörg
> > >
> > > On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
> > > >
> > > > After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
> > > >
> > > > In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
> > > >
> > > > I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
> > > >
> > > > I will leave this thread open for comments for 72 hours.
> > > >
> > > > Thanks,
> > > > Robert
> > > >
> > > > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > > [4]: https://issues.apache.org/jira/browse/LEGAL-666

Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
Can we do this without creating a new git repo? Creating a separate new repo gives a different message than what we intend it to be.

It would be great if we could do this directly in SVN :)

Regards
Carsten

On 28.02.2024 10:52, Robert Munteanu wrote:
> Hi Jörg
>
> On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> > Hi Robert,
> >
> > makes sense.
> >
> > To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.
>
> There is no intention to use this again in any other modules, add it to the Starter, etc. We will keep the code deprecated. At the same time, we may choose to apply fixes for the reported CVEs, if those are already available upstream, and cut a new release.
>
> Thanks,
> Robert
>
> > Correct?
> >
> > Jörg
> >
> > On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
> > >
> > > After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
> > >
> > > In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
> > >
> > > I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
> > >
> > > I will leave this thread open for comments for 72 hours.
> > >
> > > Thanks,
> > > Robert
> > >
> > > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > > [4]: https://issues.apache.org/jira/browse/LEGAL-666

--
Carsten Ziegeler
Adobe
cziege...@apache.org

Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
Hi Jörg

On Tue, 2024-02-27 at 11:06 +0100, Jörg Hoh wrote:
> Hi Robert,
>
> makes sense.
>
> To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.

There is no intention to use this again in any other modules, add it to the Starter, etc. We will keep the code deprecated. At the same time, we may choose to apply fixes for the reported CVEs, if those are already available upstream, and cut a new release.

Thanks,
Robert

> Correct?
>
> Jörg
>
> On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:
>
> > Hi,
> >
> > A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
> >
> > After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
> >
> > In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
> >
> > I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
> >
> > I will leave this thread open for comments for 72 hours.
> >
> > Thanks,
> > Robert
> >
> > [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> > [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> > [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> > [4]: https://issues.apache.org/jira/browse/LEGAL-666

Re: [git] New git repository for retired module - sling-org-apache-sling-commons-json
Hi Robert,

makes sense.

To clarify: We just provide this final version of commons.json as a convenience for all users who are still depending on commons.json; but there is no intention to continue development of commons.json or to re-introduce this dependency again into other areas of Sling.

Correct?

Jörg

On Mon, 26 Feb 2024 at 16:30, Robert Munteanu <romb...@apache.org> wrote:

> Hi,
>
> A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].
>
> After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.
>
> In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]
>
> I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.
>
> I will leave this thread open for comments for 72 hours.
>
> Thanks,
> Robert
>
> [1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
> [2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
> [3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
> [4]: https://issues.apache.org/jira/browse/LEGAL-666

--
https://cqdump.joerghoh.de

[git] New git repository for retired module - sling-org-apache-sling-commons-json
Hi,

A long time ago we retired the commons.json module for legal reasons [1], leaving it only in the SVN attic [2].

After some time a CVE was reported against this module [3] which we could not fix as we could not release new versions.

In the meantime, the JSON library we have been using has changed its license to 'Public domain', which makes it acceptable for use at the ASF. [4]

I would like to create a GitHub repository for this module and include the current state from the attic. This opens up the way for creating a final service release, allowing consumers of this bundle that have not cleaned up their usages to use non-vulnerable versions.

I will leave this thread open for comments for 72 hours.

Thanks,
Robert

[1]: https://lists.apache.org/thread/p9rmd9dvgk04h36dtm6vn0bj6dkx0hkk
[2]: https://svn.apache.org/repos/asf/sling/attic/commons.json/
[3]: https://www.cve.org/CVERecord?id=CVE-2022-47937
[4]: https://issues.apache.org/jira/browse/LEGAL-666