Reverted my change back to the openejb-jstl on 1.7.x just until I have a
patch for the Tomcat JSTL jars ready.

Jon

On Fri, Sep 1, 2017 at 10:10 AM, Jonathan Gallimore <
jonathan.gallim...@gmail.com> wrote:

> Awesome, thanks!
>
> Jon
>
> On Fri, Sep 1, 2017 at 6:34 AM, Svetlin Zarev <
> svetlin.angelov.za...@gmail.com> wrote:
>
>> Here it is: https://issues.apache.org/jira/browse/TOMEE-2113
>>
>> 2017-08-31 19:05 GMT+03:00 Jonathan Gallimore <
>> jonathan.gallim...@gmail.com>
>> :
>>
>> > I'll do a search and see if I can dig that out. Good shout - thank you.
>> >
>> > Jon
>> >
>> > On Thu, Aug 31, 2017 at 5:00 PM, Romain Manni-Bucau <rmannibu...@gmail.com>
>> > wrote:
>> >
>> > > +1
>> > >
>> > > side note: we should probably link this to the user thread, can try to find it
>> > > back later this week if needed
>> > >
>> > >
>> > > Romain Manni-Bucau
>> > > @rmannibucau <https://twitter.com/rmannibucau> |  Blog
>> > > <https://blog-rmannibucau.rhcloud.com> | Old Blog
>> > > <http://rmannibucau.wordpress.com> | Github <https://github.com/
>> > > rmannibucau> |
>> > > LinkedIn <https://www.linkedin.com/in/rmannibucau> | JavaEE Factory
>> > > <https://javaeefactory-rmannibucau.rhcloud.com>
>> > >
>> > > 2017-08-31 17:54 GMT+02:00 Jonathan Gallimore <
>> > > jonathan.gallim...@gmail.com>
>> > > :
>> > >
>> > > > Just to make sure I understand - (3) would be your preference, but if
>> > > > that's difficult you'd live with (1) if it came to it, with (2) being your
>> > > > least favorite.
>> > > >
>> > > > We should only need to pick one - I can confirm that option (1) on its own
>> > > > works, as does option (2) on its own. I'm definitely happy to have a crack
>> > > > at option (3) and present a PR for each and let the community decide which
>> > > > it likes the best.
>> > > >
>> > > > Thanks for your input, I appreciate it.
>> > > >
>> > > > Jon
>> > > >
>> > > > On Thu, Aug 31, 2017 at 4:42 PM, Romain Manni-Bucau <rmannibu...@gmail.com>
>> > > > wrote:
>> > > >
>> > > > > yep, 3, 1, 2 for the complete order (a mix of compatibility and
>> > > > > influence/ASF consistency).
>> > > > >
>> > > > >
>> > > > >
>> > > > > 2017-08-31 16:53 GMT+02:00 Jonathan Gallimore <
>> > > > > jonathan.gallim...@gmail.com>
>> > > > > :
>> > > > >
>> > > > > > Uh, yeah, I think I misunderstood. I think we agree that the code I
>> > > > > > attached should work out of the box, requiring no changes to TomEE. That
>> > > > > > leaves us with a few options:
>> > > > > >
>> > > > > > 1. Use the taglibs-standard-jstlel jars as we are now, and add the
>> > > > > > dependency for Xalan -> trivial change, but adds 3MB to our binaries.
>> > > > > > 2. Switch to org.glassfish.web:javax.servlet.jsp.jstl which uses a CDDL/GPL
>> > > > > > + CP exception licence. Does not require Xalan -> easy change to make and
>> > > > > > appears to work (I believe the license is ok for us to use it). Not sure if
>> > > > > > there are other restrictions or issues with us using that.
>> > > > > > 3. Patch the Tomcat taglibs libraries to use the XPath support built into
>> > > > > > the JVM as opposed to Xalan. I did have a look at this yesterday, and it
>> > > > > > didn't look like a straightforward change at the time. I'm happy to look at
>> > > > > > it again though if we feel that's the way forward.
>> > > > > >
>> > > > > > I think you're stating a preference for (3) - is that correct?
>> > > > > >
>> > > > > > Cheers
>> > > > > >
>> > > > > > Jon
>> > > > > >
>> > > > > > On Thu, Aug 31, 2017 at 3:25 PM, Romain Manni-Bucau <rmannibu...@gmail.com>
>> > > > > > wrote:
>> > > > > >
>> > > > > > > Hmm, shout if wrong but think you misunderstood the "optional" in my
>> > > > > > > sentence. I meant we patch trunk to remove the adherence to xalan.
>> > > > > > >
>> > > > > > >
>> > > > > > >
>> > > > > > > 2017-08-31 15:41 GMT+02:00 Jonathan Gallimore <
>> > > > > > > jonathan.gallim...@gmail.com>
>> > > > > > > :
>> > > > > > >
>> > > > > > > > Thanks Romain. That is definitely the simplest path - xalan is already
>> > > > > > > > marked as an optional dependency, so we wouldn't need to do anything. From
>> > > > > > > > a compliance perspective, where would this leave us? Wouldn't we need this
>> > > > > > > > to work out of the box without adding libraries to be compliant? If it
>> > > > > > > > doesn't affect us in that respect, then I think we're probably good to go.
>> > > > > > > >
>> > > > > > > > Jon
>> > > > > > > >
>> > > > > > > > On Thu, Aug 31, 2017 at 1:57 PM, Romain Manni-Bucau <rmannibu...@gmail.com>
>> > > > > > > > wrote:
>> > > > > > > >
>> > > > > > > > > Hi Jon
>> > > > > > > > >
>> > > > > > > > > there is another thread on it (probably on user@)
>> > > > > > > > >
>> > > > > > > > > I think we should just make xalan optional in the lib and upgrade.
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > >
>> > > > > > > > > 2017-08-31 13:19 GMT+02:00 Jonathan Gallimore <
>> > > > > > > > > jonathan.gallim...@gmail.com>
>> > > > > > > > > :
>> > > > > > > > >
>> > > > > > > > > > Correction - that should be: "CDDL or GPL with classpath exception".
>> > > > > > > > > >
>> > > > > > > > > > On Thu, Aug 31, 2017 at 12:16 PM, Jonathan Gallimore <
>> > > > > > > > > > jonathan.gallim...@gmail.com> wrote:
>> > > > > > > > > >
>> > > > > > > > > > > Great question. CDDL _or_ GPL, by the look of it.
>> > > > > > > > > > > https://github.com/javaee/jstl-api/blob/master/LICENSE - same as JAXB I
>> > > > > > > > > > > believe.
>> > > > > > > > > > >
>> > > > > > > > > > > Jon
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > > On Thu, Aug 31, 2017 at 11:55 AM, Jean-Louis Monteiro <jlmonte...@tomitribe.com> wrote:
>> > > > > > > > > > >
>> > > > > > > > > > >> What is the licence for GlassFish one?
>> > > > > > > > > > >>
>> > > > > > > > > > >> On 31 Aug 2017 12:38, "Jonathan Gallimore" <jonathan.gallim...@gmail.com> wrote:
>> > > > > > > > > > >>
>> > > > > > > > > > >> > Hi
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > On master we shifted from openejb-jstl to taglibs-standard-jstlel. I have
>> > > > > > > > > > >> > done the same on the 1.7.x branch, specifically to move on from the old
>> > > > > > > > > > >> > openejb-jstl (looking at
>> > > > > > > > > > >> > https://nvd.nist.gov/vuln/detail/CVE-2015-0254). The
>> > > > > > > > > > >> > taglibs-standard-jstlel library does seem to depend on xalan, which we
>> > > > > > > > > > >> > currently do not include in TomEE.
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > The impact is that some XML functions in JSP code do not work, for
>> > > > > > > > > > >> > example:
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > <%@ taglib prefix="x" uri="http://java.sun.com/jstl/xml" %>
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > <x:parse var="movies">
>> > > > > > > > > > >> >     <movies>
>> > > > > > > > > > >> >       <movie id="1" name="Wedding Crashers" director="David Dobkin" genre="Comedy" rating="7" year="2005" />
>> > > > > > > > > > >> >       <movie id="2" name="Starsky &amp; Hutch" director="Todd Phillips" genre="Action" rating="6" year="2004" />
>> > > > > > > > > > >> >       <movie id="3" name="Shanghai Knights" director="David Dobkin" genre="Action" rating="6" year="2003" />
>> > > > > > > > > > >> >       <movie id="4" name="I-Spy" director="Betty Thomas" genre="Adventure" rating="5" year="2002" />
>> > > > > > > > > > >> >       <movie id="5" name="The Royal Tenenbaums" director="Wes Anderson" genre="Comedy" rating="8" year="2001" />
>> > > > > > > > > > >> >       <movie id="6" name="Zoolander" director="Ben Stiller" genre="Comedy" rating="6" year="2001" />
>> > > > > > > > > > >> >       <movie id="7" name="Shanghai Noon" director="Tom Dey" genre="Comedy" rating="7" year="2000" />
>> > > > > > > > > > >> >     </movies>
>> > > > > > > > > > >> > </x:parse>
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > Movie 1 Genre: <x:out select="$movies//movie[@id='1']/@genre" /><br />
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > fails with java.lang.NoClassDefFoundError: org/apache/xpath/XPath (this on
>> > > > > > > > > > >> > both 1.7.x and master)
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > Including Xalan does fix this, but it's a 3MB dependency.
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > The alternative is to use org.glassfish.web:javax.servlet.jsp.jstl
>> > > > > > > > > > >> > instead, which I have tested and seems to work. Anyone have any thoughts?
>> > > > > > > > > > >> >
>> > > > > > > > > > >> > Jon
>> > > > > > > > > > >> >
>> > > > > > > > > > >>
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > >
>> > > > > > > > >
>> > > > > > > >
>> > > > > > >
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>
>
