Re: [VOTE] Apache TomEE 7.1.5

2022-08-02 Thread Alex The Rocker
Hello, [-1] (non binding) Indeed, I downloaded TomEE+ 7.1.5 binary (from https://dist.apache.org/repos/dist/dev/tomee/staging-1206/tomee-7.1.5/apache-tomee-7.1.5-plus.tar.gz) and then I ran Grype (https://github.com/anchore/grype) on TomEE+'s archive extract directory. That gives 2 Critical and

Re: [VOTE] Apache TomEE 7.1.5

2022-08-02 Thread Jean-Louis Monteiro
-1 (binding) Something went bad during the release. Looks like our libs are still 1.7.5-SNAPSHOT. -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com On Tue, Aug 2, 2022 at 2:37 PM Alex The Rocker wrote: > Hello, > > [-1] (non binding) > > Indeed, I downloaded Tom

[CANCEL] [VOTE] Apache TomEE 7.1.5

2022-08-02 Thread Zowalla, Richard
Hi, thanks for the concerns raised. Better to check the CVE report and do a re-roll ;-) @JL: Will take a look. @Alex Thanks. We might not be able to address all CVEs as some of the libs used for EE7 aren't patched / updated anymore. I will have a look. Regards, Richard

Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Jean-Louis Monteiro
Hi all, Don't want to hijack the other thread, so starting a new one based on the discussion. I don't think releasing a "last 7.1.x" version with CVEs would be of > any good I join Alex on this one. Does it really make sense to release a TomEE app server with known CVEs? I'm not arguing on the

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Richard Zowalla
Hi all, thanks for the thread, JL! Sorry, a bit longer than anticipated ;) As promised in the other thread, I took a look at the grype scan results. While there are many false positives (mostly related to the Geronimo specs and ActiveMQ), there are indeed some CVEs of interest: - cxf - tomcat (wi

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Alex The Rocker
Hi Richard, I vote (non-binding) for option B, i.e. releasing a TomEE 7.1.5 with patched CVEs and announcing that this will be the last one of the 7.1.x series and that users must have a plan to migrate to 8.0.x (or 9.0.x when it'll be released). Thanks, Alex On Tue, Aug 2, 2022 at 20:19, Richard Zowa

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread David Blevins
My personal perspective is that if there are people who want to focus their time on 7.1.x (option B), I’m happy to let them. They would need to do a complete job however (i.e. not option A). That said, if I had to do the work it’d be option C, D, or E. My discomfort with labeling something EOL i

Re: TomEE 8.x build under JDK 11 and higher

2022-08-02 Thread Jonathan S. Fisher
Late reply: we're running TomEE 8.0.12 in prod with JDK 17 on 9 apps :) no issues to report. On Thu, Jul 7, 2022 at 3:56 AM Jean-Louis Monteiro wrote: > Hi all, > > I took some time to fix a couple of things in the TomEE 8.x maintenance > branch so it can build under a JDK 11+ JVM. It's still bu

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread David Blevins
How about a simple “inactive” label? -David On Tue, Aug 2, 2022 at 2:41 PM David Blevins wrote: > My personal perspective is that if there are people who want to focus their > time on 7.1.x (option B), I’m happy to let them. They would need to do a > complete job however (i.e. not option A). >

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Jean-Louis Monteiro
Yeah if users want to maintain and fix third party libraries, I'm fine with that and I'm also fine to do a release when it's ok. Inactive is fine. We just need to find something and document it on our website. -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com On T