Hi there,
It's been more than 3 monthes since TomEE 9.1.2 was released.
Couples of updates have been delivered in 9.1.3 in-work, including 2 CVE fixes.
Wouln't it be a good thing to release a 9.1.3 within coming weeks?
(I know we would like to have 10.0.0 asap, but a small patch release
on 9.2.x
Hi,
I would love it!
Frankie
> -Ursprüngliche Nachricht-
> Von: Alex The Rocker
> Gesendet: Freitag, 29. März 2024 11:01
> An: dev@tomee.apache.org
> Betreff: About a TomEE 9.1.3 soon?
>
> Hi there,
>
> It's been more than 3 monthes since TomEE 9.1.2 was released.
> Couples of updates
Hi all,
I want to bring to your attention, that we had recently some discussion
around our current strategy of backporting cve related fixes to TomEE
9.1.x [1].
We are in a situation, in which the Tomcat community has decided to
stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
Hi,
I have nothing against doing a TomEE 9.1.3, which is merely a time
thing. Doing the actual release preperation, starting the vote, etc.
takes ~ 30-60min depending on a machine.
If we need to do additional library upgrades, it might take some
additional time to wait until CI is complete and to
Hi all,
just to give a short additional note here:
We are currently waiting for a Johnzon 2.0.1 vote to pass [1], which I
expect to be the case after Eastern has passed.
If no one objects, I would like to start the process to get a milestone
release out of the "main" branch rather quickly (i.e.
+1
Richard Zowalla schrieb am Fr., 29. März 2024, 12:50:
> Hi all,
>
> just to give a short additional note here:
>
> We are currently waiting for a Johnzon 2.0.1 vote to pass [1], which I
> expect to be the case after Eastern has passed.
>
> If no one objects, I would like to start the process
Hi Richard,
Maybe not fully answering your request to get dependencies analysis on
lib/, but running latest grype led to this small finding:
NAMEINSTALLED FIXED-IN TYPE VULNERABILITY
SEVERITY
apache-mime4j-core 0.8.7 0.8.10java-archive
GHSA-jw7r-rxff-gv24
+1 for 3)
Richard Zowalla schrieb am Fr., 29. März 2024, 12:38:
> Hi all,
>
> I want to bring to your attention, that we had recently some discussion
> around our current strategy of backporting cve related fixes to TomEE
> 9.1.x [1].
>
> We are in a situation, in which the Tomcat community has
It was more or less a: if you think there is something additional to look at
related to dependencies (CVE or critical bugs), feel free to shout out loud.
Mime4J might be a thing and has already a Jira (If I remember correctly). Boils
down to a dependency management on our side but need to check.
Hello Richard,
I don't see other dependencies which would be vital to upgrade in TomEE 9.1.3.
As discussed on another thread on TomEE dev list, I think that we
should keep 9.1.x series as stable as possible until 10.x is released,
so as to unlock from the weird Tomcat deprecated dependency (Servl
On Fri, Mar 29, 2024 at 12:39 PM Richard Zowalla wrote:
>
> Hi all,
>
> I want to bring to your attention, that we had recently some discussion
> around our current strategy of backporting cve related fixes to TomEE
> 9.1.x [1].
>
> We are in a situation, in which the Tomcat community has decided
About "I don't really understand why many projects focused on EE 9, since
this still looks like a useless release"
=> I disagree, having a Java EE 8 -> Jakarta EE 9 migration path
needing developers to rename javax into jakarta & find compatible
dependencies has been a good "baby step" to leave Ja
I'm more interested in working for 10.x milestone and Jakarta 11 which is
about to be released.
Le ven. 29 mars 2024, 13:52, Alex The Rocker a
écrit :
> Hello Richard,
>
> I don't see other dependencies which would be vital to upgrade in TomEE
> 9.1.3.
>
> As discussed on another thread on TomE
+1 for a milestone release
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com
On Fri, Mar 29, 2024 at 12:58 PM Thomas Andraschko <
andraschko.tho...@gmail.com> wrote:
> +1
>
> Richard Zowalla schrieb am Fr., 29. März 2024, 12:50:
>
> > Hi all,
> >
> > just to give
I fully agree with Alex' point of view.
Frankie
> -Ursprüngliche Nachricht-
> Von: Alex The Rocker
> Gesendet: Freitag, 29. März 2024 14:28
> An: dev@tomee.apache.org
> Betreff: Re: [DISCUSS] TomEE 9.1.x and it's crippling dependency on EOL
> Tomcat 10.0.27 - Thoughts?
>
> About "I don't
Great discussion!
For me it would make sense to stay with (1) until we have the first release of
TomEE 10.x and then depending on the state of that release make a new decision
on 9.x.
As I suspect (2) doesn't help very much since it would add more effort than it
saves: instead of backporting C
+1 for a milestone-releaseand it seems like the vote passed ~ an hour ago.
On 29.03.24 12:50, Richard Zowalla wrote:
Hi all,
just to give a short additional note here:
We are currently waiting for a Johnzon 2.0.1 vote to pass [1], which I
expect to be the case after Eastern has passed.
If no
Great answer !
But something puzzles me: unless I have missed something, for year
with TomEE versions before TomEE 9, I have seen web application
relying on very old Java EE specifications running fine ; for example
Java EE 6 ones running with TomEE 8, and quite many still at Java EE 7
running als
Hi all,
I have done some work to setup the TCK for JAX-RS (See PR
https://github.com/apache/tomee/pull/1063).
Thanks to the help of Richard, we got most tests to pass. Unfortunately
the work can not completed, as there is not yet a CXF-Implementation
with full JAX-RS 3.1 support.
My question w
I guess one would net to try, but I think there are definitely some
breaking changes.
In the Spec there is a Appendix about that:
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0#changes-since-jakarta-servlet-5-0
The spec indirectly references this pull-request:
https://git
I'd be 3/ I think.
Anytime I spend on the 9.x branch which is a bytecode transformed version
of TomEE 8 keeps us away from TomEE 10 or even starts TomEE 11.
9.x is equal to 8.x in terms of features. It's meant to be a step to
Jakarta EE 10 to help convert apps to Jakarta namespace. I'd be pushing
FYI: apache-mime4j-core is a shaded dependency of the Jakarta Mail spec
jar inside of Geronimo Mail. I did a quick search in IDE and it's code
doesn't seem to be actually used, so no big deal here (aside from
confusing vulnerability scanners).
Am Freitag, dem 29.03.2024 um 13:07 +0100 schrieb Ale
Guess the answer is "it depends".
As long as your are not using old and deprecated APIs in the webapps,
it shouldn't be a big deal.
Am Freitag, dem 29.03.2024 um 17:51 +0100 schrieb Benedict Eisenkrämer:
> I guess one would net to try, but I think there are definitely some
> breaking changes.
>
Hi,
I guess, we need to have a look into how to run the web plattform tck
[1]. The other tcks, we were currently using, are all more or less
standalone versions of each spec.
At a first glance, it looks familiar to the old(er) tcks for ee8 and
ee91 but didn't look into the zip deeper. Our old se
Hey Rémy,
thanks for your mail on this thread. I also read the thread on the
tomcat list earlier today. I can totally understand the community
decision regarding the EOL date of Tomcat 10.0 - so not an actual thing
to feel sorry about - we just have to deal with it now (and we should
have jumped i
25 matches
Mail list logo
