Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Jean-Louis Monteiro
+1 on spending time to finish EE9 compliance and work on EE10 + MicroProfile. Patching CXF with the patch plugin will probably not make the report any better, because the jar file will be the same with the same version. Even if we can maintain a list of fixed CVEs using this approach, we'll have to exclude
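The point above (a jar patched in place still shows up in the scan report because the scanner keys on the artifact's declared version, not on its contents) can be shown with a small model of how a Java SCA cataloger works. This is an added example, not code from TomEE, CXF or grype: it builds constructed jars with a `META-INF/maven/<group>/<artifact>/pom.properties` entry, reads back the coordinates the way syft/grype's Java cataloger does, and matches them against a constructed, hypothetical advisory table (`org.example:example-lib` and `EXAMPLE-ADVISORY-1` are placeholders, not real identifiers).

```python
"""Why an in-place patched jar still trips an SCA scanner (added example).

Scanners such as grype identify a Java dependency from the Maven coordinates
embedded in the jar (META-INF/maven/<g>/<a>/pom.properties) and match those
coordinates against their advisory database. Replacing classes inside the jar
changes the bytes but not the coordinates, so the same advisory still fires.
Only an artifact with a new version (a real rebuilt release) drops the match.
"""
import io
import zipfile


def build_jar(group, artifact, version, classes):
    """Construct an in-memory jar with pom.properties plus the given class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            f"META-INF/maven/{group}/{artifact}/pom.properties",
            f"groupId={group}\nartifactId={artifact}\nversion={version}\n",
        )
        for name, body in classes.items():
            z.writestr(name, body)
    return buf.getvalue()


def maven_coordinates(jar_bytes):
    """Mimic a Java cataloger: collect (groupId, artifactId, version) from pom.properties."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in z.read(name).decode("utf-8").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                coords.append((props["groupId"], props["artifactId"], props["version"]))
    return coords


# Constructed, hypothetical advisory database keyed the way a scanner keys it:
# exact coordinates of the affected artifact version.
ADVISORIES = {
    ("org.example", "example-lib", "1.0.0"): ["EXAMPLE-ADVISORY-1"],
}


def scan(jar_bytes):
    """Return the advisory IDs a coordinate-based scanner would report for this jar."""
    hits = []
    for coord in maven_coordinates(jar_bytes):
        hits.extend(ADVISORIES.get(coord, []))
    return hits


def demo():
    """Original jar, the same jar with a class patched in place, and a rebuilt release."""
    original = build_jar("org.example", "example-lib", "1.0.0",
                         {"org/example/Vuln.class": b"old bytecode"})
    patched = build_jar("org.example", "example-lib", "1.0.0",
                        {"org/example/Vuln.class": b"fixed bytecode"})
    rebuilt = build_jar("org.example", "example-lib", "1.0.1",
                        {"org/example/Vuln.class": b"fixed bytecode"})
    return {
        "original": scan(original),
        "patched_in_place": scan(patched),   # contents differ, report does not
        "rebuilt_new_version": scan(rebuilt),
        "patched_bytes_differ": original != patched,
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The practical consequence is the one the message draws: if the fix is applied by patching classes inside the same `cxf-*:<version>` jar, the only way to make the report match reality is to maintain an explicit suppression list (grype reads these from the `ignore` section of its `.grype.yaml`, keyed by vulnerability ID and package name/version) and to document why each entry is there, which is exactly the maintenance burden being discussed.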

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Zowalla, Richard
Hi all, I see your point, David. If we announce something EOL (which is quite a "hard" thing in terms of the ASF), we might lose potential volunteers, who might want to maintain and contribute by patching and/or fixing 3rd party vulnerabilities by forking. I like the idea of labeling something

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Jonathan Gallimore
My general thoughts on this are: * While I understand the desire for a patched release, forking the CXF project feels like a lot of work, particularly if we're only looking to do one final release from this branch. I personally would prefer to spend my time working on Jakarta EE 9/10 support and

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Swell
Hi. I often use website like https://endoflife.date/tomcat to know if I really must upgrade. Very useful to know the status of projects. I feel I’m not the only one using it and people could have a use for TomEE out there, let it be marked as EOL or inactive. Swell On Wed 3 Aug 2022 at 08:48,

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-03 Thread Jean-Louis Monteiro
Yeah if users want to maintain and fix third party libraries, I'm fine with that and I'm also fine to do a release when it's ok. Inactive is fine. We just need to find something and document it on our website. -- Jean-Louis Monteiro http://twitter.com/jlouismonteiro http://www.tomitribe.com On

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread David Blevins
How about a simple "inactive" label? -David On Tue, Aug 2, 2022 at 2:41 PM David Blevins wrote: > My personal perspective is that if there are people who want to focus their > time on 7.1.x (option B), I'm happy to let them. They would need to do a > complete job however (i.e. not option A).

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Alex The Rocker
Hi Richard, I vote (non-binding) for option B, i.e. releasing a TomEE 7.1.5 with patched CVEs and announcing that this will be the last one of the 7.1.x series and that users must have a plan to migrate to 8.0.x (or 9.0.x when it is released). Thanks, Alex Le mar. 2 août 2022 à 20:19, Richard

Re: Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Richard Zowalla
Hi all, thanks for the thread, JL! Sorry, a bit longer than anticipated ;) As promised in the other thread, I took a look at the grype scan results. While there are many false positives (mostly related to the Geronimo specs and ActiveMQ), there are indeed some CVEs of interest: - cxf - tomcat

Maintain 7.1.x branch (was [CANCEL] [VOTE] Apache TomEE 7.1.5)

2022-08-02 Thread Jean-Louis Monteiro
Hi all, Don't want to hijack the other thread, so starting a new one based on the discussion. I don't think releasing a "last 7.1.x" version with CVEs would be of > any good I join Alex on this one. Does it really make sense to release a TomEE app server with known CVEs? I'm not arguing on the