[MSITE-828] Upgrade jetty to recent version. Update to java 1.8 (required for jetty) #3
Conversation
This seems like a valid reason to require Java 8 for the next release.
However I see a problem right now:
Fixed
LGTM
@rfscholte @hboutemy any objections? Dohh, might be the first plugin being Java 8 required!! :)
Seriously, because of the tests we need to force Java 8 with zero benefit? I have the latest 1.7 Jetty in Wagon which does the job for testing.
@michael-o I would say seriously: in November 2018, with 1.8 already EOL and even 9 or 10 out, what is the point of having 1.7? https://www.oracle.com/technetwork/java/javase/eol-135779.html
LGTM
Nice work!
Hi Michael,
nice to meet again :-)
the change was done on purpose: You know I am hunting down insecure maven configurations in Big Data and IoT projects, though it is the first time I found a maven plugin to be the trigger. The old, deprecated jetty version included an insecure pluginRepository in transitive dependencies to 3rd parties (fortunately I could arrange for the codehaus.org domain to be hosted by Apache, but it is still accessed over http).
All maintained jetty versions need Java 1.8:
http://www.eclipse.org/jetty/documentation/current/what-jetty-version.html
Seriously, my concern was more that we break compatibility through transitive dependencies. Fortunately you don't see this as a problem.
Best Regards,
Olaf
Sent from my iPad
@olamy @oflebbe I definitively see your point, but Jetty 9.2 does its job for testing. As for bumping a Java version: I see this as valid as soon as someone provides good code using those features. When I see how slow we are changing stuff, I don't see this happening beyond 2019. Just for the sake of upgrading, I wouldn't do this.
Hi Michael,
latest jetty 9.2.26 has at least four known vulnerabilities: CVE-2017-7656, CVE-2017-7658, CVE-2017-7657, CVE-2017-9735
Some seem pretty serious to me. There seems to be a reason why it is not maintained any more.
Do you want to argue that an Apache project can deliver insecure software since it is only used for "testing"?
Please keep in mind that the versions chosen will be picked up by 3rd party projects through transitive dependencies.
Best Regards,
Olaf
I see the point, though 9.2 is updated regularly: 9.2.26.v20180806. I don't mind updating per se, but I don't understand how it will improve security if this is testing only and not a compile/runtime dependency. In other words, it is never pulled by a third party. Anyway, I don't see it fixed with https://github.com/eclipse/jetty.project/commits/jetty-9.2.x. It seems fine to me to make this bump for 3.8. BUT I'd like to see "Upgrade to Java 8" with a separate ticket and a subsequent one with Jetty. It makes the stuff transparent for our users.
a bit of paperwork for sure :) https://issues.apache.org/jira/browse/MSITE-829
Just for reference https://issues.apache.org/jira/browse/MSITE-830 more libs to update
@olamy
@olamy Rather than lambdas, I'd rather see NIO2 use first in all Maven.
Honestly guys, I'm so tired of such discussions still happening in July 2019...
So do whatever you want, I'm definitely not interested in participating in archeology work... :)
To add a bit of rant, even Ant requires Java 8 now...
On Fri, 5 Jul 2019 at 10:08 pm, Tibor Digana wrote:
> @olamy
> You have to differentiate between Java Compiler and Java Runtime version. Since we have some rules (Java Compiler 1.7) and you are talking about Java EOL in the comment #3 (comment), we can perfectly recommend using JDK 1.8+ to our users due to JDK security reasons. The Compiler is a totally different story. I obey the rules in Maven ASF and these are Java 1.7. Later we will embed the plugins into Maven 3.7.0, and then I hope we will better organize the transition of plugins from Java 1.7 to 1.8. I hope all of them will be 1.8 related, but it's not this time.
> We can of course open a branch where we will rework the code to Lambdas and nobody would say that we have old and ugly code.
> My recommendation is to use Jetty 9.2.9 for now. Let's open and work on branches java8 in all plugins as a parallel activity. Meanwhile we should work on Maven 3.6.2/3.7.0 and support the plugins at J7 for now.
--
Olivier Lamy
http://twitter.com/olamy | http://linkedin.com/in/olamy
Just to be sure: you guys will release a new version with a downgraded Java version requirement?
Are you serious?
Really? Anyone is free to use old versions of plugins when it fits their needs.
I am leaving this madness.
olaf
…va 1.8 (required for jetty) (#3)
* Upgrade jetty to recent version. Update to java 1.8 (required for jetty)
* Make checkstyle happy
* Introduce jettyVersion property
* Update jettyVersion to 9.4.12.v20180830
* Work around compilation problem for site:run
* Fix obsolete servlet api on classpath
Hi, I am hunting down insecure maven dependencies.
This pull request tries to start a discussion about upgrading jetty to a more recent version.
jetty 6.1.25 does include insecure plugin repositories via its jetty-parent. Found out while I compiled a 3rd party project.
The patch ports the jetty code to current jetty, fixing that issue.
While doing this I found that an inner class of a test, "HttpRequest", was used in normal business logic. I refactored it into business logic.
Since jetty is Java 1.8, I changed maven enforcer to check for Java 1.8 project-wide. Since Java 1.6 is falling out of extended support in a month, Java 1.7 is now unsupported and Java 1.8 is now the old LTS, I think there is little reason to stick with Java 1.6.
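The mechanism described in this PR and in Olaf's comment above (a repository declared in a dependency's parent POM, reached over plain http, that ends up in every downstream build resolving that dependency) is easy to miss when you only read the dependency's own POM, because Maven merges repositories from the whole parent chain into the effective model. The script below is an added example, not code from this PR or from maven-site-plugin: it walks each POM's parent chain and reports every repository or pluginRepository whose URL is not https. The three POMs embedded in it are constructed samples with invented coordinates (org.example:legacy-parent:1, org.example:old-server:6.1, org.example:new-server:9.4) and an invented http URL; they stand in for the jetty-parent case and are not its real content.

```python
"""Find Maven repositories served over plain http, including ones inherited
through a dependency's <parent> chain.

Added example for the maven-site-plugin jetty discussion; not the project's
code. SAMPLE_POMS are constructed stand-ins with invented coordinates and
URLs, not the real jetty-parent POM.
"""
import xml.etree.ElementTree as ET

# Constructed sample POMs keyed by groupId:artifactId:version. The http
# pluginRepository lives in the parent, so reading old-server's own POM
# alone would never reveal it.
SAMPLE_POMS = {
    "org.example:legacy-parent:1": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>legacy-parent</artifactId><version>1</version>
  <repositories>
    <repository><id>secure</id><url>https://repo.example.org/maven2</url></repository>
  </repositories>
  <pluginRepositories>
    <pluginRepository><id>legacy-plugins</id><url>http://legacy.example.org/releases</url></pluginRepository>
  </pluginRepositories>
</project>""",
    "org.example:old-server:6.1": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.example</groupId><artifactId>legacy-parent</artifactId><version>1</version>
  </parent>
  <artifactId>old-server</artifactId>
</project>""",
    "org.example:new-server:9.4": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>new-server</artifactId><version>9.4</version>
</project>""",
}


def _local(tag):
    """Strip the POM XML namespace ({...}name -> name) from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child(el, name):
    """First direct child of el with the given local name, or None."""
    for child in el:
        if _local(child.tag) == name:
            return child
    return None


def _text(el, name):
    child = _child(el, name)
    return child.text.strip() if child is not None and child.text else None


def parent_coordinates(root):
    """groupId:artifactId:version of <parent>, or None for a top-level POM."""
    parent = _child(root, "parent")
    if parent is None:
        return None
    return "%s:%s:%s" % (_text(parent, "groupId"), _text(parent, "artifactId"),
                         _text(parent, "version"))


def declared_repositories(root):
    """Yield (kind, id, url) for repositories declared directly in this POM."""
    for container, kind in (("repositories", "repository"),
                            ("pluginRepositories", "pluginRepository")):
        block = _child(root, container)
        if block is None:
            continue
        for repo in block:
            if _local(repo.tag) == kind:
                yield kind, _text(repo, "id"), _text(repo, "url")


def find_insecure_repositories(gav, poms):
    """Walk gav's parent chain the way Maven builds the effective model and
    return [(declaring_gav, kind, id, url)] for every repository whose URL is
    not https. A POM missing from `poms` is reported as well: an unresolved
    parent is a gap in the audit, not a clean result."""
    findings, seen = [], set()
    while gav is not None and gav not in seen:
        seen.add(gav)
        pom_text = poms.get(gav)
        if pom_text is None:
            findings.append((gav, "missing-pom", None, None))
            break
        root = ET.fromstring(pom_text)
        for kind, repo_id, url in declared_repositories(root):
            if url is None or not url.lower().startswith("https://"):
                findings.append((gav, kind, repo_id, url))
        gav = parent_coordinates(root)
    return findings


def scan(gavs, poms):
    """Audit several coordinates; only entries with findings are returned."""
    return {gav: found for gav in gavs
            if (found := find_insecure_repositories(gav, poms))}


if __name__ == "__main__":
    for gav, found in scan(SAMPLE_POMS, SAMPLE_POMS).items():
        for declaring, kind, repo_id, url in found:
            print("%s: %s '%s' at %s (declared in %s)" % (gav, kind, repo_id, url, declaring))
```

To audit a real build, feed it the coordinates from mvn dependency:tree and the matching .pom files under ~/.m2/repository instead of the samples. One caveat for anyone reproducing the 2018 situation today: Maven 3.8.1 and later block plain-http repositories by default through the built-in maven-default-http-blocker mirror, so a finding like the one above fails the build rather than silently fetching over http; the Maven versions in use when this thread was written do fetch from it.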