You are viewing a plain text version of this content. The canonical link for it is here.
Posted to server-dev@james.apache.org by "btellier@apache.org" <bt...@apache.org> on 2021/07/23 09:00:43 UTC
[VOTE] Retire Apache James HUPA
Hello all,
Following a first email on the topic [1] I would like to call for a
formal vote on Apache James Hupa retirement.
[1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
Rationnals:
- The latest release (0.3.0) dates from 2012 which is an eternity in
computing.
- The latest tag on Github is 0.0.3
- The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
lost :-(
- This repository is crippled by multiple CVEs (quick dependabot review):
- CVE-2021-29425 (commons-io)
- GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
CVE-2019-10241 CVE-2019-10247 (Jetty server)
- CVE-2020-9447 (gwtupload)
- GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
- CVE-2019-17571 (log4j)
- CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
- Sporadic activity since 2012
- Zero to no exchanges for several years on the mailing lists.
Given that alternatives exists, given that the project is
likely not mature, unmaintained and unsecure, I propose to retire this
Apache James subproject.
|Voting rules: - This is a majority vote as stated in [2] for procedural
issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
https://www.apache.org/foundation/voting.html Following this retirement,
follow up steps are to be taken as described in [3] [3]
https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. Get a formal vote on server-dev mailing list
- 2. Place a RETIRED_PROJECT file marker in the git
- 3. Add a note in the project README
- 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
- 5. Announce it on gene...@james.apache.org and announce@apache
- 6. Add a notice to the Apache website, if present
- 7. Remove releases from downloads.apache.org
- 8. Add notices on the Apache release archives (example
https://archive.apache.org/dist/ant/antidote/ <https://archive.apache.org/dist/ant/antidote/>)
Best regards,
Benoit Tellier
||
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [VOTE] Retire Apache James HUPA
Posted by Eugen Stan <eu...@netdava.com>.
+1
--
Eugen Stan
+40720 898 747 / netdava.com
Re: [VOTE] Retire Apache James HUPA
Posted by Jean Helou <je...@gmail.com>.
+1
Le ven. 23 juil. 2021 à 11:28, Antoine Duprat <ad...@apache.org> a écrit :
> +1
>
> Le ven. 23 juil. 2021 à 11:01, btellier@apache.org <bt...@apache.org> a
> écrit :
>
> > Hello all,
> >
> > Following a first email on the topic [1] I would like to call for a
> > formal vote on Apache James Hupa retirement.
> >
> > [1]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
> >
> > Rationnals:
> > - The latest release (0.3.0) dates from 2012 which is an eternity in
> > computing.
> > - The latest tag on Github is 0.0.3
> > - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> > lost :-(
> > - This repository is crippled by multiple CVEs (quick dependabot
> review):
> > - CVE-2021-29425 (commons-io)
> > - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> > CVE-2019-10241 CVE-2019-10247 (Jetty server)
> > - CVE-2020-9447 (gwtupload)
> > - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> > - CVE-2019-17571 (log4j)
> > - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> > - Sporadic activity since 2012
> > - Zero to no exchanges for several years on the mailing lists.
> >
> > Given that alternatives exists, given that the project is
> > likely not mature, unmaintained and unsecure, I propose to retire this
> > Apache James subproject.
> >
> > |Voting rules: - This is a majority vote as stated in [2] for procedural
> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> > https://www.apache.org/foundation/voting.html Following this retirement,
> > follow up steps are to be taken as described in [3] [3]
> > https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> > | - 1. Get a formal vote on server-dev mailing list
> > - 2. Place a RETIRED_PROJECT file marker in the git
> > - 3. Add a note in the project README
> > - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> > - 5. Announce it on gene...@james.apache.org and announce@apache
> > - 6. Add a notice to the Apache website, if present
> > - 7. Remove releases from downloads.apache.org
> > - 8. Add notices on the Apache release archives (example
> > https://archive.apache.org/dist/ant/antidote/ <
> > https://archive.apache.org/dist/ant/antidote/>)
> >
> > Best regards,
> >
> > Benoit Tellier
> > ||
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> > For additional commands, e-mail: server-dev-help@james.apache.org
> >
> >
>
Re: [VOTE] Retire Apache James HUPA
Posted by Antoine Duprat <ad...@apache.org>.
+1
Le ven. 23 juil. 2021 à 11:01, btellier@apache.org <bt...@apache.org> a
écrit :
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
> - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
> - The latest tag on Github is 0.0.3
> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
> - This repository is crippled by multiple CVEs (quick dependabot review):
> - CVE-2021-29425 (commons-io)
> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
> - CVE-2020-9447 (gwtupload)
> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> - CVE-2019-17571 (log4j)
> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> - Sporadic activity since 2012
> - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> | - 1. Get a formal vote on server-dev mailing list
> - 2. Place a RETIRED_PROJECT file marker in the git
> - 3. Add a note in the project README
> - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> - 5. Announce it on gene...@james.apache.org and announce@apache
> - 6. Add a notice to the Apache website, if present
> - 7. Remove releases from downloads.apache.org
> - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <
> https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
Re: [VOTE] Retire Apache James HUPA
Posted by Manuel Carrasco Moñino <ma...@apache.org>.
I agree, there is no such interest in using and maintaining that piece of
software, let's retire it.
My vote is +1
Thanks
- Manolo
On Mon, Jul 26, 2021 at 1:39 PM Dongxu Wang <do...@apache.org> wrote:
> +1
>
> On Mon, Jul 26, 2021 at 7:38 PM Dongxu 王东旭 <ec...@gmail.com> wrote:
>
> > +1
> >
> > ccing Manolo, thank you.
> >
> > On Mon, Jul 26, 2021 at 10:16 AM Rene Cordier <rc...@apache.org>
> wrote:
> >
> >> +1,
> >>
> >> Rene.
> >>
> >> On 23/07/2021 16:00, btellier@apache.org wrote:
> >> > Hello all,
> >> >
> >> > Following a first email on the topic [1] I would like to call for a
> >> > formal vote on Apache James Hupa retirement.
> >> >
> >> > [1]
> >> https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
> >> >
> >> > Rationnals:
> >> > - The latest release (0.3.0) dates from 2012 which is an eternity in
> >> > computing.
> >> > - The latest tag on Github is 0.0.3
> >> > - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> >> > lost :-(
> >> > - This repository is crippled by multiple CVEs (quick dependabot
> >> review):
> >> > - CVE-2021-29425 (commons-io)
> >> > - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> >> > CVE-2019-10241 CVE-2019-10247 (Jetty server)
> >> > - CVE-2020-9447 (gwtupload)
> >> > - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> >> > - CVE-2019-17571 (log4j)
> >> > - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> >> > - Sporadic activity since 2012
> >> > - Zero to no exchanges for several years on the mailing lists.
> >> >
> >> > Given that alternatives exists, given that the project is
> >> > likely not mature, unmaintained and unsecure, I propose to retire this
> >> > Apache James subproject.
> >> >
> >> > |Voting rules: - This is a majority vote as stated in [2] for
> procedural
> >> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> >> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> >> > https://www.apache.org/foundation/voting.html Following this
> >> retirement,
> >> > follow up steps are to be taken as described in [3] [3]
> >> >
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> >> | - 1. Get a formal vote on server-dev mailing list
> >> > - 2. Place a RETIRED_PROJECT file marker in the git
> >> > - 3. Add a note in the project README
> >> > - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> >> > - 5. Announce it on gene...@james.apache.org and announce@apache
> >> > - 6. Add a notice to the Apache website, if present
> >> > - 7. Remove releases from downloads.apache.org
> >> > - 8. Add notices on the Apache release archives (example
> >> > https://archive.apache.org/dist/ant/antidote/ <
> >> https://archive.apache.org/dist/ant/antidote/>)
> >> >
> >> > Best regards,
> >> >
> >> > Benoit Tellier
> >> > ||
> >> >
> >> >
> >> > ---------------------------------------------------------------------
> >> > To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> >> > For additional commands, e-mail: server-dev-help@james.apache.org
> >> >
> >> >
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> >> For additional commands, e-mail: server-dev-help@james.apache.org
> >>
> >>
>
Re: [VOTE] Retire Apache James HUPA
Posted by Dongxu Wang <do...@apache.org>.
+1
On Mon, Jul 26, 2021 at 7:38 PM Dongxu 王东旭 <ec...@gmail.com> wrote:
> +1
>
> ccing Manolo, thank you.
>
> On Mon, Jul 26, 2021 at 10:16 AM Rene Cordier <rc...@apache.org> wrote:
>
>> +1,
>>
>> Rene.
>>
>> On 23/07/2021 16:00, btellier@apache.org wrote:
>> > Hello all,
>> >
>> > Following a first email on the topic [1] I would like to call for a
>> > formal vote on Apache James Hupa retirement.
>> >
>> > [1]
>> https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>> >
>> > Rationnals:
>> > - The latest release (0.3.0) dates from 2012 which is an eternity in
>> > computing.
>> > - The latest tag on Github is 0.0.3
>> > - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
>> > lost :-(
>> > - This repository is crippled by multiple CVEs (quick dependabot
>> review):
>> > - CVE-2021-29425 (commons-io)
>> > - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
>> > CVE-2019-10241 CVE-2019-10247 (Jetty server)
>> > - CVE-2020-9447 (gwtupload)
>> > - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
>> > - CVE-2019-17571 (log4j)
>> > - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
>> > - Sporadic activity since 2012
>> > - Zero to no exchanges for several years on the mailing lists.
>> >
>> > Given that alternatives exists, given that the project is
>> > likely not mature, unmaintained and unsecure, I propose to retire this
>> > Apache James subproject.
>> >
>> > |Voting rules: - This is a majority vote as stated in [2] for procedural
>> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
>> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
>> > https://www.apache.org/foundation/voting.html Following this
>> retirement,
>> > follow up steps are to be taken as described in [3] [3]
>> > https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
>> | - 1. Get a formal vote on server-dev mailing list
>> > - 2. Place a RETIRED_PROJECT file marker in the git
>> > - 3. Add a note in the project README
>> > - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
>> > - 5. Announce it on gene...@james.apache.org and announce@apache
>> > - 6. Add a notice to the Apache website, if present
>> > - 7. Remove releases from downloads.apache.org
>> > - 8. Add notices on the Apache release archives (example
>> > https://archive.apache.org/dist/ant/antidote/ <
>> https://archive.apache.org/dist/ant/antidote/>)
>> >
>> > Best regards,
>> >
>> > Benoit Tellier
>> > ||
>> >
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
>> > For additional commands, e-mail: server-dev-help@james.apache.org
>> >
>> >
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
>> For additional commands, e-mail: server-dev-help@james.apache.org
>>
>>
Re: [VOTE] Retire Apache James HUPA
Posted by Dongxu 王东旭 <ec...@gmail.com>.
+1
ccing Manolo, thank you.
On Mon, Jul 26, 2021 at 10:16 AM Rene Cordier <rc...@apache.org> wrote:
> +1,
>
> Rene.
>
> On 23/07/2021 16:00, btellier@apache.org wrote:
> > Hello all,
> >
> > Following a first email on the topic [1] I would like to call for a
> > formal vote on Apache James Hupa retirement.
> >
> > [1]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
> >
> > Rationnals:
> > - The latest release (0.3.0) dates from 2012 which is an eternity in
> > computing.
> > - The latest tag on Github is 0.0.3
> > - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> > lost :-(
> > - This repository is crippled by multiple CVEs (quick dependabot
> review):
> > - CVE-2021-29425 (commons-io)
> > - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> > CVE-2019-10241 CVE-2019-10247 (Jetty server)
> > - CVE-2020-9447 (gwtupload)
> > - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> > - CVE-2019-17571 (log4j)
> > - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> > - Sporadic activity since 2012
> > - Zero to no exchanges for several years on the mailing lists.
> >
> > Given that alternatives exists, given that the project is
> > likely not mature, unmaintained and unsecure, I propose to retire this
> > Apache James subproject.
> >
> > |Voting rules: - This is a majority vote as stated in [2] for procedural
> > issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> > vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> > https://www.apache.org/foundation/voting.html Following this retirement,
> > follow up steps are to be taken as described in [3] [3]
> > https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html
> | - 1. Get a formal vote on server-dev mailing list
> > - 2. Place a RETIRED_PROJECT file marker in the git
> > - 3. Add a note in the project README
> > - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> > - 5. Announce it on gene...@james.apache.org and announce@apache
> > - 6. Add a notice to the Apache website, if present
> > - 7. Remove releases from downloads.apache.org
> > - 8. Add notices on the Apache release archives (example
> > https://archive.apache.org/dist/ant/antidote/ <
> https://archive.apache.org/dist/ant/antidote/>)
> >
> > Best regards,
> >
> > Benoit Tellier
> > ||
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> > For additional commands, e-mail: server-dev-help@james.apache.org
> >
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
Re: [VOTE] Retire Apache James HUPA
Posted by Rene Cordier <rc...@apache.org>.
+1,
Rene.
On 23/07/2021 16:00, btellier@apache.org wrote:
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
> - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
> - The latest tag on Github is 0.0.3
> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
> - This repository is crippled by multiple CVEs (quick dependabot review):
> - CVE-2021-29425 (commons-io)
> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
> - CVE-2020-9447 (gwtupload)
> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> - CVE-2019-17571 (log4j)
> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> - Sporadic activity since 2012
> - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. Get a formal vote on server-dev mailing list
> - 2. Place a RETIRED_PROJECT file marker in the git
> - 3. Add a note in the project README
> - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> - 5. Announce it on gene...@james.apache.org and announce@apache
> - 6. Add a notice to the Apache website, if present
> - 7. Remove releases from downloads.apache.org
> - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [VOTE] Retire Apache James HUPA
Posted by Raphaël Ouazana-Sustowski <ro...@apache.org>.
+1
Le 23/07/2021 à 11:00, btellier@apache.org a écrit :
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
> - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
> - The latest tag on Github is 0.0.3
> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
> - This repository is crippled by multiple CVEs (quick dependabot review):
> - CVE-2021-29425 (commons-io)
> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
> - CVE-2020-9447 (gwtupload)
> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> - CVE-2019-17571 (log4j)
> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> - Sporadic activity since 2012
> - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. Get a formal vote on server-dev mailing list
> - 2. Place a RETIRED_PROJECT file marker in the git
> - 3. Add a note in the project README
> - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> - 5. Announce it on gene...@james.apache.org and announce@apache
> - 6. Add a notice to the Apache website, if present
> - 7. Remove releases from downloads.apache.org
> - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [VOTE] Retire Apache James HUPA
Posted by "btellier@apache.org" <bt...@apache.org>.
With 8 vote in favour, 4 of them being binding, this vote is a success.
I will carry over the follow up steps.
Regards,
Benoit
On 23/07/2021 16:00, btellier@apache.org wrote:
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
> - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
> - The latest tag on Github is 0.0.3
> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
> - This repository is crippled by multiple CVEs (quick dependabot review):
> - CVE-2021-29425 (commons-io)
> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
> - CVE-2020-9447 (gwtupload)
> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> - CVE-2019-17571 (log4j)
> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> - Sporadic activity since 2012
> - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. Get a formal vote on server-dev mailing list
> - 2. Place a RETIRED_PROJECT file marker in the git
> - 3. Add a note in the project README
> - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> - 5. Announce it on gene...@james.apache.org and announce@apache
> - 6. Add a notice to the Apache website, if present
> - 7. Remove releases from downloads.apache.org
> - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: [VOTE] Retire Apache James HUPA
Posted by "btellier@linagora.com" <bt...@linagora.com>.
+1
On 23/07/2021 16:00, btellier@apache.org wrote:
> Hello all,
>
> Following a first email on the topic [1] I would like to call for a
> formal vote on Apache James Hupa retirement.
>
> [1] https://www.mail-archive.com/server-dev@james.apache.org/msg70575.html
>
> Rationnals:
> - The latest release (0.3.0) dates from 2012 which is an eternity in
> computing.
> - The latest tag on Github is 0.0.3
> - The pom references 0.0.5-SNAPSHOT suggesting that 0.0.4 release is
> lost :-(
> - This repository is crippled by multiple CVEs (quick dependabot review):
> - CVE-2021-29425 (commons-io)
> - GHSA-m6cp-vxjx-65j6 CVE-2017-7656 CVE-2015-2080 CVE-2017-7657
> CVE-2019-10241 CVE-2019-10247 (Jetty server)
> - CVE-2020-9447 (gwtupload)
> - GHSA-g3wg-6mcf-8jj6 (jetty-webapp)
> - CVE-2019-17571 (log4j)
> - CVE-2016-1000031 CVE-2016-3092 (commons-fileupload)
> - Sporadic activity since 2012
> - Zero to no exchanges for several years on the mailing lists.
>
> Given that alternatives exists, given that the project is
> likely not mature, unmaintained and unsecure, I propose to retire this
> Apache James subproject.
>
> |Voting rules: - This is a majority vote as stated in [2] for procedural
> issues. - The vote starts at Friday 23rd of July 2021, 4pm UTC+7 - The
> vote ends at Friday 30th of July 2021, 4pm UTC+7 [2]
> https://www.apache.org/foundation/voting.html Following this retirement,
> follow up steps are to be taken as described in [3] [3]
> https://www.mail-archive.com/server-dev@james.apache.org/msg70585.html | - 1. Get a formal vote on server-dev mailing list
> - 2. Place a RETIRED_PROJECT file marker in the git
> - 3. Add a note in the project README
> - 4. Retire the ISSUE trackers (Project names HUPA and POSTAGE)
> - 5. Announce it on gene...@james.apache.org and announce@apache
> - 6. Add a notice to the Apache website, if present
> - 7. Remove releases from downloads.apache.org
> - 8. Add notices on the Apache release archives (example
> https://archive.apache.org/dist/ant/antidote/ <https://archive.apache.org/dist/ant/antidote/>)
>
> Best regards,
>
> Benoit Tellier
> ||
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
> For additional commands, e-mail: server-dev-help@james.apache.org
>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org