[DISCUSS] Geronimo 2.0.3 release

["Jay D. McHugh" <ja...@gmail.com>]

The 2.0.x brach got sidelined by an intermittent
ConcurrentModificationException during stress testing.  But, recently
there were a number of security issues found that apply to 2.0.2.

So, I think it's time to start the discussion for a Geronimo 2.0.3
release (It actually already was started).

Server fixes/enhancements are listed on the Release Status page (work in
progress)-
http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html

Details on included security fixes in dependent components are listed on
the Security page -
http://geronimo.apache.org/20x-security-report.html

I have already begun moving issues into 2.0.4 - Does anyone have
additional fixes they would like to include in 2.0.3 before we cut the
branch and start the release process?

If I have moved an issue that you want to work on (And you have time to
work on it right away) move it back onto a 2.0.3 fix and assign it to
yourself.


Jay

Re: [DISCUSS] Geronimo 2.0.3 release

["Jay D. McHugh" <ja...@gmail.com>]

Hey Joe,

Not releasing any more 2.0.x was one of the possible choices that I was
leaning toward too.  The only thing that kept it from being my first
recommendation was that I was sad that so much work on the 2.0 branch
would never get its day in the sun (at least not as 2.0).

But, as far as stumbling blocks to moving up...I don't think there
should be any large ones.  I have been keeping current so I don't
remember what (if anything) I had to do to move up to 2.1.

Actually, that is not entirely true.  There were a number of jar files
that used to be included in Geronimo that were removed.  I have since
had to add them back to the repository whenever I reinstall.

I think that we already handle deployment descriptors for older versions
automatically (at least back to 2.0), so those should not be a problem.

So, I think that if we put together a table of libraries that are no
longer supplied and/or whose versions are not backwards compatible -
that might be enough to handle at least the majority of conversion issues.

But, if we do not release 2.0.3 then I think that we need to get rather
vocal about the security issues and the -urgent- need to upgrade to 2.1+.

Jay

Joe Bohn wrote:
> 
> I apologize for not raising this question on the earlier thread.
> 
> I'm wondering if it is a good idea to release a 2.0.3 at this point in
> time.  We've had several releases of 2.1.x (four) and we'll hopefully
> release 2.2 in the not too distant future.  I'm a little concerned that
> releasing a 2.0.3 now will just encourage people to continue on the
> 2.0.* base rather than taking the plunge and moving up to 2.1.*.  It's
> been a year since we released 2.0.2 and in addition to the security
> fixes there have been a lot of other fixes/enhancements in the 2.1 branch.
> 
> What are the big stumbling blocks that prevent a user from moving from
> 2.0.2 to 2.1.3 to resolve the security concerns?
> 
> Rather than releasing 2.0.3, should we maybe consider a greater focus on
> ensuring there is a smooth migration path from 2.0.2 to 2.1.3?  Once we
> have clearly identified any issues and ensured that we have adequate
> directions we could notify the user community that there will be no
> further 2.0.* releases and encourage them to move to 2.1.3.  It might
> actually be easier for us to release 2.0.3 in the short term, but sooner
> or later users will have to address the migration issues ... so I'm just
> wondering if it might be a better use of our time to address those
> migration issues now.
> 
> Joe
> 
> Jay D. McHugh wrote:
>> The 2.0.x brach got sidelined by an intermittent
>> ConcurrentModificationException during stress testing.  But, recently
>> there were a number of security issues found that apply to 2.0.2.
>>
>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>> release (It actually already was started).
>>
>> Server fixes/enhancements are listed on the Release Status page (work in
>> progress)-
>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>
>> Details on included security fixes in dependent components are listed on
>> the Security page -
>> http://geronimo.apache.org/20x-security-report.html
>>
>> I have already begun moving issues into 2.0.4 - Does anyone have
>> additional fixes they would like to include in 2.0.3 before we cut the
>> branch and start the release process?
>>
>> If I have moved an issue that you want to work on (And you have time to
>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>> yourself.
>>
>>
>> Jay
>>
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Joe Bohn <jo...@earthlink.net>]

I was in the "document the upgrade path" camp prior to this so that 
sounds good to me.  If we take that approach, I agree that we need to 
officially announce the that 2.0.x will no longer be maintained.

Regarding the version libraries/jars that have changed/removed ... I 
think we have most of that documented here for 2.1.*:
http://cwiki.apache.org/GMOxDOC21/what-changed-in-21.html#Whatchangedin2.1-Componentversions

and here for 2.2:
http://cwiki.apache.org/GMOxDOC22/component-versions.html

They probably need to be updated with the latest/greatest info but I 
tried to get it as current as possible a while back.  Hopefully is it 
fairly close except for needing a new column for 2.1.4 and updates to 
2.2 ... but it should be easier than starting from scratch.  I think 
somebody (perhaps Jarek?) had even created some script to help generate 
the content at some point in time.

Joe


Jay D. McHugh wrote:
> Hello all,
> 
> I did some work on trying to get a 2.0.3 release that would:
> a) build - sucess!
> b) pass the TCK - Massive failure (over 5000 tests)
> 
> So, considering that we have a 2.1.x and 2.2.x codestream in progress
> with JEE6 breathing down our necks - I have been officially pushed into
> the 'we should probably just document what it takes to upgrade' group.
> 
> Are there any folks who truly need to stay on 2.0?
> 
> Or would it be reasonable to make a pronouncement that the 2.0.x
> codestream is no longer going to be maintained - even for bug fixes and
> security issues?
> 
> Thoughts/comments?
> 
> (I'll start documenting the libraries/jars that have changed or been
> removed - we will need that regardless)
> 
> Jay
> 
> Joe Bohn wrote:
>> I guess I should resolve this discussion on "if" we should release 2.0.3
>> that I started.
>>
>> Thank you both Jay and Donald for your responses. I'm not completely
>> opposed to a 2.0.3 release.  I was just wondering aloud if it was the
>> best use of our resources and if it conveyed the right message to our
>> users.  I was also wondering a little if it might create more problems
>> for our users than it solves.  You know the drill ... upgrade from one
>> maintenance release to another only to discover yet another issue that
>> then forces you to a new version like 2.1.* because it isn't resolved in
>> the current maintenance stream.  If it weren't for the security issues I
>> would see no value in a 2.0.3 release.  Anyway, I am certainly not
>> planning to stand in the way of a 2.0.3 release.  I'll even do my part
>> to validate the images and help where I can.  However, my gut still
>> tells me that we might creating more problems than we are solving. But
>> since I'm the only one that feels that way I'm not too worried (I've
>> been wrong plenty of times before ;-) ).
>>
>> It sounds like we still need to document what is necessary to move from
>> 2.0.* to 2.1.* in any case.  I guess the first step might be adding the
>> libraries that are no longer included in 2.1.* into the list in the wiki
>> under http://cwiki.apache.org/GMOxDOC21/what-changed-in-21.html.  Does
>> anybody have a complete list of these libraries?  We'll probably still
>> need more specific documentation to make it clear what a user might have
>> to do when moving from 2.0.* to 2.1.*.  Perhaps another page somewhere
>> (similar to those under "Migrating to Apache Geronimo")?
>>
>> Joe
>>
>>
>> Donald Woods wrote:
>>> I think releasing 2.0.3 is in the best interest of the community,
>>> given the security fixes that it contains.  It also gives us a way to
>>> announce to our users that this will be the last 2.0.x release (which
>>> we never really did for 1.1.x) and that they should start moving to
>>> 2.1.x or 2.2 for any new projects.
>>>
>>>
>>> -Donald
>>>
>>>
>>> Joe Bohn wrote:
>>>> I apologize for not raising this question on the earlier thread.
>>>>
>>>> I'm wondering if it is a good idea to release a 2.0.3 at this point
>>>> in time.  We've had several releases of 2.1.x (four) and we'll
>>>> hopefully release 2.2 in the not too distant future.  I'm a little
>>>> concerned that releasing a 2.0.3 now will just encourage people to
>>>> continue on the 2.0.* base rather than taking the plunge and moving
>>>> up to 2.1.*.  It's been a year since we released 2.0.2 and in
>>>> addition to the security fixes there have been a lot of other
>>>> fixes/enhancements in the 2.1 branch.
>>>>
>>>> What are the big stumbling blocks that prevent a user from moving
>>>> from 2.0.2 to 2.1.3 to resolve the security concerns?
>>>>
>>>> Rather than releasing 2.0.3, should we maybe consider a greater focus
>>>> on ensuring there is a smooth migration path from 2.0.2 to 2.1.3? 
>>>> Once we have clearly identified any issues and ensured that we have
>>>> adequate directions we could notify the user community that there
>>>> will be no further 2.0.* releases and encourage them to move to
>>>> 2.1.3.  It might actually be easier for us to release 2.0.3 in the
>>>> short term, but sooner or later users will have to address the
>>>> migration issues ... so I'm just wondering if it might be a better
>>>> use of our time to address those migration issues now.
>>>>
>>>> Joe
>>>>
>>>> Jay D. McHugh wrote:
>>>>> The 2.0.x brach got sidelined by an intermittent
>>>>> ConcurrentModificationException during stress testing.  But, recently
>>>>> there were a number of security issues found that apply to 2.0.2.
>>>>>
>>>>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>>>>> release (It actually already was started).
>>>>>
>>>>> Server fixes/enhancements are listed on the Release Status page
>>>>> (work in
>>>>> progress)-
>>>>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>>>>
>>>>> Details on included security fixes in dependent components are
>>>>> listed on
>>>>> the Security page -
>>>>> http://geronimo.apache.org/20x-security-report.html
>>>>>
>>>>> I have already begun moving issues into 2.0.4 - Does anyone have
>>>>> additional fixes they would like to include in 2.0.3 before we cut the
>>>>> branch and start the release process?
>>>>>
>>>>> If I have moved an issue that you want to work on (And you have time to
>>>>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>>>>> yourself.
>>>>>
>>>>>
>>>>> Jay
>>>>>
>>>>
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Donald Woods <dw...@apache.org>]

Pushing users to 2.1.x for continued maintenance releases sounds fine to me.


-Donald


Jay D. McHugh wrote:
> Hello all,
> 
> I did some work on trying to get a 2.0.3 release that would:
> a) build - sucess!
> b) pass the TCK - Massive failure (over 5000 tests)
> 
> So, considering that we have a 2.1.x and 2.2.x codestream in progress
> with JEE6 breathing down our necks - I have been officially pushed into
> the 'we should probably just document what it takes to upgrade' group.
> 
> Are there any folks who truly need to stay on 2.0?
> 
> Or would it be reasonable to make a pronouncement that the 2.0.x
> codestream is no longer going to be maintained - even for bug fixes and
> security issues?
> 
> Thoughts/comments?
> 
> (I'll start documenting the libraries/jars that have changed or been
> removed - we will need that regardless)
> 
> Jay
> 
> Joe Bohn wrote:
>> I guess I should resolve this discussion on "if" we should release 2.0.3
>> that I started.
>>
>> Thank you both Jay and Donald for your responses. I'm not completely
>> opposed to a 2.0.3 release.  I was just wondering aloud if it was the
>> best use of our resources and if it conveyed the right message to our
>> users.  I was also wondering a little if it might create more problems
>> for our users than it solves.  You know the drill ... upgrade from one
>> maintenance release to another only to discover yet another issue that
>> then forces you to a new version like 2.1.* because it isn't resolved in
>> the current maintenance stream.  If it weren't for the security issues I
>> would see no value in a 2.0.3 release.  Anyway, I am certainly not
>> planning to stand in the way of a 2.0.3 release.  I'll even do my part
>> to validate the images and help where I can.  However, my gut still
>> tells me that we might creating more problems than we are solving. But
>> since I'm the only one that feels that way I'm not too worried (I've
>> been wrong plenty of times before ;-) ).
>>
>> It sounds like we still need to document what is necessary to move from
>> 2.0.* to 2.1.* in any case.  I guess the first step might be adding the
>> libraries that are no longer included in 2.1.* into the list in the wiki
>> under http://cwiki.apache.org/GMOxDOC21/what-changed-in-21.html.  Does
>> anybody have a complete list of these libraries?  We'll probably still
>> need more specific documentation to make it clear what a user might have
>> to do when moving from 2.0.* to 2.1.*.  Perhaps another page somewhere
>> (similar to those under "Migrating to Apache Geronimo")?
>>
>> Joe
>>
>>
>> Donald Woods wrote:
>>> I think releasing 2.0.3 is in the best interest of the community,
>>> given the security fixes that it contains.  It also gives us a way to
>>> announce to our users that this will be the last 2.0.x release (which
>>> we never really did for 1.1.x) and that they should start moving to
>>> 2.1.x or 2.2 for any new projects.
>>>
>>>
>>> -Donald
>>>
>>>
>>> Joe Bohn wrote:
>>>> I apologize for not raising this question on the earlier thread.
>>>>
>>>> I'm wondering if it is a good idea to release a 2.0.3 at this point
>>>> in time.  We've had several releases of 2.1.x (four) and we'll
>>>> hopefully release 2.2 in the not too distant future.  I'm a little
>>>> concerned that releasing a 2.0.3 now will just encourage people to
>>>> continue on the 2.0.* base rather than taking the plunge and moving
>>>> up to 2.1.*.  It's been a year since we released 2.0.2 and in
>>>> addition to the security fixes there have been a lot of other
>>>> fixes/enhancements in the 2.1 branch.
>>>>
>>>> What are the big stumbling blocks that prevent a user from moving
>>>> from 2.0.2 to 2.1.3 to resolve the security concerns?
>>>>
>>>> Rather than releasing 2.0.3, should we maybe consider a greater focus
>>>> on ensuring there is a smooth migration path from 2.0.2 to 2.1.3? 
>>>> Once we have clearly identified any issues and ensured that we have
>>>> adequate directions we could notify the user community that there
>>>> will be no further 2.0.* releases and encourage them to move to
>>>> 2.1.3.  It might actually be easier for us to release 2.0.3 in the
>>>> short term, but sooner or later users will have to address the
>>>> migration issues ... so I'm just wondering if it might be a better
>>>> use of our time to address those migration issues now.
>>>>
>>>> Joe
>>>>
>>>> Jay D. McHugh wrote:
>>>>> The 2.0.x brach got sidelined by an intermittent
>>>>> ConcurrentModificationException during stress testing.  But, recently
>>>>> there were a number of security issues found that apply to 2.0.2.
>>>>>
>>>>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>>>>> release (It actually already was started).
>>>>>
>>>>> Server fixes/enhancements are listed on the Release Status page
>>>>> (work in
>>>>> progress)-
>>>>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>>>>
>>>>> Details on included security fixes in dependent components are
>>>>> listed on
>>>>> the Security page -
>>>>> http://geronimo.apache.org/20x-security-report.html
>>>>>
>>>>> I have already begun moving issues into 2.0.4 - Does anyone have
>>>>> additional fixes they would like to include in 2.0.3 before we cut the
>>>>> branch and start the release process?
>>>>>
>>>>> If I have moved an issue that you want to work on (And you have time to
>>>>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>>>>> yourself.
>>>>>
>>>>>
>>>>> Jay
>>>>>
>>>>
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Kevan Miller <ke...@gmail.com>]

On Feb 17, 2009, at 9:09 AM, Kevan Miller wrote:

>
> On Feb 16, 2009, at 5:50 PM, Jay D. McHugh wrote:
>
>> Hello all,
>>
>> I did some work on trying to get a 2.0.3 release that would:
>> a) build - sucess!
>> b) pass the TCK - Massive failure (over 5000 tests)
>>
>> So, considering that we have a 2.1.x and 2.2.x codestream in progress
>> with JEE6 breathing down our necks - I have been officially pushed  
>> into
>> the 'we should probably just document what it takes to upgrade'  
>> group.
>>
>> Are there any folks who truly need to stay on 2.0?
>>
>> Or would it be reasonable to make a pronouncement that the 2.0.x
>> codestream is no longer going to be maintained - even for bug fixes  
>> and
>> security issues?
>>
>> Thoughts/comments?
>>
>> (I'll start documenting the libraries/jars that have changed or been
>> removed - we will need that regardless)
>
>
> There should be discussion of this on our user list. Could you start  
> a discussion there?
>
> I'm ok with this. Confess that I'm a bit curious about why we'd have  
> tck failures. I don't have a big issue with it, but in general we  
> don't discuss tck specifics (including numbers of tests, etc) on a  
> public list.

Jay,
FYI, I checked back on our automated test results. February 4th is  
when we started seeing test failures on branches/2.0. So the following  
commits are the likely causes of the problems:

http://svn.apache.org/viewvc?view=rev&revision=740608
http://svn.apache.org/viewvc?view=rev&revision=740985

--kevan

Re: [DISCUSS] Geronimo 2.0.3 release

[Kevan Miller <ke...@gmail.com>]

On Feb 16, 2009, at 5:50 PM, Jay D. McHugh wrote:

> Hello all,
>
> I did some work on trying to get a 2.0.3 release that would:
> a) build - sucess!
> b) pass the TCK - Massive failure (over 5000 tests)
>
> So, considering that we have a 2.1.x and 2.2.x codestream in progress
> with JEE6 breathing down our necks - I have been officially pushed  
> into
> the 'we should probably just document what it takes to upgrade' group.
>
> Are there any folks who truly need to stay on 2.0?
>
> Or would it be reasonable to make a pronouncement that the 2.0.x
> codestream is no longer going to be maintained - even for bug fixes  
> and
> security issues?
>
> Thoughts/comments?
>
> (I'll start documenting the libraries/jars that have changed or been
> removed - we will need that regardless)


There should be discussion of this on our user list. Could you start a  
discussion there?

I'm ok with this. Confess that I'm a bit curious about why we'd have  
tck failures. I don't have a big issue with it, but in general we  
don't discuss tck specifics (including numbers of tests, etc) on a  
public list.

--kevan 
  

Re: [DISCUSS] Geronimo 2.0.3 release

["Jay D. McHugh" <ja...@gmail.com>]

Hello all,

I did some work on trying to get a 2.0.3 release that would:
a) build - sucess!
b) pass the TCK - Massive failure (over 5000 tests)

So, considering that we have a 2.1.x and 2.2.x codestream in progress
with JEE6 breathing down our necks - I have been officially pushed into
the 'we should probably just document what it takes to upgrade' group.

Are there any folks who truly need to stay on 2.0?

Or would it be reasonable to make a pronouncement that the 2.0.x
codestream is no longer going to be maintained - even for bug fixes and
security issues?

Thoughts/comments?

(I'll start documenting the libraries/jars that have changed or been
removed - we will need that regardless)

Jay

Joe Bohn wrote:
> 
> I guess I should resolve this discussion on "if" we should release 2.0.3
> that I started.
> 
> Thank you both Jay and Donald for your responses. I'm not completely
> opposed to a 2.0.3 release.  I was just wondering aloud if it was the
> best use of our resources and if it conveyed the right message to our
> users.  I was also wondering a little if it might create more problems
> for our users than it solves.  You know the drill ... upgrade from one
> maintenance release to another only to discover yet another issue that
> then forces you to a new version like 2.1.* because it isn't resolved in
> the current maintenance stream.  If it weren't for the security issues I
> would see no value in a 2.0.3 release.  Anyway, I am certainly not
> planning to stand in the way of a 2.0.3 release.  I'll even do my part
> to validate the images and help where I can.  However, my gut still
> tells me that we might creating more problems than we are solving. But
> since I'm the only one that feels that way I'm not too worried (I've
> been wrong plenty of times before ;-) ).
> 
> It sounds like we still need to document what is necessary to move from
> 2.0.* to 2.1.* in any case.  I guess the first step might be adding the
> libraries that are no longer included in 2.1.* into the list in the wiki
> under http://cwiki.apache.org/GMOxDOC21/what-changed-in-21.html.  Does
> anybody have a complete list of these libraries?  We'll probably still
> need more specific documentation to make it clear what a user might have
> to do when moving from 2.0.* to 2.1.*.  Perhaps another page somewhere
> (similar to those under "Migrating to Apache Geronimo")?
> 
> Joe
> 
> 
> Donald Woods wrote:
>> I think releasing 2.0.3 is in the best interest of the community,
>> given the security fixes that it contains.  It also gives us a way to
>> announce to our users that this will be the last 2.0.x release (which
>> we never really did for 1.1.x) and that they should start moving to
>> 2.1.x or 2.2 for any new projects.
>>
>>
>> -Donald
>>
>>
>> Joe Bohn wrote:
>>>
>>> I apologize for not raising this question on the earlier thread.
>>>
>>> I'm wondering if it is a good idea to release a 2.0.3 at this point
>>> in time.  We've had several releases of 2.1.x (four) and we'll
>>> hopefully release 2.2 in the not too distant future.  I'm a little
>>> concerned that releasing a 2.0.3 now will just encourage people to
>>> continue on the 2.0.* base rather than taking the plunge and moving
>>> up to 2.1.*.  It's been a year since we released 2.0.2 and in
>>> addition to the security fixes there have been a lot of other
>>> fixes/enhancements in the 2.1 branch.
>>>
>>> What are the big stumbling blocks that prevent a user from moving
>>> from 2.0.2 to 2.1.3 to resolve the security concerns?
>>>
>>> Rather than releasing 2.0.3, should we maybe consider a greater focus
>>> on ensuring there is a smooth migration path from 2.0.2 to 2.1.3? 
>>> Once we have clearly identified any issues and ensured that we have
>>> adequate directions we could notify the user community that there
>>> will be no further 2.0.* releases and encourage them to move to
>>> 2.1.3.  It might actually be easier for us to release 2.0.3 in the
>>> short term, but sooner or later users will have to address the
>>> migration issues ... so I'm just wondering if it might be a better
>>> use of our time to address those migration issues now.
>>>
>>> Joe
>>>
>>> Jay D. McHugh wrote:
>>>> The 2.0.x brach got sidelined by an intermittent
>>>> ConcurrentModificationException during stress testing.  But, recently
>>>> there were a number of security issues found that apply to 2.0.2.
>>>>
>>>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>>>> release (It actually already was started).
>>>>
>>>> Server fixes/enhancements are listed on the Release Status page
>>>> (work in
>>>> progress)-
>>>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>>>
>>>> Details on included security fixes in dependent components are
>>>> listed on
>>>> the Security page -
>>>> http://geronimo.apache.org/20x-security-report.html
>>>>
>>>> I have already begun moving issues into 2.0.4 - Does anyone have
>>>> additional fixes they would like to include in 2.0.3 before we cut the
>>>> branch and start the release process?
>>>>
>>>> If I have moved an issue that you want to work on (And you have time to
>>>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>>>> yourself.
>>>>
>>>>
>>>> Jay
>>>>
>>>
>>>
>>
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Joe Bohn <jo...@earthlink.net>]

I guess I should resolve this discussion on "if" we should release 2.0.3 
that I started.

Thank you both Jay and Donald for your responses. I'm not completely 
opposed to a 2.0.3 release.  I was just wondering aloud if it was the 
best use of our resources and if it conveyed the right message to our 
users.  I was also wondering a little if it might create more problems 
for our users than it solves.  You know the drill ... upgrade from one 
maintenance release to another only to discover yet another issue that 
then forces you to a new version like 2.1.* because it isn't resolved in 
the current maintenance stream.  If it weren't for the security issues I 
would see no value in a 2.0.3 release.  Anyway, I am certainly not 
planning to stand in the way of a 2.0.3 release.  I'll even do my part 
to validate the images and help where I can.  However, my gut still 
tells me that we might creating more problems than we are solving. But 
since I'm the only one that feels that way I'm not too worried (I've 
been wrong plenty of times before ;-) ).

It sounds like we still need to document what is necessary to move from 
2.0.* to 2.1.* in any case.  I guess the first step might be adding the 
libraries that are no longer included in 2.1.* into the list in the wiki 
under http://cwiki.apache.org/GMOxDOC21/what-changed-in-21.html.  Does 
anybody have a complete list of these libraries?  We'll probably still 
need more specific documentation to make it clear what a user might have 
to do when moving from 2.0.* to 2.1.*.  Perhaps another page somewhere 
(similar to those under "Migrating to Apache Geronimo")?

Joe


Donald Woods wrote:
> I think releasing 2.0.3 is in the best interest of the community, given 
> the security fixes that it contains.  It also gives us a way to announce 
> to our users that this will be the last 2.0.x release (which we never 
> really did for 1.1.x) and that they should start moving to 2.1.x or 2.2 
> for any new projects.
> 
> 
> -Donald
> 
> 
> Joe Bohn wrote:
>>
>> I apologize for not raising this question on the earlier thread.
>>
>> I'm wondering if it is a good idea to release a 2.0.3 at this point in 
>> time.  We've had several releases of 2.1.x (four) and we'll hopefully 
>> release 2.2 in the not too distant future.  I'm a little concerned 
>> that releasing a 2.0.3 now will just encourage people to continue on 
>> the 2.0.* base rather than taking the plunge and moving up to 2.1.*.  
>> It's been a year since we released 2.0.2 and in addition to the 
>> security fixes there have been a lot of other fixes/enhancements in 
>> the 2.1 branch.
>>
>> What are the big stumbling blocks that prevent a user from moving from 
>> 2.0.2 to 2.1.3 to resolve the security concerns?
>>
>> Rather than releasing 2.0.3, should we maybe consider a greater focus 
>> on ensuring there is a smooth migration path from 2.0.2 to 2.1.3?  
>> Once we have clearly identified any issues and ensured that we have 
>> adequate directions we could notify the user community that there will 
>> be no further 2.0.* releases and encourage them to move to 2.1.3.  It 
>> might actually be easier for us to release 2.0.3 in the short term, 
>> but sooner or later users will have to address the migration issues 
>> ... so I'm just wondering if it might be a better use of our time to 
>> address those migration issues now.
>>
>> Joe
>>
>> Jay D. McHugh wrote:
>>> The 2.0.x brach got sidelined by an intermittent
>>> ConcurrentModificationException during stress testing.  But, recently
>>> there were a number of security issues found that apply to 2.0.2.
>>>
>>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>>> release (It actually already was started).
>>>
>>> Server fixes/enhancements are listed on the Release Status page (work in
>>> progress)-
>>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>>
>>> Details on included security fixes in dependent components are listed on
>>> the Security page -
>>> http://geronimo.apache.org/20x-security-report.html
>>>
>>> I have already begun moving issues into 2.0.4 - Does anyone have
>>> additional fixes they would like to include in 2.0.3 before we cut the
>>> branch and start the release process?
>>>
>>> If I have moved an issue that you want to work on (And you have time to
>>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>>> yourself.
>>>
>>>
>>> Jay
>>>
>>
>>
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Donald Woods <dw...@apache.org>]

I think releasing 2.0.3 is in the best interest of the community, given 
the security fixes that it contains.  It also gives us a way to announce 
to our users that this will be the last 2.0.x release (which we never 
really did for 1.1.x) and that they should start moving to 2.1.x or 2.2 
for any new projects.


-Donald


Joe Bohn wrote:
> 
> I apologize for not raising this question on the earlier thread.
> 
> I'm wondering if it is a good idea to release a 2.0.3 at this point in 
> time.  We've had several releases of 2.1.x (four) and we'll hopefully 
> release 2.2 in the not too distant future.  I'm a little concerned that 
> releasing a 2.0.3 now will just encourage people to continue on the 
> 2.0.* base rather than taking the plunge and moving up to 2.1.*.  It's 
> been a year since we released 2.0.2 and in addition to the security 
> fixes there have been a lot of other fixes/enhancements in the 2.1 branch.
> 
> What are the big stumbling blocks that prevent a user from moving from 
> 2.0.2 to 2.1.3 to resolve the security concerns?
> 
> Rather than releasing 2.0.3, should we maybe consider a greater focus on 
> ensuring there is a smooth migration path from 2.0.2 to 2.1.3?  Once we 
> have clearly identified any issues and ensured that we have adequate 
> directions we could notify the user community that there will be no 
> further 2.0.* releases and encourage them to move to 2.1.3.  It might 
> actually be easier for us to release 2.0.3 in the short term, but sooner 
> or later users will have to address the migration issues ... so I'm just 
> wondering if it might be a better use of our time to address those 
> migration issues now.
> 
> Joe
> 
> Jay D. McHugh wrote:
>> The 2.0.x brach got sidelined by an intermittent
>> ConcurrentModificationException during stress testing.  But, recently
>> there were a number of security issues found that apply to 2.0.2.
>>
>> So, I think it's time to start the discussion for a Geronimo 2.0.3
>> release (It actually already was started).
>>
>> Server fixes/enhancements are listed on the Release Status page (work in
>> progress)-
>> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
>>
>> Details on included security fixes in dependent components are listed on
>> the Security page -
>> http://geronimo.apache.org/20x-security-report.html
>>
>> I have already begun moving issues into 2.0.4 - Does anyone have
>> additional fixes they would like to include in 2.0.3 before we cut the
>> branch and start the release process?
>>
>> If I have moved an issue that you want to work on (And you have time to
>> work on it right away) move it back onto a 2.0.3 fix and assign it to
>> yourself.
>>
>>
>> Jay
>>
> 
> 

Re: [DISCUSS] Geronimo 2.0.3 release

[Joe Bohn <jo...@earthlink.net>]

I apologize for not raising this question on the earlier thread.

I'm wondering if it is a good idea to release a 2.0.3 at this point in 
time.  We've had several releases of 2.1.x (four) and we'll hopefully 
release 2.2 in the not too distant future.  I'm a little concerned that 
releasing a 2.0.3 now will just encourage people to continue on the 
2.0.* base rather than taking the plunge and moving up to 2.1.*.  It's 
been a year since we released 2.0.2 and in addition to the security 
fixes there have been a lot of other fixes/enhancements in the 2.1 branch.

What are the big stumbling blocks that prevent a user from moving from 
2.0.2 to 2.1.3 to resolve the security concerns?

Rather than releasing 2.0.3, should we maybe consider a greater focus on 
ensuring there is a smooth migration path from 2.0.2 to 2.1.3?  Once we 
have clearly identified any issues and ensured that we have adequate 
directions we could notify the user community that there will be no 
further 2.0.* releases and encourage them to move to 2.1.3.  It might 
actually be easier for us to release 2.0.3 in the short term, but sooner 
or later users will have to address the migration issues ... so I'm just 
wondering if it might be a better use of our time to address those 
migration issues now.

Joe

Jay D. McHugh wrote:
> The 2.0.x brach got sidelined by an intermittent
> ConcurrentModificationException during stress testing.  But, recently
> there were a number of security issues found that apply to 2.0.2.
> 
> So, I think it's time to start the discussion for a Geronimo 2.0.3
> release (It actually already was started).
> 
> Server fixes/enhancements are listed on the Release Status page (work in
> progress)-
> http://cwiki.apache.org/GMOxPMGT/geronimo-203-release-status.html
> 
> Details on included security fixes in dependent components are listed on
> the Security page -
> http://geronimo.apache.org/20x-security-report.html
> 
> I have already begun moving issues into 2.0.4 - Does anyone have
> additional fixes they would like to include in 2.0.3 before we cut the
> branch and start the release process?
> 
> If I have moved an issue that you want to work on (And you have time to
> work on it right away) move it back onto a 2.0.3 fix and assign it to
> yourself.
> 
> 
> Jay
>