Posted to issues@commons.apache.org by GitBox <gi...@apache.org> on 2021/03/03 04:25:13 UTC

[GitHub] [commons-beanutils] chrismaeda opened a new pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

chrismaeda opened a new pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80


   We had to eliminate commons-collections 3.x throughout our stack for a large corporation due to security vulnerabilities.
   
   We used gradle dependency tricks to force this to be used instead of beanutils 1.9.4.
   
   Could I help you release this as beanutils 1.9.5?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [commons-beanutils] garydgregory commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
garydgregory commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789666620


   -1 due to binary compatibility. 





[GitHub] [commons-beanutils] melloware commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
melloware commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789672352


   -1 also would prefer a BeanUtils2 2.0.0 official release in Maven Central instead.





[GitHub] [commons-beanutils] garydgregory edited a comment on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
garydgregory edited a comment on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789907176


   > > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > > 
   > > 
   > > Yep...please only do this when necessary...
   > 
   > So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities. A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   > 
   > I'm offering to help do an update of these commons components to fix security issues. But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   
   I would not call it an official position but more of a pragmatic view that we are all volunteering our time here and we all have different priorities. So the release will come when the component is ready and we will want to make sure that it is fully baked. One big issue the 1.x series had is that it surfaces in its API Commons Collections types, such that one cannot switch to Collections 4 without breaking binary compatibility, hence one of the drivers for a new major version in a new package with new Maven coordinates.
   
   BeanUtils 2 should not surface Commons Collections types in its APIs, which was one of our goals. BUT, we do not have a way to enforce that in our Maven build ATM, so I would like help on achieving that goal, such that a Maven build would fail if a Commons Collections type shows up in any public or protected type, method or field.
   
   > 
   > Perhaps I should use the 1.9.4 source as a starting point instead??
   
   That's what I would do.


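The build check asked for in the comment above (fail the build if a Commons Collections type appears in any public or protected type, method or field) can be done with reflection over the built classes. The following is an added example written for this thread, not code from the commons-beanutils project. It assumes it is run on the module's test classpath (so the jar's dependencies resolve), takes the jar path and the forbidden package prefix as arguments, and exits non-zero on the first leak, which is what a Maven plugin such as exec-maven-plugin turns into a build failure. With no arguments it runs against a constructed sample class (`SampleApi`, a hypothetical name) that leaks a type from a constructed `ForbiddenLib` namespace.

```java
import java.io.File;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.lang.reflect.Type;
import java.net.URL;
import java.net.URLClassLoader;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/** Reports every public/protected API element whose type mentions a forbidden package prefix. */
public class PublicApiLeakCheck {

    private final String forbiddenPrefix;

    public PublicApiLeakCheck(String forbiddenPrefix) {
        this.forbiddenPrefix = forbiddenPrefix;
    }

    /** One line per leak: superclass, interfaces, field types, method and constructor signatures. */
    public List<String> findLeaks(Iterable<Class<?>> classes) {
        List<String> leaks = new ArrayList<>();
        for (Class<?> c : classes) {
            if (!isExported(c.getModifiers())) {
                continue; // package-private and private nested classes are not API
            }
            String cn = c.getName();
            check(leaks, cn + " extends", c.getGenericSuperclass());
            for (Type t : c.getGenericInterfaces()) {
                check(leaks, cn + " implements", t);
            }
            for (Field f : c.getDeclaredFields()) {
                if (isExported(f.getModifiers())) {
                    check(leaks, cn + "#" + f.getName(), f.getGenericType());
                }
            }
            for (Method m : c.getDeclaredMethods()) {
                if (isExported(m.getModifiers()) && !m.isSynthetic()) {
                    String where = cn + "#" + m.getName() + "()";
                    check(leaks, where + " returns", m.getGenericReturnType());
                    checkAll(leaks, where, m.getGenericParameterTypes(), m.getGenericExceptionTypes());
                }
            }
            for (Constructor<?> k : c.getDeclaredConstructors()) {
                if (isExported(k.getModifiers())) {
                    checkAll(leaks, cn + "#<init>()", k.getGenericParameterTypes(), k.getGenericExceptionTypes());
                }
            }
        }
        return leaks;
    }

    private void checkAll(List<String> leaks, String where, Type[] params, Type[] thrown) {
        for (Type p : params) check(leaks, where + " parameter", p);
        for (Type e : thrown) check(leaks, where + " throws", e);
    }

    private void check(List<String> leaks, String where, Type t) {
        // getTypeName() renders generics and arrays too ("java.util.List<org.apache...Transformer>"),
        // so a substring match also catches the forbidden package used as a type argument.
        if (t != null && t.getTypeName().contains(forbiddenPrefix)) {
            leaks.add(where + " " + t.getTypeName());
        }
    }

    private static boolean isExported(int mods) {
        return Modifier.isPublic(mods) || Modifier.isProtected(mods);
    }

    /** Loads every class in a jar without initializing it. The loader is intentionally left open:
     *  reflection resolves referenced types lazily through it, so run this on the test classpath. */
    public static List<Class<?>> loadClasses(File jar) throws Exception {
        List<Class<?>> out = new ArrayList<>();
        URLClassLoader cl = new URLClassLoader(new URL[] { jar.toURI().toURL() },
                PublicApiLeakCheck.class.getClassLoader());
        try (JarFile jf = new JarFile(jar)) {
            for (Enumeration<JarEntry> e = jf.entries(); e.hasMoreElements();) {
                String name = e.nextElement().getName();
                if (!name.endsWith(".class") || name.endsWith("module-info.class")) continue;
                String className = name.substring(0, name.length() - 6).replace('/', '.');
                try {
                    out.add(Class.forName(className, false, cl));
                } catch (LinkageError err) {
                    System.err.println("skipping " + className + ": " + err); // dependency not on classpath
                }
            }
        }
        return out;
    }

    // Constructed sample (not BeanUtils code): a "forbidden" namespace and a class that leaks it.
    public static final class ForbiddenLib { public interface Transformer { } }
    public static class SampleApi {
        public ForbiddenLib.Transformer leaked;                       // reported: public field
        public List<ForbiddenLib.Transformer> list() { return null; } // reported: generic return type
        protected void fine(String s) { }                             // clean
        ForbiddenLib.Transformer hidden;                              // ignored: package-private
    }

    /** Usage: java PublicApiLeakCheck <jar> [forbiddenPrefix]; no arguments runs the constructed sample. */
    public static void main(String[] args) throws Exception {
        List<Class<?>> classes;
        String prefix;
        if (args.length == 0) {
            classes = Arrays.<Class<?>>asList(SampleApi.class);
            prefix = ForbiddenLib.class.getName(); // sample run reports exactly two leaks
        } else {
            classes = loadClasses(new File(args[0]));
            prefix = args.length > 1 ? args[1] : "org.apache.commons.collections"; // also matches collections4
        }
        List<String> leaks = new PublicApiLeakCheck(prefix).findLeaks(classes);
        leaks.forEach(System.out::println);
        System.exit(leaks.isEmpty() ? 0 : 1); // non-zero exit fails the build when wired into Maven
    }
}
```

Package-private members are skipped on purpose, matching the "public or protected" wording of the request; the substring match on the type name is deliberately broad so that a Commons Collections type hidden inside a generic argument or an array is still flagged.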



[GitHub] [commons-beanutils] chrismaeda edited a comment on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
chrismaeda edited a comment on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789868132


   > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > 
   > Yep...please only do this when necessary...
   
   So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities.  A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   
   I'm offering to help do an update of these commons components to fix security issues.  But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   
   Perhaps I should use the 1.9.4 source as a starting point instead??





[GitHub] [commons-beanutils] chrismaeda commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
chrismaeda commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789945687


   > > > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > > > 
   > > > 
   > > > Yep...please only do this when necessary...
   > > 
   > > 
   > > So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities. A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   > > I'm offering to help do an update of these commons components to fix security issues. But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   > 
   > I would not call it an official position but more of a pragmatic view that we are all volunteering our time here and we all have different priorities. So the release will come when the component is ready and we will want to make sure that it is fully baked. One big issue the 1.x series had is that it surfaces in its API Commons Collections types, such that one cannot switch to Collections 4 without breaking binary compatibility, hence one of the drivers for a new major version in a new package with new Maven coordinates.
   > 
   > BeanUtils 2 should not surface Commons Collections types in its APIs, which was one of our goals. BUT, we do not have a way to enforce that in our Maven build ATM, so I would like help on achieving that goal, such that a Maven build would fail if a Commons Collections type shows up in any public or protected type, method or field.
   > 
   > > Perhaps I should use the 1.9.4 source as a starting point instead??
   > 
   > That's what I would do.
   
   Understood.  I see more clearly that this PR does not make sense for the master branch.  I'll attempt to duplicate my changes in the 1.X branch and submit a new PR against that.





[GitHub] [commons-beanutils] garydgregory commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
garydgregory commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-791019813


   Closing, -1 above, see discussion.
   





Re: [GitHub] [commons-beanutils] XenoAmess commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by Gary Gregory <ga...@gmail.com>.
Changing the GID and AID would be best for your own release to avoid ANY
confusion.

Gary


On Wed, Mar 3, 2021, 10:28 GitBox <gi...@apache.org> wrote:

>
> XenoAmess commented on pull request #80:
> URL:
> https://github.com/apache/commons-beanutils/pull/80#issuecomment-789798150
>
>
>    I suggest you fork and release on your host...
>
>    Just changing group ID will be fine...
>
>    After all this is apache2 license, right...
>
>    And ossrh is free..
>

[GitHub] [commons-beanutils] XenoAmess commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
XenoAmess commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789798150


   I suggest you fork and release on your host...
   
   Just changing group ID will be fine...
   
   After all this is apache2 license, right...
   
   And ossrh is free..





[GitHub] [commons-beanutils] XenoAmess commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
XenoAmess commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789851331


   > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   
   Yep...please only do this when necessary...





[GitHub] [commons-beanutils] melloware commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
melloware commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-791370692


   ```xml
   <dependency>
     <groupId>com.melloware</groupId>
     <artifactId>commons-beanutils2</artifactId>
     <version>2.0.0</version>
   </dependency>
   ```
   Is in Maven Central if anyone needs it.





[GitHub] [commons-beanutils] garydgregory commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
garydgregory commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789907176


   > > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > > 
   > > 
   > > Yep...please only do this when necessary...
   > 
   > So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities. A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   > 
   > I'm offering to help do an update of these commons components to fix security issues. But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   
   I would not call it an official position but more of a pragmatic view that we are all volunteering our time here and we all have different priorities. So the release will come when the component is ready and we will want to make sure that it is fully baked. One big issue the 1.x series had is that it surfaces in its API Commons Collections types, such that one cannot switch to Collections 4 without breaking binary compatibility, hence one of the drivers for a new major version in a new package with new Maven coordinates.
   > 
   > Perhaps I should use the 1.9.4 source as a starting point instead??
   
   That's what I would do.





[GitHub] [commons-beanutils] chrismaeda commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
chrismaeda commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789868132


   > > Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library. But you are right I think I have no choice...
   > 
   > Yep...please only do this when necessary...
   
   So beanutils 1.9.4 is 2 years old and has a small dependency on commons-collections 3, which is red-flagged for security vulnerabilities.  A lot of things have dependencies on beanutils; e.g. Grails 4.0.x depends on commons-validator which depends on beanutils.
   
   I'm offering to help do an update of these commons components to fix security issues.  But it sounds like the official position I'm getting here is that we should maintain our own forks and wait for version 2?
   





[GitHub] [commons-beanutils] garydgregory closed pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
garydgregory closed pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80


   





[GitHub] [commons-beanutils] melloware commented on pull request #80: Rename beanutils2 package to beanutils to be a drop-in replacement for beanutils 1.9.4

Posted by GitBox <gi...@apache.org>.
melloware commented on pull request #80:
URL: https://github.com/apache/commons-beanutils/pull/80#issuecomment-789820136


   Yep I have done this before with other libraries and put in Maven Central in my `com.melloware` artifact but was really hoping not to have to do that with an Apache Commons Library.  But you are right I think I have no choice...

