Posted to commits@turbine.apache.org by gk...@apache.org on 2021/12/14 11:38:55 UTC
[turbine-parent] branch master updated (b267ebb -> 6ff3eaf)
This is an automated email from the ASF dual-hosted git repository.
gk pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/turbine-parent.git.
from b267ebb Security patch CVE-2021-44228, update log4j2 to 2.15.0
new 2369804 Pull skin and fluido to parent, cleanup child site.xml, and update 5.1 release
new 6ff3eaf Update parent for release, set dependency scan for profile apache-release only
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
pom.xml | 8 ++++++--
src/changes/changes.xml | 11 ++++++++++-
src/site/site.xml | 5 +++++
3 files changed, 21 insertions(+), 3 deletions(-)
[turbine-parent] 01/02: Pull skin and fluido to parent, cleanup child site.xml, and update 5.1 release
Posted by gk...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
gk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/turbine-parent.git
commit 2369804e2d340801a977598dfe73e928a68e8265
Author: Georg Kallidis <gk...@apache.org>
AuthorDate: Tue Dec 14 11:34:44 2021 +0100
Pull skin and fluido to parent, cleanup child site.xml, and update 5.1 release
---
src/site/site.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/site/site.xml b/src/site/site.xml
index ee3fd4c..7b7fabb 100644
--- a/src/site/site.xml
+++ b/src/site/site.xml
@@ -58,4 +58,9 @@
</gitHub>
</fluidoSkin>
</custom>
+ <skin>
+ <groupId>org.apache.maven.skins</groupId>
+ <artifactId>maven-fluido-skin</artifactId>
+ <version>1.9</version>
+ </skin>
</project>
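Review bot: the commit subject covers more than this diff contains: it mentions cleaning up the child site.xml and a 5.1 release update, while the only change is the five-line `<skin>` block appended to src/site/site.xml. Reword the subject to the skin declaration, or reference where the other changes landed. Declaring `maven-fluido-skin` with a fixed `<version>1.9</version>` is good for reproducible site builds; the `<fluidoSkin>` settings under `<custom>` just above are consumed by that skin, so a short comment tying the two together would help whoever bumps the version next.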
Re: Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Posted by Georg Kallidis <ge...@cedis.fu-berlin.de>.
> Avalon components which have their own log framework. I
Yes, this is true. Though you could also provide a custom adapter, which I
did in Fulcrum Yaafi Log4j2logger (right where Avalon comes into play, and
while Avalon Excalibur provides some adapter implementations itself).
I thought at some point an implementation of this kind is helpful, as
Avalon logger framework is not developed anymore, so I decided to provide
a helper class, which nowadays users may find useful, hopefully.
> dependencyManagement in Turbine Parent POM?
This is always a very good idea, instead of using inherited properties, we
should follow this IMO ..
Best regards, Georg
From: Thomas Vandahl <tv...@apache.org>
To: Turbine Developers List <de...@turbine.apache.org>
Date: 15.12.2021 11:12
Subject: Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Hi Georg,
> On 15.12.2021 at 09:05, Georg Kallidis <ge...@cedis.fu-berlin.de> wrote:
>
> The fast fix for everyone is just to replace the log4j libs, we are in
> each module at version above 2.14 (> 2.12, which is Java 7 and has a
> separate fix), that means the new ones are binary compatible IMO.
Actually, Fulcrum components are Avalon components which have their own
log framework. I already tried to fix this a couple of times but the
alternative log frameworks keep sneaking in. In a perfect world, Avalon
components should not have a dependency on any logging framework
implementation at all.
> Might be there are better ideas or suggestions or I am missing some
> important information?
dependencyManagement in Turbine Parent POM?
Bye, Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
For additional commands, e-mail: dev-help@turbine.apache.org
Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Posted by Thomas Vandahl <tv...@apache.org>.
Hi Georg,
> On 15.12.2021 at 09:05, Georg Kallidis <ge...@cedis.fu-berlin.de> wrote:
>
> The fast fix for everyone is just to replace the log4j libs, we are in
> each module at version above 2.14 (> 2.12, which is Java 7 and has a
> separate fix), that means the new ones are binary compatible IMO.
Actually, Fulcrum components are Avalon components which have their own log framework. I already tried to fix this a couple of times but the alternative log frameworks keep sneaking in. In a perfect world, Avalon components should not have a dependency on any logging framework implementation at all.
> Might be there are better ideas or suggestions or I am missing some
> important information?
dependencyManagement in Turbine Parent POM?
Bye, Thomas
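The `dependencyManagement` route raised in this message, sketched as a parent POM fragment to place inside `<project>` (an added example, not taken from turbine-parent or written by the thread's participants). The property name `example.log4j2.version` and the execution id are hypothetical, 2.16.0 is the version named in the thread, and the enforcer plugin's version is assumed to come from an inherited `pluginManagement`.

```xml
<!-- Added example: parent POM fragment, not the project's own configuration. -->
<properties>
  <!-- Hypothetical property name; 2.16.0 is the version named in this thread. -->
  <example.log4j2.version>2.16.0</example.log4j2.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Importing the log4j BOM pins log4j-api, log4j-core and the bridge
         artifacts together, including when they arrive transitively. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>${example.log4j2.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <!-- Version assumed to be managed by an inherited pluginManagement. -->
      <executions>
        <execution>
          <id>ban-old-log4j-core</id> <!-- hypothetical id -->
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- Fail the build if any module still resolves
                     log4j-core below the pinned version. -->
                <excludes>
                  <exclude>org.apache.logging.log4j:log4j-core:(,2.16.0)</exclude>
                </excludes>
                <searchTransitive>true</searchTransitive>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Child modules then declare log4j artifacts without a `<version>` element; a module that re-pins an older version in its own POM fails the enforcer rule instead of shipping it.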
Re: Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Posted by Georg Kallidis <ge...@cedis.fu-berlin.de>.
Hi Jeffery,
I started yesterday to release Turbine Parent 10, but only half the way. I
would roll back and update to log4j 2.16.0.
Yes, it's a bit of a hassle, each Fulcrum has the same parent, but that's it.
If unversioned "joint"-modules, "indirections" exist nobody would know,
which version currently is built..
The fast fix for everyone is just to replace the log4j libs, we are in
each module at version above 2.14 (> 2.12, which is Java 7 and has a
separate fix), that means the new ones are binary compatible IMO.
The "fix"-Releases take some time, but we proceed as fast as could be
done: First Turbine parent -> most Fulcrum SNAPSHOTs then will be
"releasable", then Turbine Core (5.1.1), Turbine Archetype. The question is
if Torque 5.1 (or 5.0.1?) will get a release in between, that is before
Turbine Core. I would suggest and hope for it (part of Turbine PMC is also
in DB Torque PMC). Then finally the remainder components could be
released, but this will take some time. Might be we announce on the site,
how to fix this? If parent POM v10 is compatible with all components, this
would be the first choice IMO, how to recommend, what to do (after just
hard replace the libs)...
Might be there are better ideas or suggestions or I am missing some
important information?
Best regards, Georg
From: Jeffery Painter <je...@jivecast.com>
To: dev@turbine.apache.org
Date: 14.12.2021 22:09
Subject: Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Hi Georg,
I am sure you saw they have already released log4j 2.16.0 - should we
wait and update to this before doing another vote? Also - kind of
confusing now how to update each fulcrum sub-module (each pom references
the parent individually) - not sure if there is an easier way so that
they are all referencing a single turbine-parent ?
And of course - we still rely on torque-5.0 (release) which is stuck at
log4j 2.14.x - I updated the pom.xml there, but I am heading out on
vacation in a day or two and unfortunately won't have internet until I
come back in January :-)
-
Jeff
Re: [turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Posted by Jeffery Painter <je...@jivecast.com>.
Hi Georg,
I am sure you saw they have already released log4j 2.16.0 - should we
wait and update to this before doing another vote? Also - kind of
confusing now how to update each fulcrum sub-module (each pom references
the parent individually) - not sure if there is an easier way so that
they are all referencing a single turbine-parent ?
And of course - we still rely on torque-5.0 (release) which is stuck at
log4j 2.14.x - I updated the pom.xml there, but I am heading out on
vacation in a day or two and unfortunately won't have internet until I
come back in January :-)
-
Jeff
[turbine-parent] 02/02: Update parent for release, set dependency scan for profile apache-release only
Posted by gk...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
gk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/turbine-parent.git
commit 6ff3eaff7796e17ada95bd0618d2ea0076ef3bf1
Author: Georg Kallidis <gk...@apache.org>
AuthorDate: Tue Dec 14 11:36:49 2021 +0100
Update parent for release, set dependency scan for profile apache-release only
---
pom.xml | 8 ++++++--
src/changes/changes.xml | 11 ++++++++++-
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/pom.xml b/pom.xml
index a3e6ec9..fe9ea6c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -243,11 +243,12 @@
<jvm>${turbine.surefire.java}</jvm>
</configuration>
</plugin>
-
<plugin> <!-- Thanks to Apache Commons -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-scm-publish-plugin</artifactId>
<configuration>
+ <!-- mono-module doesn't require site:stage -->
+ <!--content>${project.build.directory}/staging</content-->
<content>${project.reporting.outputDirectory}</content>
<pubScmUrl>scm:git:${turbine.scmPubUrl}</pubScmUrl>
<checkoutDirectory>${turbine.scmPubCheckoutDirectory}</checkoutDirectory>
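Review bot: the added line `<!--content>${project.build.directory}/staging</content-->` leaves a disabled setting in the maven-scm-publish-plugin configuration right next to the active `<content>${project.reporting.outputDirectory}</content>`. The comment above it already explains why staging is not needed for a mono-module build, so drop the commented-out element; dead configuration like this tends to get re-enabled without review. The blank line removed before `<plugin>` also makes the two plugin blocks run together; keep the separator.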
@@ -258,7 +259,7 @@
<executions>
<execution>
<id>scm-publish</id>
- <phase>site-deploy</phase><!-- deploy site with maven-scm-publish-plugin -->
+ <phase>site-deploy</phase><!-- deploy site with mvn scm-publish:publish-scm -->
<goals>
<goal>publish-scm</goal>
</goals>
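Review bot: the reworded comment on the `<phase>site-deploy</phase>` line now names `mvn scm-publish:publish-scm`, but this execution binds the `publish-scm` goal to the `site-deploy` phase, so the publish also runs as part of `mvn site-deploy`. State both routes in the comment (direct goal invocation or the bound phase); otherwise a release manager may run the goal by hand after the lifecycle has already published.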
@@ -396,6 +397,9 @@
to better suit the requirements of Apache Turbine. (Thanks to Apache Commons) -->
<profile>
<id>apache-release</id>
+ <properties>
+ <dependency.check.skip>true</dependency.check.skip>
+ </properties>
<build>
<plugins>
<plugin>
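Review bot: `<dependency.check.skip>true</dependency.check.skip>` in the `apache-release` profile reads as turning the scan off for release builds, while the commit subject and the changes.xml entry in this same commit say the scan is activated in `apache-release` only. If this property feeds the dependency-check plugin's skip setting, as its name suggests, the value here should be `false`, with `true` as the default outside the profile; otherwise releases are built without the scan. The consuming plugin configuration is not visible in this diff, so please confirm which way the flag is wired and add a one-line comment stating it.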
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 51fa1cb..a23ed59 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -25,8 +25,17 @@
<body>
<release version="10" date="in version control">
+ <action dev="gk" type="update" date="2021-12-13">
+ - activate dependency check/scan in profile apache-release only.
+ </action>
+ <action dev="gk" type="update" date="2021-12-13">
+ - site with github banner
+ </action>
+ <action dev="gk" type="fix" date="2021-12-11">
+ - Security patch CVE-2021-44228, update log4j2 to 2.15.0
+ </action>
<action dev="gk" type="update" date="2021-12-08">
- - update apache pom v24, removed maven3 profile, disabled dependency check/scan by default,
+ - update apache pom v24, removed maven3 profile, disable dependency check/scan by default.
- updated site header
</action>
<action dev="gk" type="update" date="2021-11-04">
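Review bot: the 2021-12-08 entry changes `disabled dependency check/scan by default,` to `disable dependency check/scan by default.`, which breaks tense with `removed maven3 profile` and `updated site header` in the same action; keep `disabled` and fix only the punctuation. The new 2021-12-13 entry says the scan is activated in `apache-release` only, which should be checked against the `dependency.check.skip` value set in pom.xml in this commit. The 2021-12-11 fix entry names log4j2 2.15.0; if release 10 ends up on a later log4j2, update this line together with the version bump so the release notes state what actually ships.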