Hi all,

I had some time this Sunday afternoon and had a look at the httpclient 3.1 -> 
4.5.13 migration.
It seems that this is not trivial and would require quite a bit of time and 
especially testing.
As I'm no longer using Flex or Royale, I don't want to port something that I 
can't test.

However, as the problem with httpclient seems to be solely related to the proxy 
module of BlazeDS (and I've never used that before), perhaps the Project could 
consider taking the proxy module out and releasing the rest.

But that's just a suggestion from my side.

Chris


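The migration Chris describes above, from commons-httpclient:commons-httpclient 3.1 to org.apache.httpcomponents:httpclient 4.5.x, is a source-level API change rather than a coordinate bump. The following is an added illustration, not code from BlazeDS or from anyone in this thread: the same proxy-style fetch written against both APIs. The class name, the `fetchLegacy`/`fetchCurrent` method names, the `Fetched` result type, the proxy host/port parameters and the timeout values are all assumptions made for the example; nothing here claims to mirror how the BlazeDS proxy module is actually structured. Compiling it needs both artifacts on the classpath, since each half imports its own package tree.

```java
// Added illustration of the API change behind the commons-httpclient 3.1 ->
// httpcomponents 4.5 migration discussed in the thread. This is NOT BlazeDS code;
// the "fetch through a forward proxy" shape, the method names and the timeouts
// are assumptions made for the example.
import java.io.IOException;

// ---- Before: commons-httpclient:commons-httpclient 3.1 ----------------------
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;

// ---- After: org.apache.httpcomponents:httpclient 4.5.x ----------------------
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;

public class ProxyFetchMigration {

    /** Result type shared by both variants (assumed for the example). */
    public static final class Fetched {
        public final int status;
        public final byte[] body;

        Fetched(int status, byte[] body) {
            this.status = status;
            this.body = body;
        }
    }

    /** 3.1 style: mutable client, per-request "method" objects, manual connection release. */
    public static Fetched fetchLegacy(String url, String proxyHost, int proxyPort) throws IOException {
        HttpClient client = new HttpClient();
        client.getHostConfiguration().setProxy(proxyHost, proxyPort);
        client.getHttpConnectionManager().getParams().setConnectionTimeout(5_000);
        client.getParams().setSoTimeout(10_000);

        GetMethod method = new GetMethod(url);
        // A server-side proxy should not silently follow redirects on the caller's behalf.
        method.setFollowRedirects(false);
        try {
            int status = client.executeMethod(method);
            return new Fetched(status, method.getResponseBody());
        } finally {
            // Easy to forget in 3.x; a missed release leaks the pooled connection.
            method.releaseConnection();
        }
    }

    /** 4.5 style: immutable RequestConfig, builder-created client, try-with-resources. */
    public static Fetched fetchCurrent(String url, String proxyHost, int proxyPort) throws IOException {
        RequestConfig config = RequestConfig.custom()
                .setProxy(new HttpHost(proxyHost, proxyPort))
                .setConnectTimeout(5_000)
                .setSocketTimeout(10_000)
                .setRedirectsEnabled(false)   // same policy as setFollowRedirects(false) above
                .build();

        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultRequestConfig(config)
                .build()) {
            HttpGet get = new HttpGet(url);
            try (CloseableHttpResponse response = client.execute(get)) {
                int status = response.getStatusLine().getStatusCode();
                // 4.x responses may carry no entity at all (e.g. 204), so guard before reading.
                byte[] body = response.getEntity() == null
                        ? new byte[0]
                        : EntityUtils.toByteArray(response.getEntity());
                return new Fetched(status, body);
            }
        }
    }
}
```

The differences that tend to drive the refactoring effort are visible even in this small case: the 3.x `HttpMethod` hierarchy (`GetMethod`, `PostMethod`, ...) is replaced by `HttpGet`/`HttpPost` request objects, per-call settings move from mutable client/method parameters into an immutable `RequestConfig`, response handling goes through an `HttpEntity` that must be consumed or closed, and the checked exception types change. Code that shared one 3.x client across threads via `MultiThreadedHttpConnectionManager` would similarly move to 4.x's `PoolingHttpClientConnectionManager`, which is the kind of change that needs the testing Chris refers to.
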
-----Original Message-----
From: Christofer Dutz <christofer.d...@c-ware.de> 
Sent: Friday, 17 June 2022 12:25
To: dev@flex.apache.org
Subject: RE: Project retiring and board discussion

Hi Harbs,

you first need someone willing to migrate from 
commons-httpclient:commons-httpclient to org.apache.httpcomponents:httpclient.

Chris


-----Original Message-----
From: Harbs <harbs.li...@gmail.com> 
Sent: Friday, 17 June 2022 12:07
To: dev <dev@flex.apache.org>
Subject: Re: Project retiring and board discussion

Thanks Chris!

We need a volunteer to do the work to create a release for this.

I’ve never used BlazeDS, so I don’t feel comfortable doing it.

Any takers?

Thanks,
Harbs

> On Jun 17, 2022, at 12:44 PM, Christofer Dutz <christofer.d...@c-ware.de> 
> wrote:
> 
> Hi all,
> 
> I have created a branch: "security-updates" ... here I updated most of the 
> libraries to get rid of vulnerable artifacts.
> I had to comment out all of the tomcat modules, as there's no invulnerable 
> tomcat version up to 7.
> I also commented out the JMS related stuff as there's no active-mq version 
> without vulnerabilities.
> And especially I commented out the spring-boot-starter, as it relies on the 
> spring-flex-core library, which is discontinued on the Spring side and greatly 
> out of date. I also tried updating to the latest Spring version; it seems 
> there was not a single pre-6.0 version that wasn't reporting a lot of CVEs.
> 
> One thing that needs changing before releasing a new version of BlazeDS 
> would be to update from 
> commons-httpclient:commons-httpclient to 
> org.apache.httpcomponents:httpclient ... however this was not just a small 
> update of the dependencies. Here the code would require some refactoring. 
> 
> I updated the build to the latest Apache parent pom, updated the plugins, and 
> had to update the compiler to Java 1.8 as the baseline version, as 1.6 I can 
> no longer build.
> 
> I added the rat-plugin as some files were missing Apache headers, I added the 
> owasp plugin to scan for vulnerabilities and to fail the build if something 
> above a score of 4.0 is found.
> 
> Given my history with Flex and Royale, I don't feel the desire to put any 
> more effort into this. You should now be on a good track to being able to 
> release a new version of BlazeDS. I don't care if this is in Apache Flex or 
> in Apache Royale.
> 
> 
> Chris
> 
> 
> -----Original Message-----
> From: Rich Bowen <rbo...@apache.org> 
> Sent: Wednesday, 15 June 2022 20:10
> To: dev@flex.apache.org
> Subject: Project retiring and board discussion
> 
> I wanted to follow up on today's discussion on the board of directors call, 
> but first I have read a little bit of your mailing list archive, and that has 
> changed what I was going to say.
> 
> Over the past year, the project has reported, in almost every board report, 
> that the project is inactive and planning to retire. But then I read the last 
> few months of email to this list, and it appears that the actual project 
> community has no such desire. Mostly I want to commend you for having that 
> conversation and putting the user community first.
> 
> To be clear, there is no obligation to produce releases in order to continue 
> to operate a user-centric project. If you have users that rely on you, and 
> you have an active community (where "active" is defined as 3+ PMC members 
> able to respond in the case of a CVE, and folks who are available to answer 
> user questions) then you still have an "active" project. 
> 
> That said, it's worth noting Chris Dutz's comment on your board report, 
> regarding the BlazeDS sub-project and its Log4J dependencies. He suggests 
> possibly investigating passing that sub-project over to Royale, if there are 
> not sufficient people here to address that concern.
> 
> Anyways, please do reach out if you have any questions. But know that 
> "active" has many different possible definitions, and that projects are not 
> obligated to meet every bar in order to be serving their user community.
> 
> --Rich, for the Board of Directors.