Backwards incompatible opentelemetry-semconv in 4.0.5

2024-08-08 Thread Peter Palaga

Hi,

as you may know I am the maintainer of Quarkus CXF.


When trying to upgrade CXF from 4.0.4 to 4.0.5 in our 3.8 LTS branch, I 
found out that it won't work because of missing class 
io.opentelemetry.semconv.HttpAttributes.


It is caused by this upgrade of opentelemetry-semconv from 1.23.1-alpha 
to 1.24.0-alpha between CXF 
4.0.4 and 4.0.5, where opentelemetry-semconv 1.24.0-alpha renamed 
SemanticAttributes to HttpAttributes.


CXF was adapted to that change around here 
but Quarkus 3.8 was not and it keeps using opentelemetry-semconv 
1.21.0-alpha in their 3.8 LTS branch. I believe their approach is 
correct for an LTS branch.


At the same time, there is no point in overriding any opentelemetry 
dependency in favor of CXF on Quarkus CXF side, because (1) it could 
break user applications and (2) Quarkus CXF relies on Quarkus 
Opentelemetry configuration for GraalVM native image which tends to be 
quite sensitive to changes of class names.


It is perhaps not realistic to revert the opentelemetry-semconv upgrades 
for CXF 4.0.6, but could we please be more careful about such breaking 
changes in maintenance branches in the future?


Thanks,

-- Peter


Re: [PR] Bump org.awaitility:awaitility from 4.2.0 to 4.2.2 [cxf]

2024-08-08 Thread via GitHub


reta merged PR #1997:
URL: https://github.com/apache/cxf/pull/1997


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@cxf.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



Re: [PR] [CXF-9045 Update client and server to accept host and protocol] [cxf]

2024-08-08 Thread via GitHub


reta merged PR #1995:
URL: https://github.com/apache/cxf/pull/1995





Re: [PR] Bump org.jboss.ws.cxf:jbossws-cxf-client from 7.1.0.Final to 7.2.0.Final [cxf]

2024-08-08 Thread via GitHub


reta merged PR #1996:
URL: https://github.com/apache/cxf/pull/1996





Re: Backwards incompatible opentelemetry-semconv in 4.0.5

2024-08-08 Thread Andriy Redko
Hi Peter,

That is unexpected, sorry about that. The minor updates are generally 
considered safe but dependency on *-alpha artifacts is definitely in 
conflict here (both for CXF or/and Quarkus). Maybe the best option for 
CXF and Quarkus would be to wait for semconv to become stable and only 
then rely on such conventions. Thanks for bringing this up.

Best Regards,
Andriy Redko 




Re: Backwards incompatible opentelemetry-semconv in 4.0.5

2024-08-08 Thread Peter Palaga

Thanks for the prompt reply, Andriy.

After having a closer look at the changes in opentelemetry-semconv post 
1.24.0-alpha, I found that the removed classes were introduced back in 
this commit 
so it should actually be safe for Quarkus to upgrade to 
opentelemetry-semconv 1.25.0-alpha or 1.26.0-alpha. I am waiting for 
their answer.


-- Peter





Re: Backwards incompatible opentelemetry-semconv in 4.0.5

2024-08-08 Thread Andriy Redko
Thanks a lot Peter, that's great news, looking forward towards the (possible) 
release!
 
Best Regards,
    Andriy Redko 




[PR] Bump cxf.slf4j.version from 2.0.14 to 2.0.15 [cxf]

2024-08-08 Thread via GitHub


dependabot[bot] opened a new pull request, #1998:
URL: https://github.com/apache/cxf/pull/1998

   Bumps `cxf.slf4j.version` from 2.0.14 to 2.0.15.
   Updates `org.slf4j:slf4j-jdk14` from 2.0.14 to 2.0.15
   
   Updates `org.slf4j:jcl-over-slf4j` from 2.0.14 to 2.0.15
   
   Updates `org.slf4j:slf4j-api` from 2.0.14 to 2.0.15
   
   Updates `org.slf4j:slf4j-log4j12` from 2.0.14 to 2.0.15
   
   Updates `org.slf4j:slf4j-nop` from 2.0.14 to 2.0.15
   
   Updates `org.slf4j:jul-to-slf4j` from 2.0.14 to 2.0.15
   
   



[PR] Bump commons-codec:commons-codec from 1.17.0 to 1.17.1 [cxf]

2024-08-08 Thread via GitHub


dependabot[bot] opened a new pull request, #1999:
URL: https://github.com/apache/cxf/pull/1999

   Bumps [commons-codec:commons-codec](https://github.com/apache/commons-codec) 
from 1.17.0 to 1.17.1.
   
   Changelog
   Sourced from [commons-codec:commons-codec's changelog](https://github.com/apache/commons-codec/blob/master/RELEASE-NOTES.txt).
   
   Apache Commons Codec 1.17.1 RELEASE NOTES
   The Apache Commons Codec component contains encoders and decoders for
   various formats such as Base16, Base32, Base64, digest, and Hexadecimal. In 
addition to these
   widely used encoders and decoders, the codec package also maintains a
   collection of phonetic encoding utilities.
   Feature and fix release. Requires a minimum of Java 8.
   
   Fixed Bugs
   - Md5Crypt now throws IllegalArgumentException on an invalid prefix. Thanks 
to Gary Gregory.
   
   Changes
   - Bump org.apache.commons:commons-parent from 69 to 71 
[#286](https://github.com/apache/commons-codec/issues/286). Thanks to Gary 
Gregory.
   - Bump org.codehaus.mojo:animal-sniffer-maven-plugin from 1.23 to 1.24 
[#293](https://github.com/apache/commons-codec/issues/293). Thanks to 
Dependabot.
   - Bump org.codehaus.mojo:taglist-maven-plugin from 3.0.0 to 3.1.0 
[#292](https://github.com/apache/commons-codec/issues/292). Thanks to 
Dependabot.
   
   For complete information on Apache Commons Codec, including instructions 
on how to submit bug reports,
   patches, or suggestions for improvement, see the Apache Commons Codec 
website:
   https://commons.apache.org/proper/commons-codec/
   Download page: https://commons.apache.org/proper/commons-codec/download_codec.cgi
   
   Commits
   
   - [9651097](https://github.com/apache/commons-codec/commit/965109705c5236b05011e1c45f47d991abfa521e) Prepare for the next release candidate
   - [0d99b46](https://github.com/apache/commons-codec/commit/0d99b46fa1a8a61cf869ff4cc9b9e2402129f199) Merge branch 'master' of https://gitbox.apache.org/repos/asf/commons-codec
   - [0c63e18](https://github.com/apache/commons-codec/commit/0c63e18b8a5e5b9b0195a632d136c85c1452b34f) Prepare for the next release candidate
   - [be06260](https://github.com/apache/commons-codec/commit/be06260d90edd8ad43879eb2862dac765e807cc0) Bump actions/upload-artifact from 4.3.3 to 4.3.4 ([#295](https://redirect.github.com/apache/commons-codec/issues/295))
   - [09ef422](https://github.com/apache/commons-codec/commit/09ef422871b8d202d4dca1ff67d91f32723d3862) Bump github/codeql-action from 3.25.11 to 3.25.12 ([#294](https://redirect.github.com/apache/commons-codec/issues/294))
   - [86ef922](https://github.com/apache/commons-codec/commit/86ef922a57d6c2632dc84c41cb04798fe489431c) Merge branch 'master' of https://gitbox.apache.org/repos/asf/commons-codec.git
   - [974cf87](https://github.com/apache/commons-codec/commit/974cf873936633d7bb7e060b1caf119e60b60e98) Remove redundant keywords
   - [0c82238](https://github.com/apache/commons-codec/commit/0c82238e5b9a914fdd862df3f6ab0085f533b5e8) Remove redundant keywords
   - [1e6544e](https://github.com/apache/commons-codec/commit/1e6544e4f1d269c0edf8b702f60d6dc866b3affa) Remove redundant keywords
   - [8dcf9d1](https://github.com/apache/commons-codec/commit/8dcf9d1f745c88beedf54e63c7a5d683725ebdea) Remove redundant keywords
   
   Additional commits viewable in [compare view](https://github.com/apache/commons-codec/compare/rel/commons-codec-1.17.0...rel/commons-codec-1.17.1)
   
   
   
   
   

[PR] Bump org.apache.commons:commons-text from 1.10.0 to 1.12.0 [cxf]

2024-08-08 Thread via GitHub


dependabot[bot] opened a new pull request, #2000:
URL: https://github.com/apache/cxf/pull/2000

   Bumps org.apache.commons:commons-text from 1.10.0 to 1.12.0.
   
   