Stewardship SIG Report (September 2019)
The month of September was somewhat quieter for the Stewardship SIG, though we again managed to push some important changes and updates, both to reduce the number of packages we potentially need to maintain and to bring the whole stack into better shape and more up to date again.
We removed some unused functionality from our packages, which let us trim the dependency tree some more. Notably, by dropping the direct dependency of Maven on logback, our packages no longer require Groovy or Gradle, not even transitively.

The support for Markdown in the doxia maven modules was also removed in preparation for version updates, which would introduce not-yet-packaged dependencies for the Markdown support anyway.

The unused support for memoryfilesystem was removed from assertj-core to further reduce the number of packages we need to maintain.
package | version | release | changes |
---|---|---|---|
maven | 3.5.4 | 12.fc32, 12.fc31 | remove dependency on logback |
maven-doxia-sitetools | 1.7.5 | 6.fc32 | disable markdown support |
maven-doxia | 1.7 | 12.fc32 | disable itext support |
assertj-core | 3.8.0 | 6.fc32 | drop memoryfilesystem dependency |
We also worked on getting updates for Jackson out fast, since some security vulnerabilities for jackson-databind were recently published (CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439). These have all been fixed with the 2.9.9.3 release of jackson-databind, which required updating its sister projects to 2.9.9 as well.
package | version | release | changes |
---|---|---|---|
jackson-bom | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
jackson-annotations | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
jackson-core | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
jackson-databind | 2.9.9.3 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9.3 |
We also managed to finally update some packages related to maven-invoker to their latest versions, which required a coordinated update to maven-invoker and maven-invoker-plugin, and a patch to port xmvn to these new versions.
package | version | release | changes |
---|---|---|---|
maven-invoker | 3.0.1 | 1.fc32 | 2.2 → 3.0.1 |
maven-invoker-plugin | 3.2.0 | 1.fc32 | 1.10 → 3.2.0 |
xmvn | 3.0.0 | 27.fc32 | port to maven-invoker 3.0.1 |
Recently, the old Felix OSGi implementation was retired from Fedora in favor of OSGi Core 7.0.0, and all packages using the old Felix implementation needed to migrate. With some help from Mat Booth I pushed the necessary changes to all our packages (and some others as well, not listed below).
package | version | release | changes |
---|---|---|---|
apache-commons-compress | 1.18 | 7.fc32 | migrate to osgi-core |
snappy-java | 1.1.2.4 | 13.fc32 | migrate to osgi-core |
xbean | 4.14 | 2.fc32 | migrate to osgi-core |
woodstox-core | 6.0.1 | 2.fc32 | 5.2.1 → 6.0.1 and migrate to OSGi 7 |
Last, we were able to update both maven-doxia and maven-doxia-sitetools to their latest versions. As mentioned above, this meant disabling the (unused) support for Markdown, since the library used for Markdown support was changed from pegdown (which was packaged for Fedora) to flexmark, which isn't available in Fedora.
package | version | release | changes |
---|---|---|---|
maven-doxia | 1.9 | 1.fc32 | 1.7 → 1.9 |
maven-doxia-sitetools | 1.9.1 | 1.fc32 | 1.7.5 → 1.9.1 |