Stewardship SIG Report (October 2019)
It's a bit late, but here's the complete run-down of what the Stewardship SIG accomplished during the month of October.
To start off the month, we pushed some updates for the Jackson stack to fix security issues that are present in versions earlier than 2.10.
| package | version | release | changes |
|---|---|---|---|
| jackson-parent | 2.10 | 1.fc32, 1.fc31, 1.fc30 | 2.9.1.2 → 2.10 |
| jackson-bom | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-annotations | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-core | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-databind | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9.3 → 2.10.0 |
I created a new package for univocity-output-tester, the absence of which was previously the reason for the disabled test suite in the univocity-parsers package. In the next update for it, the test suite will be enabled.
| package | version | release | changes |
|---|---|---|---|
| univocity-output-tester | 2.1 | 1.fc32 | Initial packaging |
Next, I moved on to fixing some FTBFS issues. paranamer started to fail to build a while ago due to it not depending on ant directly, but relying on it transitively - that transitive dependency got removed at some point, so it just had to be added in directly.
I also moved netty3, grizzly and grizzly-npn away from the retired felix OSGi implementation, since everything should use OSGi 7.0.0 from osgi-core now.
| package | version | release | changes |
|---|---|---|---|
| paranamer | 2.8 | 10.fc32, 10.fc31 | fix FTBFS issue on fedora 31+ |
| netty3 | 3.10.6 | 8.fc32 | migrate away from felix OSGi |
| grizzly-npn | 1.2 | 11.fc32 | migrate away from felix OSGi |
| grizzly | 2.3.24 | 9.fc32 | migrate away from felix OSGi |
Next, I pushed minor updates for two of our packages (aalto-xml and commons-beanutils) to rawhide:
| package | version | release | changes |
|---|---|---|---|
| aalto-xml | 1.2.2 | 1.fc32 | 1.0.0 → 1.2.2 |
| apache-commons-beanutils | 1.9.4 | 1.fc32 | 1.9.3 → 1.9.4 |
After we updated commons-compress to the latest version in rawhide, we got a report about a security issue in versions prior to 1.19, so we pushed that change for the stable fedora releases as well.
| package | version | release | changes |
|---|---|---|---|
| apache-commons-compress | 1.19 | 1.fc32, 1.fc31, 1.fc30 | 1.18 → 1.19 |
I went on to work on the unretirement of some packages that are still required for the DogTag-PKI stack (via resteasy). The three packages in question went through package re-review since they had been retired for a few months already.
| package | version | release | changes |
|---|---|---|---|
| jboss-transaction-1.1-api | 1.0.1 | 19.fc32, 19.fc31 | package unretirement |
| jandex | 2.1.1 | 1.fc32, 1.fc31 | package unretirement |
| maven-osgi | 0.2.0 | 18.fc32, 18.fc31 | package unretirement |
Next, I fixed new FTBFS issues for three of our packages by dropping unnecessary dependencies on the maven-release-plugin and buildnumber-maven-plugin, since both of these packages recently became non-installable in rawhide due to broken dependencies.
| package | version | release | changes |
|---|---|---|---|
| hibernate-jpa-2.0-api | 1.0.1 | 25.fc32 | fix FTBFS issue on rawhide |
| picketbox-xacml | 2.0.8 | 8.fc32 | fix FTBFS issue on rawhide |
| mimepull | 1.9.6 | 10.fc32 | fix FTBFS issue on rawhide |
And then came a long list of almost-alphabetical package updates for rawhide. Guess in which order I worked through the list of outdated packages 😉️
| package | version | release | changes |
|---|---|---|---|
| apache-commons-daemon | 1.2.2 | 1.fc32 | 1.2.0 → 1.2.2 |
| apache-commons-vfs | 2.4.1 | 1.fc32 | 2.1 → 2.4.1 |
| bcel | 6.4.1 | 1.fc32 | 6.3.1 → 6.4.1 |
| compress-lzf | 1.0.4 | 1.fc32 | 1.0.3 → 1.0.4 |
| fasterxml-oss-parent | 38 | 1.fc32 | 34 → 38 |
| fusesource-pom | 1.12 | 1.fc32 | 1.11 → 1.12 |
| hawtjni | 1.17 | 1.fc32 | 1.16 → 1.17 |
| jansi-native | 1.8 | 1.fc32 | 1.7 → 1.8 |
| jboss-el-3.0-api | 1.0.13 | 1.fc32 | 1.0.5 → 1.0.13 |
| jboss-interceptors-1.2-api | 1.0.1 | 1.fc32 | 1.0.0 → 1.0.1 |
| jboss-jsp-2.3-api | 1.0.3 | 1.fc32 | 1.0.1 → 1.0.3 |
| jboss-logging | 3.4.1 | 1.fc32 | 3.3.0 → 3.4.1 |
| jboss-servlet-3.1-api | 1.0.2 | 1.fc32 | 1.0.0 → 1.0.2 |
| jettison | 1.4.0 | 1.fc32 | 1.3.7 → 1.4.0 |
| jboss-transaction-1.2-api | 1.1.1 | 1.fc32 | 1.0.1 → 1.1.1 |
| junit5 | 5.5.2 | 1.fc32 | 5.4.2 → 5.5.2 |
We also decided to drop FOP support in maven-doxia since it isn't used by any fedora package and only introduced a dependency on FOP, which is currently broken in fedora and might get removed completely soon.
| package | version | release | changes |
|---|---|---|---|
| maven-doxia-sitetools | 1.9 | 2.fc32 | disabled FOP support |
| maven-doxia | 1.9 | 3.fc32 | disabled FOP support |
Here, the list of almost-alphabetical package updates for rawhide continues.
| package | version | release | changes |
|---|---|---|---|
| plexus-interactivity | 1.0 | 1.fc32 | 1.0~alpha6 → 1.0 |
| plexus-languages | 1.0.3 | 1.fc32 | 0.9.10 → 1.0.3 |
| maven-compiler-plugin | 3.8.1 | 3.fc32 | port to plexus-languages 1.0 |
| plexus-resources | 1.1.0 | 1.fc32 | 1.0~alpha7 → 1.1.0 |
| plexus-utils | 3.2.1 | 1.fc32 | 3.2.0 → 3.2.1 |
| shrinkwrap | 1.2.6 | 1.fc32 | 1.2.3 → 1.2.6 |
| sonatype-plugins-parent | 9 | 1.fc32 | 8 → 9 |
| stax2-api | 4.2 | 1.fc32 | 4.0.0 → 4.2 |
| univocity-parsers | 2.8.3 | 1.fc32 | 2.5.5 → 2.8.3 |
| weld-parent | 39 | 1.fc32 | 34 → 39 |
We also worked on some small improvements for snakeyaml -- first, I backported an upstream patch to fix a broken test, and second, I replaced its usage of the base64coder package with directly calling the Base64 implementation that has been present in OpenJDK since Java 8.
| package | version | release | changes |
|---|---|---|---|
| snakeyaml | 1.25 | 2.fc32 | backport upstream fix for a broken test |
| snakeyaml | 1.25 | 3.fc32 | replace base64coder with Base64 from JDK8 |
Last, here's the list of package updates that I didn't quite manage to prepare in alphabetical order (😆️), or where reviewing my Pull Request took a bit longer. This list includes the noteworthy update of Maven to the 3.6 branch.
| package | version | release | changes |
|---|---|---|---|
| maven-enforcer | 3.0.0~M2 | 1.fc32 | 1.4.1 → 3.0.0~M2 |
| woodstox-core | 6.0.2 | 1.fc32 | 6.0.1 → 6.0.2 |
| xalan-j2 | 2.7.2 | 1.fc32 | 2.7.1 → 2.7.2 |
| freemarker | 2.3.29 | 1.fc32 | 2.3.28 → 2.3.29 |
| plexus-pom | 5.1 | 1.fc32 | 5.0 → 5.1 |
| xsom | 20140514 | 1.fc32 | 20110809 → 20140514 |
| maven | 3.6.1 | 1.fc32 | 3.5.4 → 3.6.1 |
| glassfish-dtd-parser | 1.4 | 1.fc32 | 1.2.0 → 1.4 |
| glassfish-annotation-api | 1.3.2 | 1.fc32 | 1.2 → 1.3.2 |
Squeezing in one last update before the end of October, we managed to get glassfish-hk2 building again by dropping some of the functionality that's not actually being used in fedora.
| package | version | release | changes |
|---|---|---|---|
| glassfish-hk2 | 2.5.0 | 5.fc32, 5.fc31 | disable unused functionality to fix builds |