Stewardship SIG Report (October 2019)

It's a bit late, but here's the complete run-down of what the Stewardship SIG accomplished during the month of October.

To start off the month, we pushed some updates for the Jackson stack to fix security issues that are present in versions earlier than 2.10.

| package | version | release | changes |
| --- | --- | --- | --- |
| jackson-parent | 2.10 | 1.fc32, 1.fc31, 1.fc30 | 2.9.1.2 → 2.10 |
| jackson-bom | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-annotations | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-core | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
| jackson-databind | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9.3 → 2.10.0 |

I created a new package for univocity-output-tester, the absence of which was previously the reason for the disabled test suite in the univocity-parsers package. In the next update for it, the test suite will be enabled.

| package | version | release | changes |
| --- | --- | --- | --- |
| univocity-output-tester | 2.1 | 1.fc32 | Initial packaging |

Next, I moved on to fixing some FTBFS issues. paranamer started to fail to build a while ago due to it not depending on ant directly, but relying on it transitively - that transitive dependency got removed at some point, so it just had to be added in directly.

I also moved netty3, grizzly and grizzly-npn away from the retired felix OSGi implementation, since everything should use OSGi 7.0.0 from osgi-core now.

| package | version | release | changes |
| --- | --- | --- | --- |
| paranamer | 2.8 | 10.fc32, 10.fc31 | fix FTBFS issue on fedora 31+ |
| netty3 | 3.10.6 | 8.fc32 | migrate away from felix OSGi |
| grizzly-npn | 1.2 | 11.fc32 | migrate away from felix OSGi |
| grizzly | 2.3.24 | 9.fc32 | migrate away from felix OSGi |

Next, I pushed minor updates for two of our packages (aalto-xml and commons-beanutils) to rawhide:

| package | version | release | changes |
| --- | --- | --- | --- |
| aalto-xml | 1.2.2 | 1.fc32 | 1.0.0 → 1.2.2 |
| apache-commons-beanutils | 1.9.4 | 1.fc32 | 1.9.3 → 1.9.4 |

After we updated commons-compress to the latest version in rawhide, we got a report about a security issue in versions prior to 1.19, so we pushed that change for the stable fedora releases as well.

| package | version | release | changes |
| --- | --- | --- | --- |
| apache-commons-compress | 1.19 | 1.fc32, 1.fc31, 1.fc30 | 1.18 → 1.19 |

I went on to work on the unretirement of some packages that are still required for the DogTag-PKI stack (via resteasy). The three packages in question went through package re-review since they had been retired for a few months already.

| package | version | release | changes |
| --- | --- | --- | --- |
| jboss-transaction-1.1-api | 1.0.1 | 19.fc32, 19.fc31 | package unretirement |
| jandex | 2.1.1 | 1.fc32, 1.fc31 | package unretirement |
| maven-osgi | 0.2.0 | 18.fc32, 18.fc31 | package unretirement |

Next, I fixed new FTBFS issues for three of our packages by dropping unnecessary dependencies on the maven-release-plugin and buildnumber-maven-plugin, since both of these packages recently became non-installable in rawhide due to broken dependencies.

| package | version | release | changes |
| --- | --- | --- | --- |
| hibernate-jpa-2.0-api | 1.0.1 | 25.fc32 | fix FTBFS issue on rawhide |
| picketbox-xacml | 2.0.8 | 8.fc32 | fix FTBFS issue on rawhide |
| mimepull | 1.9.6 | 10.fc32 | fix FTBFS issue on rawhide |

And then came a long list of almost-alphabetical package updates for rawhide. Guess in which order I worked through the list of outdated packages 😉️

| package | version | release | changes |
| --- | --- | --- | --- |
| apache-commons-daemon | 1.2.2 | 1.fc32 | 1.2.0 → 1.2.2 |
| apache-commons-vfs | 2.4.1 | 1.fc32 | 2.1 → 2.4.1 |
| bcel | 6.4.1 | 1.fc32 | 6.3.1 → 6.4.1 |
| compress-lzf | 1.0.4 | 1.fc32 | 1.0.3 → 1.0.4 |
| fasterxml-oss-parent | 38 | 1.fc32 | 34 → 38 |
| fusesource-pom | 1.12 | 1.fc32 | 1.11 → 1.12 |
| hawtjni | 1.17 | 1.fc32 | 1.16 → 1.17 |
| jansi-native | 1.8 | 1.fc32 | 1.7 → 1.8 |
| jboss-el-3.0-api | 1.0.13 | 1.fc32 | 1.0.5 → 1.0.13 |
| jboss-interceptors-1.2-api | 1.0.1 | 1.fc32 | 1.0.0 → 1.0.1 |
| jboss-jsp-2.3-api | 1.0.3 | 1.fc32 | 1.0.1 → 1.0.3 |
| jboss-logging | 3.4.1 | 1.fc32 | 3.3.0 → 3.4.1 |
| jboss-servlet-3.1-api | 1.0.2 | 1.fc32 | 1.0.0 → 1.0.2 |
| jettison | 1.4.0 | 1.fc32 | 1.3.7 → 1.4.0 |
| jboss-transaction-1.2-api | 1.1.1 | 1.fc32 | 1.0.1 → 1.1.1 |
| junit5 | 5.5.2 | 1.fc32 | 5.4.2 → 5.5.2 |

We also decided to drop FOP support in maven-doxia since it isn't used by any fedora package and only introduced a dependency on FOP, which is currently broken in fedora and might get removed completely soon.

| package | version | release | changes |
| --- | --- | --- | --- |
| maven-doxia-sitetools | 1.9 | 2.fc32 | disabled FOP support |
| maven-doxia | 1.9 | 3.fc32 | disabled FOP support |

Here, the list of almost-alphabetical package updates for rawhide continues.

| package | version | release | changes |
| --- | --- | --- | --- |
| plexus-interactivity | 1.0 | 1.fc32 | 1.0~alpha6 → 1.0 |
| plexus-languages | 1.0.3 | 1.fc32 | 0.9.10 → 1.0.3 |
| maven-compiler-plugin | 3.8.1 | 3.fc32 | port to plexus-languages 1.0 |
| plexus-resources | 1.1.0 | 1.fc32 | 1.0~alpha7 → 1.1.0 |
| plexus-utils | 3.2.1 | 1.fc32 | 3.2.0 → 3.2.1 |
| shrinkwrap | 1.2.6 | 1.fc32 | 1.2.3 → 1.2.6 |
| sonatype-plugins-parent | 9 | 1.fc32 | 8 → 9 |
| stax2-api | 4.2 | 1.fc32 | 4.0.0 → 4.2 |
| univocity-parsers | 2.8.3 | 1.fc32 | 2.5.5 → 2.8.3 |
| weld-parent | 39 | 1.fc32 | 34 → 39 |

We also worked on some small improvements for snakeyaml -- first, I backported an upstream patch to fix a broken test, and second, I replaced its usage of the base64coder package with directly calling the Base64 implementation that has been present in OpenJDK since Java 8.

| package | version | release | changes |
| --- | --- | --- | --- |
| snakeyaml | 1.25 | 2.fc32 | backport upstream fix for a broken test |
| snakeyaml | 1.25 | 3.fc32 | replace base64coder with Base64 from JDK8 |

Last, here's the list of package updates that I didn't quite manage to prepare in alphabetical order (😆️), or where reviewing my Pull Request took a bit longer. This list includes the noteworthy update of Maven to the 3.6 branch.

| package | version | release | changes |
| --- | --- | --- | --- |
| maven-enforcer | 3.0.0~M2 | 1.fc32 | 1.4.1 → 3.0.0~M2 |
| woodstox-core | 6.0.2 | 1.fc32 | 6.0.1 → 6.0.2 |
| xalan-j2 | 2.7.2 | 1.fc32 | 2.7.1 → 2.7.2 |
| freemarker | 2.3.29 | 1.fc32 | 2.3.28 → 2.3.29 |
| plexus-pom | 5.1 | 1.fc32 | 5.0 → 5.1 |
| xsom | 20140514 | 1.fc32 | 20110809 → 20140514 |
| maven | 3.6.1 | 1.fc32 | 3.5.4 → 3.6.1 |
| glassfish-dtd-parser | 1.4 | 1.fc32 | 1.2.0 → 1.4 |
| glassfish-annotation-api | 1.3.2 | 1.fc32 | 1.2 → 1.3.2 |

Squeezing in one last update before the end of October, we managed to get glassfish-hk2 building again by dropping some of the functionality that's not actually being used in fedora.

| package | version | release | changes |
| --- | --- | --- | --- |
| glassfish-hk2 | 2.5.0 | 5.fc32, 5.fc31 | disable unused functionality to fix builds |