Stewardship SIG Report (October 2019)
It's a bit late, but here's the complete run-down of what the Stewardship SIG accomplished during the month of October.
To start off the month, we pushed some updates for the Jackson stack to fix security issues that are present in versions earlier than 2.10.
package | version | release | changes |
---|---|---|---|
jackson-parent | 2.10 | 1.fc32, 1.fc31, 1.fc30 | 2.9.1.2 → 2.10 |
jackson-bom | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
jackson-annotations | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
jackson-core | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9 → 2.10.0 |
jackson-databind | 2.10.0 | 1.fc32, 1.fc31, 1.fc30 | 2.9.9.3 → 2.10.0 |
I created a new package for univocity-output-tester
, the absence of which was previously the reason for the disabled test suite in the univocity-parsers
package. In the next update for it, the test suite will be enabled.
package | version | release | changes |
---|---|---|---|
univocity-output-tester | 2.1 | 1.fc32 | Initial packaging |
Next, I moved on to fixing some FTBFS issues. paranamer
started to fail to build a while ago due to it not depending on ant
directly, but relying on it transitively - that transitive dependency got removed at some point, so it just had to be added in directly.
I also moved both netty3
, grizzly
and grizzly-npn
away from the retired felix OSGi implementation, since everything should use OSGi 7.0.0 from osgi-core
now.
package | version | release | changes |
---|---|---|---|
paranamer | 2.8 | 10.fc32, 10.fc31 | fix FTBFS issue on fedora 31+ |
netty3 | 3.10.6 | 8.fc32 | migrate away from felix OSGi |
grizzly-npn | 1.2 | 11.fc32 | migrate away from felix OSGi |
grizzly | 2.3.24 | 9.fc32 | migrate away from felix OSGi |
Next, I pushed minor updates for two of our packages (aalto-xml
and commons-beanutils
) to rawhide:
package | version | release | changes |
---|---|---|---|
aalto-xml | 1.2.2 | 1.fc32 | 1.0.0 → 1.2.2 |
apache-commons-beanutils | 1.9.4 | 1.fc32 | 1.9.3 → 1.9.4 |
After we updated commons-compress
to the latest version in rawhide, we got a report about a security issue in versions prior to 1.19, so we pushed that change for the stable fedora releases as well.
package | version | release | changes |
---|---|---|---|
apache-commons-compress | 1.19 | 1.fc32, 1.fc31, 1.fc30 | 1.18 → 1.19 |
I went on to work on the unretirement of some packages that are still required for the DogTag-PKI stack (via resteasy
). The three packages in question went through package re-review since they had been retired for a few months already.
package | version | release | changes |
---|---|---|---|
jboss-transaction-1.1-api | 1.0.1 | 19.fc32, 19.fc31 | package unretirement |
jandex | 2.1.1 | 1.fc32, 1.fc31 | package unretirement |
maven-osgi | 0.2.0 | 18.fc32, 18.fc31 | package unretirement |
Next, I fixed new FTBFS issues for three of our packages by dropping unnecessary dependencies on the maven-release-plugin
and buildnumber-maven-plugin
, since both of these packages recently became non-installable in rawhide due to broken dependencies.
package | version | release | changes |
---|---|---|---|
hibernate-jpa-2.0-api | 1.0.1 | 25.fc32 | fix FTBFS issue on rawhide |
picketbox-xacml | 2.0.8 | 8.fc32 | fix FTBFS issue on rawhide |
mimepull | 1.9.6 | 10.fc32 | fix FTBFS issue on rawhide |
And then came a long list of almost-alphabetical package updates for rawhide. Guess in which order I worked through the list of outdated packages 😉️
package | version | release | changes |
---|---|---|---|
apache-commons-daemon | 1.2.2 | 1.fc32 | 1.2.0 → 1.2.2 |
apache-commons-vfs | 2.4.1 | 1.fc32 | 2.1 → 2.4.1 |
bcel | 6.4.1 | 1.fc32 | 6.3.1 → 6.4.1 |
compress-lzf | 1.0.4 | 1.fc32 | 1.0.3 → 1.0.4 |
fasterxml-oss-parent | 38 | 1.fc32 | 34 → 38 |
fusesource-pom | 1.12 | 1.fc32 | 1.11 → 1.12 |
hawtjni | 1.17 | 1.fc32 | 1.16 → 1.17 |
jansi-native | 1.8 | 1.fc32 | 1.7 → 1.8 |
jboss-el-3.0-api | 1.0.13 | 1.fc32 | 1.0.5 → 1.0.13 |
jboss-interceptors-1.2-api | 1.0.1 | 1.fc32 | 1.0.0 → 1.0.1 |
jboss-jsp-2.3-api | 1.0.3 | 1.fc32 | 1.0.1 → 1.0.3 |
jboss-logging | 3.4.1 | 1.fc32 | 3.3.0 → 3.4.1 |
jboss-servlet-3.1-api | 1.0.2 | 1.fc32 | 1.0.0 → 1.0.2 |
jettison | 1.4.0 | 1.fc32 | 1.3.7 → 1.4.0 |
jboss-transaction-1.2-api | 1.1.1 | 1.fc32 | 1.0.1 → 1.1.1 |
junit5 | 5.5.2 | 1.fc32 | 5.4.2 → 5.5.2 |
We also decided to drop FOP support in maven-doxia
since it isn't used by any fedora package and only introduced a dependency on FOP, which is currently broken in fedora and might get removed completely soon.
package | version | release | changes |
---|---|---|---|
maven-doxia-sitetools | 1.9 | 2.fc32 | disabled FOP support |
maven-doxia | 1.9 | 3.fc32 | disabled FOP support |
Here, the list of almost-alphabetical package updates for rawhide continues.
package | version | release | changes |
---|---|---|---|
plexus-interactivity | 1.0 | 1.fc32 | 1.0~alpha6 → 1.0 |
plexus-languages | 1.0.3 | 1.fc32 | 0.9.10 → 1.0.3 |
maven-compiler-plugin | 3.8.1 | 3.fc32 | port to plexus-languages 1.0 |
plexus-resources | 1.1.0 | 1.fc32 | 1.0~alpha7 → 1.1.0 |
plexus-utils | 3.2.1 | 1.fc32 | 3.2.0 → 3.2.1 |
shrinkwrap | 1.2.6 | 1.fc32 | 1.2.3 → 1.2.6 |
sonatype-plugins-parent | 9 | 1.fc32 | 8 → 9 |
stax2-api | 4.2 | 1.fc32 | 4.0.0 → 4.2 |
univocity-parsers | [2.8.3][univocity-parsers-2.8.3] | 1.fc32 | 2.5.5 → 2.8.3 |
weld-parent | 39 | 1.fc32 | 34 → 39 |
We also worked on some small improvements for snakeyaml
-- first, I backported an upstream patch to fix a broken test, and second, I replaced its usage of the base64coder
package with directly calling the Base64 implementation that has been present in OpenJDK since Java 8.
package | version | release | changes |
---|---|---|---|
snakeyaml | 1.25 | 2.fc32 | backport upstream fix for a broken test |
snakeyaml | 1.25 | 3.fc32 | replace base64coder with Base64 from JDK8 |
Last, here's the list of package updates that didn't I didn't quite manage to prepare in alphabetical order (😆️), or where reviewing my Pull Request took a bit longer. This list includes the noteworthy update of Maven to the 3.6 branch.
package | version | release | changes |
---|---|---|---|
maven-enforcer | 3.0.0~M2 | 1.fc32 | 1.4.1 → 3.0.0~M2 |
woodstox-core | 6.0.2 | 1.fc32 | 6.0.1 → 6.0.2 |
xalan-j2 | 2.7.2 | 1.fc32 | 2.7.1 → 2.7.2 |
freemarker | 2.3.29 | 1.fc32 | 2.3.28 → 2.3.29 |
plexus-pom | 5.1 | 1.fc32 | 5.0 → 5.1 |
xsom | 20140514 | 1.fc32 | 20110809 → 20140514 |
maven | 3.6.1 | 1.fc32 | 3.5.4 → 3.6.1 |
glassfish-dtd-parser | 1.4 | 1.fc32 | 1.2.0 → 1.4 |
glassfish-annotation-api | 1.3.2 | 1.fc32 | 1.2 → 1.3.2 |
Squeezing in one last update before the end of October, we managed to get glassfish-hk2
building again by dropping some of the functionality that's not actually being used in fedora.
package | version | release | changes |
---|---|---|---|
glassfish-hk2 | 2.5.0 | 5.fc32, 5.fc31 | disable unused functionality to fix builds |