By Fabio Valentini in archive — 02 Jan 2020

Stewardship SIG Report (November 2019)

There's a lot of changes that we pushed in November, and there's little time to talk about them, so here's a list of all the updates we submitted to fedora in November.

Note that with all these updates, we managed to reduce the number of outdated packages to about 25% of maintained package set, and we hope to improve further upon this.

various version updates:

package	version	release	changes
glassfish-jax-rs-api	2.1.6	1.fc32	2.1.5 → 2.1.6
apache-commons-beanutils	1.9.4	1.fc31, 1.fc30	1.9.3 → 1.9.4

a small packaging fix for maven:

package	version	release	changes
maven	3.6.1, 3.5.4	1.fc32, 1.fc31, 1.fc30	fixed postun scriptlet

inter-dependent version updates for plexus packages:

package	version	release	changes
plexus-utils	3.3.0	1.fc32	3.2.1 → 3.3.0
plexus-build-api	0.0.7	24.fc32	port to plexus-utils 3.3.0
plexus-io	3.2.0	1.fc32	3.1.1 → 3.2.0
plexus-containers	2.1.0	1.fc32	2.0.0 → 2.1.0

miscellaneous version updates:

package	version	release	changes
log4j	2.12.1	1.fc32	2.11.1 → 2.12.1
jsoup	1.12.1	1.fc32	1.11.3 → 1.12.1
jvnet-parent	5	1.fc32	4 → 5
glassfish-jsp-api	2.3.3	1.fc32	2.3.2~b01 → 2.3.3
sisu-mojos	0.3.4	1.fc32	0.3.3 → 0.3.4

updating XMvn to the latest release, and adapting other packages:

package	version	release	changes
xmvn	3.1.0	1.fc32	3.0.0 → 3.1.0
apache-commons-jexl	2.1.1	24.fc32	fix build with xmvn 3.1.0
apache-commons-collections	3.2.2	14.fc32	fix build with xmvn 3.1.0
apache-commons-lang	2.6	26.fc32	fix build with xmvn 3.1.0
xstream	1.4.11	4.fc32	fix build with xmvn 3.1.0
plexus-build-api	0.0.7	25.fc32	fix build with xmvn 3.1.0
apache-commons-collections	3.2.2	15.fc32	fix build with xmvn 3.1.0

various small fixes and improvements:

package	version	release	changes
jackson-jaxrs-providers	2.10.0	2.fc32	minimize build dependencies
xsom	20140514	2.fc32	fix regeneration of sources
munge-maven-plugin	1.0	15.fc32	drop unnecessary dependency on parent POM

another few version updates, including updates for the jackson stack that fixed some security issues:

package	version	release	changes
google-gson	2.8.6	1.fc32	2.8.2 → 2.8.6
jackson-bom	2.10.1	1.fc32	2.10.0 → 2.10.1
jackson-annotations	2.10.1	1.fc32	2.10.0 → 2.10.1
jackson-core	2.10.1	1.fc32	2.10.0 → 2.10.1
jackson-databind	2.10.1	1.fc32	2.10.0 → 2.10.1
jackson-modules-base	2.10.1	1.fc32	2.10.0 → 2.10.1
jackson-jaxrs-providers	2.10.1	1.fc32	2.10.0 → 2.10.1
xbean	4.15	1.fc32	4.14 → 4.15

inter-dependent updates for various plexus packages and maven plugins:

package	version	release	changes
plexus-archiver	4.2.1	1.fc32	4.1.0 → 4.2.1
maven-archiver	3.5.0	1.fc32	3.4.0 → 3.5.0
maven-jar-plugin	3.2.0	1.fc32	3.1.2 → 3.2.0
maven-source-plugin	3.2.0	1.fc32	3.1.0 → 3.2.0
maven-artifact-transfer	0.11.0	1.fc32	0.9.0 → 0.11.0
maven-javadoc-plugin	3.1.1	1.fc32	3.0.1 → 3.1.1
maven-invoker-plugin	3.2.1	1.fc32	3.2.0 → 3.2.1
maven-dependency-plugin	3.1.1	4.fc32	port to maven-artifact-transfer 0.11.0
maven-shade-plugin	3.2.1	2.fc32	port to maven-artifact-transfer 0.11.0
maven-enforcer	3.0.0~M2	1.fc32	port to maven-artifact-transfer 0.11.0
maven-resolver	1.4.1	1.fc32	1.3.3 → 1.4.1
maven-assembly-plugin	3.2.0	1.fc32	3.1.1 → 3.2.0
maven-javadoc-plugin	3.1.1	2.fc32	non-bootstrap build with JavaDocs

removing some unnecessary dependencies from our packages:

package	version	release	changes
jmock	2.8.2	9.fc32	drop unnecessary dependency on parent POM
paranamer	2.8	11.fc32	drop unnecessary dependency on parent POM
google-gson	2.8.6	2.fc32	drop unnecessary dependency on parent POM
apache-ivy	2.4.0	19.fc32	remove unnecessary dependencies on parent POMs
netty	4.1.13	13.fc32	remove unnecessary dependency on parent POM
relaxngDatatype	2011.1	11.fc32	remove unnecessary dependency on parent POM
lzma-java	1.3	8.fc32	remove unnecessary dependency on parent POM
os-maven-plugin	1.2.3	13.fc32	remove unnecessary dependency on parent POM
qdox	2.0~M9	7.fc32	remove unnecessary dependency on parent POM
sisu-mojos	0.3.4	2.fc32	remove unnecessary dependency on parent POM
replacer	1.6	12.fc32	remove unnecessary dependency on parent POM
maven	3.6.1	3.fc32	require correct version of guava
plexus-build-api	0.0.7	26.fc32	remove unnecessary dependency on parent POM

and another two version updates:

package	version	release	changes
glassfish-fastinfoset	1.2.15	1.fc32	1.2.13 → 1.2.15
beust-jcommander	1.78	1.fc32	1.71 → 1.78