Stewardship SIG Report (September 2019)
The month of September was a bit quieter regarding the activity of the Stewardship SIG, though we again managed to push some important changes and updates, both to reduce the number of packages we possibly need to maintain, and to bring the whole stack into better shape and more up-to-date again.
We removed some unused functionality from our packages, which let us trim the
dependency tree some more. Notably, by dropping the direct dependency of
logback, our packages no longer require Groovy or Gradle, not
The support for Markdown in the
doxia maven modules was also removed in
preparation for version updates, which would introduce not-yet-packaged
dependencies for the Markdown support anyway.
The unused support for
memoryfilesystem was removed from assertj-core to
further reduce the number of packages we need to maintain.

| Package | Version | Release | Change |
|---|---|---|---|
| maven | 3.5.4 | 12.fc32, 12.fc31 | remove dependency on logback |
| maven-doxia-sitetools | 1.7.5 | 6.fc32 | disable markdown support |
| maven-doxia | 1.7 | 12.fc32 | disable itext support |
| assertj-core | 3.8.0 | 6.fc32 | drop memoryfilesystem dependency |

We also worked on getting updates for Jackson out fast, since some security
issues in jackson-databind were recently published
(CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
CVE-2019-14439). These have all been fixed with the 22.214.171.124 release of
jackson-databind, which required updating its sister projects to 2.9.9 as well.

| Package | Version | Release | Change |
|---|---|---|---|
| jackson-bom | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-annotations | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-core | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-databind | 126.96.36.199 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 188.8.131.52 |

We also managed to finally update some packages related to
their latest versions, which required a coordinated update to
maven-invoker-plugin, and a patch to port
xmvn to these new versions.

| Package | Version | Release | Change |
|---|---|---|---|
| maven-invoker | 3.0.1 | 1.fc32 | 2.2 → 3.0.1 |
| maven-invoker-plugin | 3.2.0 | 1.fc32 | 1.10 → 3.2.0 |
| xmvn | 3.0.0 | 27.fc32 | port to maven-invoker 3.0.1 |

Recently, the old Felix OSGi implementation was retired from Fedora, in favor of OSGi Core 7.0.0, and all packages using the old Felix implementation needed to migrate. With some help from Mat Booth, I pushed the necessary changes to all our packages (and some others as well, not listed below).

| Package | Version | Release | Change |
|---|---|---|---|
| apache-commons-compress | 1.18 | 7.fc32 | migrate to osgi-core |
| snappy-java | 184.108.40.206 | 13.fc32 | migrate to osgi-core |
| xbean | 4.14 | 2.fc32 | migrate to osgi-core |
| woodstox-core | 6.0.1 | 2.fc32 | 5.2.1 → 6.0.1 and migrate to OSGi 7 |

Last, we were able to update both maven-doxia and maven-doxia-sitetools to
their latest versions. As mentioned above, this meant disabling the (unused)
support for Markdown, since the library that’s used for Markdown support was
pegdown (which was packaged for Fedora) to
isn’t available in Fedora.

| Package | Version | Release | Change |
|---|---|---|---|
| maven-doxia | 1.9 | 1.fc32 | 1.7 → 1.9 |
| maven-doxia-sitetools | 1.9.1 | 1.fc32 | 1.7.5 → 1.9.1 |