The month of September was a bit more quiet regarding the activity of the Stewardship SIG, though we again managed to push some important changes and updates, both to reduce the number of packages we possibly need to maintain, and to bring the whole stack into better shape and more up-to-date again.

We removed some unused functionality from our packages, which let us trim the dependency tree some more. Notably, by dropping the direct dependency of Maven on logback, our packages no longer require Groovy or Gradle, not even transitively.

The support for Markdown in the doxia maven modules was also removed in preparation for version updates, which would introduce not-yet-packaged dependencies for the Markdown support anyway.

The unused support for memoryfilesystem was removed from assertj-core to further reduce the number of packages we need to maintain.

package version release changes
maven 3.5.4 12.fc32, 12.fc31 remove dependency on logback
maven-doxia-sitetools 1.7.5 6.fc32 disable markdown support
maven-doxia 1.7 12.fc32 disable itext support
assertj-core 3.8.0 6.fc32 drop memoryfilesystem dependency

We also worked on getting updates for Jackson out fast, since some security vulnerabilities for jackson-databind were recently published (CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439). These have all been fixed with the release of jackson-databind, which required updating its sister projects to 2.9.9 as well.

package version release changes
jackson-bom 2.9.9 1.fc32, 1.fc31, 1.fc30, 1.fc29 2.9.8 → 2.9.9
jackson-annotations 2.9.9 1.fc32, 1.fc31, 1.fc30, 1.fc29 2.9.8 → 2.9.9
jackson-core 2.9.9 1.fc32, 1.fc31, 1.fc30, 1.fc29 2.9.8 → 2.9.9
jackson-databind 1.fc32, 1.fc31, 1.fc30, 1.fc29 2.9.8 →

We also managed to finally update some packages related to maven-invoker to their latest versions, which required a coordinated update to maven-invoker, maven-invoker-plugin, and a patch to port xmvn to these new versions.

package version release changes
maven-invoker 3.0.1 1.fc32 2.2 → 3.0.1
maven-invoker-plugin 3.2.0 1.fc32 1.10 → 3.2.0
xmvn 3.0.0 27.fc32 port to maven-invoker 3.0.1

Recently, the old Felix OSGi implementation was retired from fedora, in favor of OSGi Core 7.0.0, and all packages using the old Felix implementation needed to migrate. With some help from Mat Booth I pushed the necessary changes to all our packages (and some others as well, not listed below).

package version release changes
apache-commons-compress 1.18 7.fc32 migrate to osgi-core
snappy-java 13.fc32 migrate to osgi-core
xbean 4.14 2.fc32 migrate to osgi-core
woodstox-core 6.0.1 2.fc32 5.2.1 → 6.0.1 and migrate to OSGi 7

Last, we were able to update both maven-doxia and maven-doxia-sitetools to their latest versions. As mentioned above, this meant disabling the (unused) support for Markdown, since the library that’s used for Markdown support was changed from pegdown (which was packaged for fedora) to flexmark, which isn’t available in fedora.

package version release changes
maven-doxia 1.9 1.fc32 1.7 → 1.9
maven-doxia-sitetools 1.9.1 1.fc32 1.7.5 → 1.9.1