Stewardship SIG Report (September 2019)
The month of September was a bit more quiet regarding the activity of the Stewardship SIG, though we again managed to push some important changes and updates, both to reduce the number of packages we possibly need to maintain, and to bring the whole stack into better shape and more up-to-date again.
We removed some unused functionality from our packages, which let us trim the
dependency tree some more. Notably, by dropping the direct dependency of
Maven on logback, our packages no longer require Groovy or Gradle, not
even transitively.
The support for Markdown in the doxia maven modules was also removed in
preparation for version updates, which would introduce not-yet-packaged
dependencies for the Markdown support anyway.
The unused support for memoryfilesystem was removed from assertj-core to
further reduce the number of packages we need to maintain.
| package | version | release | changes |
|---|---|---|---|
| maven | 3.5.4 | 12.fc32, 12.fc31 | remove dependency on logback |
| maven-doxia-sitetools | 1.7.5 | 6.fc32 | disable markdown support |
| maven-doxia | 1.7 | 12.fc32 | disable itext support |
| assertj-core | 3.8.0 | 6.fc32 | drop memoryfilesystem dependency |
We also worked on getting updates for Jackson out fast, since some security
vulnerabilities for jackson-databind were recently published
(CVE-2019-12086, CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
CVE-2019-14439). These have all been fixed with the 2.9.9.3 release of
jackson-databind, which required updating its sister projects to 2.9.9 as
well.
| package | version | release | changes |
|---|---|---|---|
| jackson-bom | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-annotations | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-core | 2.9.9 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9 |
| jackson-databind | 2.9.9.3 | 1.fc32, 1.fc31, 1.fc30, 1.fc29 | 2.9.8 → 2.9.9.3 |
We also managed to finally update some packages related to maven-invoker to
their latest versions, which required a coordinated update to maven-invoker,
maven-invoker-plugin, and a patch to port xmvn to these new versions.
| package | version | release | changes |
|---|---|---|---|
| maven-invoker | 3.0.1 | 1.fc32 | 2.2 → 3.0.1 |
| maven-invoker-plugin | 3.2.0 | 1.fc32 | 1.10 → 3.2.0 |
| xmvn | 3.0.0 | 27.fc32 | port to maven-invoker 3.0.1 |
Recently, the old Felix OSGi implementation was retired from fedora, in favor of OSGi Core 7.0.0, and all packages using the old Felix implementation needed to migrate. With some help from Mat Booth I pushed the necessary changes to all our packages (and some others as well, not listed below).
| package | version | release | changes |
|---|---|---|---|
| apache-commons-compress | 1.18 | 7.fc32 | migrate to osgi-core |
| snappy-java | 1.1.2.4 | 13.fc32 | migrate to osgi-core |
| xbean | 4.14 | 2.fc32 | migrate to osgi-core |
| woodstox-core | 6.0.1 | 2.fc32 | 5.2.1 → 6.0.1 and migrate to OSGi 7 |
Last, we were able to update both maven-doxia and maven-doxia-sitetools to
their latest versions. As mentioned above, this meant disabling the (unused)
support for Markdown, since the library that’s used for Markdown support was
changed from pegdown (which was packaged for fedora) to flexmark, which
isn’t available in fedora.
| package | version | release | changes |
|---|---|---|---|
| maven-doxia | 1.9 | 1.fc32 | 1.7 → 1.9 |
| maven-doxia-sitetools | 1.9.1 | 1.fc32 | 1.7.5 → 1.9.1 |