[wildfly-dev] Removal of commons-cli, commons-lang and commons-lang3 modules

Fernando Nasser fnasser at redhat.com
Wed Apr 3 10:36:26 EDT 2019


On 2019-04-03 4:43 a.m., Darran Lofthouse wrote:
> +1 the tool is a shaded jar so should not need to depend on another
> module.
>
> We may want to look at shading again but that would be a different topic.


Indeed. 

Who monitors/detects the shaded code does not contain a CVE and fix it
if it does?

Are the people who "shaded" it responsible for supporting/maintaining
that code?


>
> On Tue, Apr 2, 2019 at 10:13 PM James Perkins <jperkins at redhat.com
> <mailto:jperkins at redhat.com>> wrote:
>
>     I believe the org.wildfly.security:wildfly-elytron-tool does use
>     org.apache.commons.lang3. However IIRC it's now shaded in so
>     likely not an issue. That could be why it was originally there.
>
>     On Tue, Apr 2, 2019 at 12:34 PM Brian Stansberry
>     <brian.stansberry at redhat.com <mailto:brian.stansberry at redhat.com>>
>     wrote:
>
>         Currently WildFly includes 3 JBoss Modules modules that are
>         not used in our runtime. I would like to remove these in
>         WildFly 17:
>
>         org.apache.commons.cli
>         org.apache.commons.lang[1]
>         org.apache.commons.lang3
>
>         All three have the "jboss.api" = "private" property set in
>         their module.xml, meaning they are marked for internal use
>         only and we are free to remove them. End user applications
>         should not have referenced these modules, and if they do we
>         log a WARN on boot advising not to do that.
>
>         However, other projects that extend WildFly (i.e. write their
>         own subsystems) may be using these modules, so I wanted to
>         notify any such folks that these will likely be going away and
>         you'll need to provide these yourselves.ed.
>
>         Best regards,
>         Brian
>
>         [1] This one is referenced in a commented out module.xml
>         section related to My Faces 1.1 support. I've checked with
>         Farah Juma and that is no longer relevant and the comment can
>         be removed.
>
>         _______________________________________________
>         wildfly-dev mailing list
>         wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>         https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
>
>     -- 
>     James R. Perkins
>     JBoss by Red Hat
>     _______________________________________________
>     wildfly-dev mailing list
>     wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
> _______________________________________________
> wildfly-dev mailing list
> wildfly-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/wildfly-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20190403/e6fc1c40/attachment.html 


More information about the wildfly-dev mailing list