[wildfly-dev] Removal of commons-cli, commons-lang and commons-lang3 modules
Fernando Nasser
fnasser at redhat.com
Wed Apr 3 11:03:43 EDT 2019
On 2019-04-03 10:51 a.m., Darran Lofthouse wrote:
> Certainly a topic for the future.
It is more like a "Back to the Future" case ;-)
We discuss this, get rid of all shaded code, then we gradually forget
and the cycle starts again.
>
> On Wed, Apr 3, 2019 at 3:36 PM Fernando Nasser <fnasser at redhat.com
> <mailto:fnasser at redhat.com>> wrote:
>
> On 2019-04-03 4:43 a.m., Darran Lofthouse wrote:
>> +1 the tool is a shaded jar so should not need to depend on
>> another module.
>>
>> We may want to look at shading again but that would be a
>> different topic.
>
>
> Indeed.
>
> Who monitors/detects the shaded code does not contain a CVE and
> fix it if it does?
>
> Are the people who "shaded" it responsible for
> supporting/maintaining that code?
>
>
>>
>> On Tue, Apr 2, 2019 at 10:13 PM James Perkins
>> <jperkins at redhat.com <mailto:jperkins at redhat.com>> wrote:
>>
>> I believe the org.wildfly.security:wildfly-elytron-tool does
>> use org.apache.commons.lang3. However IIRC it's now shaded in
>> so likely not an issue. That could be why it was originally
>> there.
>>
>> On Tue, Apr 2, 2019 at 12:34 PM Brian Stansberry
>> <brian.stansberry at redhat.com
>> <mailto:brian.stansberry at redhat.com>> wrote:
>>
>> Currently WildFly includes 3 JBoss Modules modules that
>> are not used in our runtime. I would like to remove these
>> in WildFly 17:
>>
>> org.apache.commons.cli
>> org.apache.commons.lang[1]
>> org.apache.commons.lang3
>>
>> All three have the "jboss.api" = "private" property set
>> in their module.xml, meaning they are marked for internal
>> use only and we are free to remove them. End user
>> applications should not have referenced these modules,
>> and if they do we log a WARN on boot advising not to do that.
>>
>> However, other projects that extend WildFly (i.e. write
>> their own subsystems) may be using these modules, so I
>> wanted to notify any such folks that these will likely be
>> going away and you'll need to provide these yourselves.ed.
>>
>> Best regards,
>> Brian
>>
>> [1] This one is referenced in a commented out module.xml
>> section related to My Faces 1.1 support. I've checked
>> with Farah Juma and that is no longer relevant and the
>> comment can be removed.
>>
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org
>> <mailto:wildfly-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>>
>>
>> --
>> James R. Perkins
>> JBoss by Red Hat
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>>
>>
>> _______________________________________________
>> wildfly-dev mailing list
>> wildfly-dev at lists.jboss.org <mailto:wildfly-dev at lists.jboss.org>
>> https://lists.jboss.org/mailman/listinfo/wildfly-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/wildfly-dev/attachments/20190403/49bd2338/attachment-0001.html
More information about the wildfly-dev
mailing list