Hi Everyone,
Regarding the README and the "Special note regarding Spring Boot
3...", I think it's about time to shit or get off the pot. The issue
has been discussed enough. You are now into diminishing returns.
Here's how I would handle it. I follow the three C's: Complaint,
Cause, Correction.
* The Complaint is: ESAPI 2.5.x is not compatible with Spring Boot 3,
Spring 6, Tomcat 10, the latest version of Jetty, etc.
* The Cause is: Package namespaces changed, and ESAPI 2.5.x uses the
old namespaces. ESAPI does not want to drop support for existing
installations.
* The Correction is: Run the conversion script to fix the namespace
and class references.
I would then provide a Unix shell script that uses sed and awk to fix
the namespace and class references. Or you could provide a patch as a
diff, but it is less robust since the source code is going to slowly
change over time.
Once you give users a path forward, you won't have to worry about,
"Therefore PLEASE STOP sending us emails and/or creating GitHub issues
regarding this!" Until you give users the Correction, it is going to
fill up your mailing list and bug tracker.
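The conversion script proposed in the message above could look like the following. It is an added example, not code from the ESAPI project or from the message's author. It assumes the incompatibility is the Jakarta EE rename of `javax.*` packages to `jakarta.*`; the function names and the `MOVED_PKGS` list are hypothetical and would need extending for a real code base.

```shell
#!/bin/sh
# Added example (not ESAPI project code): javax -> jakarta source conversion.
# Assumption: only the packages listed in MOVED_PKGS moved to the jakarta
# namespace. JDK packages such as javax.crypto or javax.net.ssl did not move
# and must stay untouched, so a blanket "s/javax/jakarta/" would break the build.
MOVED_PKGS='servlet|el'

# Match javax.<pkg> only as a whole package prefix: not preceded by an
# identifier character or a dot, and followed by '.' or ';'.
PATTERN="(^|[^A-Za-z0-9_.])javax\.(${MOVED_PKGS})([.;])"

convert_file() {
    # $1 = path to one .java file; rewritten only if the content changes
    src=$1
    tmp=$(mktemp) || return 1
    if ! sed -E "s/${PATTERN}/\1jakarta.\2\3/g" "$src" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if cmp -s "$src" "$tmp"; then
        rm -f "$tmp"                 # nothing to convert in this file
    else
        cat "$tmp" > "$src"          # overwrite content, keep mode and owner
        rm -f "$tmp"
        echo "converted: $src"
    fi
}

convert_tree() {
    # $1 = source root; converts every .java file below it
    find "$1" -type f -name '*.java' | while IFS= read -r f; do
        convert_file "$f"
    done
}

count_remaining() {
    # $1 = source root; prints how many lines still reference a moved package
    find "$1" -type f -name '*.java' \
        -exec grep -En "javax\.(${MOVED_PKGS})[.;]" {} + | wc -l | tr -d ' '
}

# Stand-alone use: sh convert.sh path/to/src
if [ "$#" -ge 1 ]; then
    convert_tree "$1"
    echo "remaining references: $(count_remaining "$1")"
fi
```

Run it on a clean checkout so the resulting diff can be reviewed before building.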
[...]
One alternative is to deliver an uber jar for the Jakarta version of ESAPI, which would include all the direct and transitive dependencies and not just the ESAPI byte code. That's what the Maven 'shade' plugin (org.apache.maven.plugins:maven-shade-plugin) is supposed to do. But it seems to me, if that is the solution every ones, then it's better for the client applications using ESAPI to do that themselves so they can have control over what version dependencies get baked in (since excluding some dependencies and telling Maven to use different problem really doesn't work with uber jars). That's one of the major problems with them.
On Jun 19, 2023, at 18:03, Kevin W. Wall <kevin....@gmail.com> wrote: