Confidence in a 2.0.0 release?


Michael Zamani

May 22, 2019, 11:14:45 AM
to dropwizard-dev
I'm curious if you all have a rough idea of how close we are to being comfortable creating a 2.0.0 release, and if there's anything we can do at Apple to help build confidence, if there's a need for that?

I'm not sure if there's already discussion around this, or a rough timeline you all already have in mind, but if we can help by upgrading some of our apps and looking for issues (at least in our non-prod environments), I can maybe dedicate some resources to doing that.

Nicholas Babcock

Jun 7, 2019, 3:50:52 PM
to dropwizard-dev
I agree that I'd rather see a 2.0.0 release sooner rather than later. Sounds like others have completed migrations to 2.0rc and there have been no red flags.

joschen / artem, is there anything else that needs to be done?

Jochen Schalanda

Jun 11, 2019, 1:46:23 PM
to dropwiz...@googlegroups.com
Hi,

I'd love to address the 4 remaining issues/PRs in the 2.0.0 milestone (https://github.com/dropwizard/dropwizard/milestone/18) and change the documentation to ReadTheDocs (https://dropwizard.readthedocs.io/en/latest/) before a GA release.

For the issues in the 2.0.0 milestone, any help is appreciated. ;-)

Regarding the new documentation, we'll need some help from the fine folks of Rent the Runway who sponsor the domain dropwizard.io for us and would need to change the CNAME RR for that domain.

Cheers,
Jochen

Michael Zamani

Jun 13, 2019, 7:33:34 PM
to dropwizard-dev
Happy to help usher along https://github.com/dropwizard/dropwizard/pull/2795 and maybe I can find some time this weekend to take a crack at https://github.com/dropwizard/dropwizard/issues/2736 if nobody beats me to it.

> Regarding the new documentation, we'll need some help from the fine folks of Rent the Runway who sponsor the domain dropwizard.io for us and would need to change the CNAME RR for that domain.
Do you guys have a means of reaching out to them?  

Jochen Schalanda

Jun 16, 2019, 5:42:45 AM
to dropwiz...@googlegroups.com
Hi everyone,

We're now down to only 1 open issue in the 2.0.0 milestone: "Update conscrypt documentation #2736"


Thanks for the help!

I would publish Dropwizard 2.0.0-rc3 as the (hopefully) last release candidate and if there are no regressions, we're ready to go.


> Do you guys have a means of reaching out to them?

Yes, we're already in contact with the responsible people at Rent the Runway. :-)


Cheers,
Jochen

--
You received this message because you are subscribed to the Google Groups "dropwizard-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dropwizard-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dropwizard-dev/e9ad011f-a9ba-4afb-8fb3-b76d5ffcf57d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Natan Abolafya

Jun 17, 2019, 10:49:41 AM
to dropwizard-dev
Hi,

Running OWASP dependency-check on Dropwizard 2.0.0-rc3 reports this (among some Liquibase ones for jQuery and Bootstrap, but those have been around forever so we ignore them):

logback-throttling-appender-1.0.1.jar (pkg:maven/io.dropwizard.logback/logback-throt...@1.0.1, cpe:2.3:a:logback:logback:1.0.1:*:*:*:*:*:*:*) : CVE-2017-5929

Is that something to be worried about?

Natan

Jochen Schalanda

Jun 18, 2019, 6:07:01 PM
to dropwiz...@googlegroups.com
Hi,

> logback-throttling-appender-1.0.1.jar (pkg:maven/io.dropwizard.logback/logback-throt...@1.0.1, cpe:2.3:a:logback:logback:1.0.1:*:*:*:*:*:*:*) : CVE-2017-5929
>
> Is that something to be worried about?

That's a false positive. That project only exists since 2019.

I think the OWASP dependency plugin at this point causes more problems than it solves, so maybe we'll remove it again. What do the rest of the developers think?

Cheers,
Jochen

Matt Nelson

Jun 18, 2019, 7:16:16 PM
to dropwizard-dev
I think it depends if it is OWASP causing problems or the NVD source. In this case the regex on the source is too open.

Alternatively, with Dropwizard using Dependabot, even if a new CVE is reported, the project is likely already on the latest, so there is nothing to be done but wait for the upstream resolution.
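
For readers triaging the same report: one way to record the false positive discussed above is a dependency-check suppression file. This is an added example, not part of the thread or of Dropwizard's own build configuration; the file-name regex is an assumption based on the JAR name shown in the report, and the CPE is the report's identifier written in the 2.2 form that suppression files use.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: OWASP dependency-check suppression file (not Dropwizard's own config). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      Reported on dropwizard-dev as a false positive: the scanner identified
      logback-throttling-appender-1.0.1.jar as logback:logback 1.0.1 and
      attached CVE-2017-5929 to it.
    ]]></notes>
    <!-- Scope the rule to this one artifact by file name (assumed pattern),
         so nothing else in the dependency tree is affected. -->
    <filePath regex="true">.*\blogback-throttling-appender-.*\.jar</filePath>
    <!-- Suppress the mistaken CPE identification for this file only.
         Other JARs that match cpe:/a:logback:logback are still reported. -->
    <cpe>cpe:/a:logback:logback</cpe>
  </suppress>
</suppressions>
```

Scoping the rule with `filePath` keeps the scanner's findings for every other dependency intact, which is the narrower alternative to removing the plugin from the build.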

Nicholas Babcock

Aug 2, 2019, 11:49:21 AM
to dropwizard-dev
The 2.0.0 milestone is reading 100% complete, so let's either look to wrap this up or assign more issues to the milestone :)

Stephen Souness

Aug 5, 2019, 9:15:17 AM
to dropwizard-dev
I'd be keen to see a 2.0.0 release, as I see that the 1.3 branch has a release that addresses a CVE.

I have a small handful of services in production handling a fair volume of traffic on 2.0.0-rc4 and haven't encountered any upgrade related issues.


--
Stephen

Michael Zamani

Aug 5, 2019, 12:20:54 PM
to dropwizard-dev
+1. Also eager to see a 2.0.0 release. It's one of the dependencies preventing us from getting full JDK 11 compatibility in some of our apps (due to the Hibernate and Jersey deps).

Sadique Ali Koothumadan

Aug 23, 2019, 12:27:03 AM
to dropwizard-dev
My team is also waiting for a 2.0.0 release so that we can migrate to JDK 11. Is there anything else holding up the release?

Thank you for all the work that went into 2.0.0.

- Sadique Ali

Stephen Souness

Sep 30, 2019, 3:25:29 PM
to dropwizard-dev
Hi all.

I'm no longer actively working on projects involving Dropwizard, but am interested in seeing a 2.0.0 release.

Are there any technical blockers for this, or is it more a matter of appropriate people having the time?

--
Stephen

Jochen Schalanda

Sep 30, 2019, 4:14:20 PM
to dropwiz...@googlegroups.com
Hi Stephen,

right now we're waiting on the Jackson 2.10.0 release but we're blocked with this until the checksum issue with the artifacts has been resolved, see https://github.com/dropwizard/dropwizard/pull/2944 for details.

After that we're pretty much good to go.

If you want to help bring Dropwizard 2.0.0 out the door, feel free to contribute to any issue in the 2.0.0 milestone: https://github.com/dropwizard/dropwizard/milestone/18 :-)

Best regards,
Jochen


Ryan Kennedy

Oct 1, 2019, 2:43:29 PM
to dropwiz...@googlegroups.com
On Mon, Sep 30, 2019 at 1:14 PM Jochen Schalanda <joc...@schalanda.name> wrote:
> right now we're waiting on the Jackson 2.10.0 release but we're blocked with this until the checksum issue with the artifacts has been resolved, see https://github.com/dropwizard/dropwizard/pull/2944 for details.

It looks like the underlying issue with Sonatype has been resolved:

Ryan