
Re: Status of axis in debian

From Pierre Gruet <pgt@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: Status of axis in debian
Date 2024-07-14 15:20 +0200
Message-ID <J07iV-23kU-1@gated-at.bofh.it> (permalink)
References <IYG1r-18Vq-7@gated-at.bofh.it> <IYG1r-18Vq-5@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hi all,

On 10/07/2024 at 15:52, Santiago Ruano Rincón wrote:
> (Resending to the correct address list; sorry for the noise)
> 
> On 10/07/24 at 10:41, Santiago Ruano Rincón wrote:
>> Dear Java packaging team,
>>
>> (Please CC: me when replying, I am not subscribed to the list)
>>
>> According to the Apache advisory of CVE-2023-51441, axis 1.x has been
>> EOL'ed upstream:
>>
>> https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd
>>
>> According to the comment by grid on #debian-security, I understand it is
>> on life support upstream, and there have been fixes for CVEs the last
>> years, including at least one not-unimportant. However, from the above
>> mentioned advisory, upstream recommends to migrate to a "different SOAP
>> engine, such as Apache Axis 2/Java."
>>
>> On sid, this is the current list of build dependencies of libaxis-java:
>>
>> jalview
>> jets3t
>> jglobus
>> starjava-datanode
>> starjava-dpac
>> starjava-topcat
>> starjava-ttools
>> starjava-vo
>> starjava-votable
>> uimaj
>>
>> So my mail is just to start any discussion to see if it would be
>> appropriate to file bugs on the reverse dependencies, to ask the
>> maintainers if they could study how feasible it is to migrate to another
>> SOAP engine.
>>
>> Any thoughts?

Thanks for raising this issue. My first feeling is filing these bug 
reports is sensible, unconditionally.

But also I wonder if we have some reasonable alternative to suggest in 
these bug reports:
- axis2 is unpackaged (could be) and its latest release is 2 years (+ 1 
day) old;
- saaj and jaxws: I can't say if they can provide an alternative to what 
axis does. Perhaps some people there have an opinion?
- Apache CXF, unpackaged as of now but seems to be actively maintained?
- something else?

Do others in the team have some ideas?

>>
>> Cheers,
>>
>>   -- Santiago
> 
> 

Best,

-- 
Pierre



Thread

Status of axis in debian Santiago Ruano Rincón <santiagorr@riseup.net> - 2024-07-10 16:00 +0200
  Re: Status of axis in debian Pierre Gruet <pgt@debian.org> - 2024-07-14 15:20 +0200
