Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #12789

Re: Status of axis in debian

Path csiph.com!weretis.net!feeder8.news.weretis.net!fu-berlin.de!bofh.it!news.nic.it!robomod
From Pierre Gruet <pgt@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: Status of axis in debian
Date Sun, 14 Jul 2024 15:20:01 +0200
Message-ID <J07iV-23kU-1@gated-at.bofh.it> (permalink)
References <IYG1r-18Vq-7@gated-at.bofh.it> <IYG1r-18Vq-5@gated-at.bofh.it>
X-Original-To debian-java@lists.debian.org
X-Mailbox-Line From debian-java-request@lists.debian.org Sun Jul 14 13:13:02 2024
Old-Return-Path <pgt@debian.org>
X-Amavis-Spam-Status No, score=-11.88 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, FOURLA=0.1, FVGT_m_MULTI_ODD=0.02, LDO_WHITELIST=-5, PGPSIGNATURE=-5, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
X-Policyd-Weight NOT_IN_SBL_XBL_SPAMHAUS=-1.5 CL_IP_EQ_HELO_IP=-2 (check from: .debian. - helo: .smtp6-g21.free. - helo-domain: .free.) FROM/MX_MATCHES_NOT_HELO(DOMAIN)=0; rate: -3.5
MIME-Version 1.0
User-Agent Mozilla Thunderbird
Content-Language fr-FR
Autocrypt addr=pgt@debian.org; keydata= xsFNBF4xnGMBEADRfhEoSKO4o2yYTaJZwnfgSxlsljKjMRiF3b50ZhasJjkg27X4GBNYteNr TmVZBMNR2EzutcVBd8G6RJSJDzE+3J+kfd7jz+TVMb0YEp8MV9DZq4wg8uJijmh5z9N3r70S UXyLI3HdKcl3JumyfFjD4sdZ64+j8sZy544ECxYfSNqPojl+20scEw5DOQbc2s58QbwuRcpB vDYEFEZa5h8vevoLvOjon4KjubY2ZPloVatPCgW5OmKP2au/usI3f9tgNRcXvaBz9NVwkd6J qPlJovSJ4pDsLCOv02zOiR+OiwYFrxo5iKTVcnKA8YvBhJtjFwT/RTZiOopLe81WnEMq2IqU 5skdUBmdHQvKVFYybKztj6m3EgE/DVR4zyyJQmuTeJOQeoF6rnHG5DPP3Odk6yHF1nWIVsSh QSAnN/k+LBFLKrn1q2MU37puH7Z9CGAlkQ+e7o7DNiULG8JYqaACrgNogNtjphEmfNpmLXib mFcx8M6RAs5k1E7Okh+UEKtoqxUesNd5g6EBO6X/YbLBwKBo41EiGB+bmvSNCgqJO7SERRH5 R62wpxntdVYgjQumFZTYqn6p4749dpul/5qXZAS3VmCd8DJ1IWZMfIOscTO3ln1Awcwoba2p YGpLAXDwvg1r67wZ2mxc+QhavC7RXNG5Vyqf7uReQYKJZTsfJQARAQABzR1QaWVycmUgR3J1 ZXQgPHBndEBkZWJpYW4ub3JnPsLBlAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIX gBYhBMY9u+8hQnziSdvZawYSEpRGR6QRBQJlQ9uqBQkLS01BAAoJEAYSEpRGR6QRRAoP/0cd a2I/JqWAF+iMPW5+p3rALqoIw9WtIc8WLugY344Cz5WRiti0j9cxeON37HaXvQUyf2LVKFzM haX5n1DzXwillCdGm/XePxY0+bNqFAjli2oslfKHO4T1RLGnHnGjROhStWDRhWgSk+7UCHZU 6g0yrWjLUWwVVjhXItDWjGXJrQQb5nuwITvQ3/l8DD7VrEFXhA+cKeWVhI3Z9ciZIy9WFACf j95efDg6rYIklskg6/Z7M7O0Ft3IT823micLYwOQohStPmh+8EmSBMdhSOFKuRZg+GwvY4W3 oxbGl+XOOvrgJW5KP5Vwi1v2zEvWtO9syzzJNEG9WXv66HXFqbV4OcbnEnEuFwpQNPj3SSmO k/xAv+YW8X5KGDXfjoGfa8dlik7KiX8kNIgla6qAyMDZ6yDXw8wyFpBE/V5t1zIoLK6ot6Py /49jlCRmxiGladDav2Tqc9CbYeiF/DitkVl278u3lJ0IllCCGTDZa8s3syLPVcTYbVTj6kbZ T/MNyr54lqXbttbtMvROr6v5XkNYEN7AnkLUXku00POrGd7Smx5nBdDN1vzFJ/mfQXI9SZVZ yPfWNNm7Wate0s2n5zfH+TqTWRKG1fIstpsFi4TW0r784JnrxnIuj2HB5h0iOozc68S2VwAY hqMYjh/VvM5EuDZoSNrxd0MzC/P7oi+FzsFNBF4xnGMBEAC3bpU2vhBynAgRyEEfvZ/Q1bCj vOfb3XUtwilQ+dMjfJreIY+Vl6FIKKixZuxUtHlqMx+Qt5trna9qhSOtol4nPcB20jwwX0+y qkprHpL5746ZC/pQgq4iL64F13LkaBJbvgiP3mI4P+hjOGjEKjhzsFgzcisKDuX5Y5Nbs2yz s8eeP5vHB/rLQdFiRjMkuhM4EWOxWxAbreF9NYFdisCJG//48JlP1tNgQGrpsYQOq80IJzCf RHIAy08FRgcTEnOUXGdJnG4hgH+neob3PEfaWUgNAYbe9klB63Dk/8QsT6HOC1Fr7+M+8ahX x+Ia2WNwwzbOzavikNTHp1DMA4m8H65LcqGsPGtMKrXPNW65oocPNNtP/AaFboTFSe1F7OiH MeSffDgNdHOZ+PGj37pksvo2iZQQDngJsydmEFWSieTiGC0JfPP/4pAavTmZgbrsGunB6hyu X7mUlxUJ1+t+GpZsaEmR3rJ6T6XmTOpccHRnMk6V+LyWEHaDJv/jsi4sWSlRvJStaXiNvPMu 9vK3ipcOK7iuf53hqKvTBMVKoPxoDvxgVhbxNAZ6GakctERw0hpwZ4jY2Ag2UUvfkMYRj4kQ EzhFmBPGVTRKCzD3kCt5Ez8PUyfQP2KfFyirQ1fQYPY1ravZ7V3QrmovxJaIGq5/o+oCzJeE R/AhWnQegwARAQABwsF8BBgBCgAmAhsMFiEExj277yFCfOJJ29lrBhISlEZHpBEFAmVD28MF CQtLTWAACgkQBhISlEZHpBFgMA/7BfE4gr8tyYrv7Ckguw/RPsQZyrlRdSZB2rH4NKSo+G+4 R4Eh3/bLlQkp0QW4a28u0akp3OubBCHT2KbIYcBP9A33MWmr4oCjaVs71NrogBdi0Po8bLmC msoeWbZHwcHdGzHwT1Hlgkt6vdY0nj6yeydKWa4WknfIlY/CyHLd83xjCQW6xTetM56JOCIQ O9TLKfw2bNN88P9hqCcoNqE8MsZN+UQFK04s+un73h5D0m/URc37tWlmo5YWfzPcXtf+0Li3 i6JwXB1fv6Z4QjhdkZZr6y/JktRfQ9tuSz6BxCLHrqrnt0twY6tzqheqKvYtj+lk+sw2aih/ +G74xTkIhaQlOm1iWf2ASgpVxT+Go8VMifZKulj8TdqjMi9Ug9v4AvQbO3sFW8fQ9ePOb0jF x4AVJB/09RdgEN2tn1O2OYKeKTAT3x6iqdX4AP+kLFS94Gf1SZY8u+IojFrx2uSRhZDiiMBQ iBZb5cC5VdQTH1SURuVptOGUGJd8g9+uoM7W1euQZW7Hg8TKALyP2YEAEghXq4NuD8mjToT+ 2RmGl0pcrv14ARuxBodICHy5HW1NXXPNMr9T0U283vIYwwk93TBFtCEHY055u+9N4SjLWfNY 6TVcBRqX4CmbmfbyLjToQcWXN2K6xj0bZWEZ8bjLlVPA0XFRWrwfSlcRqkJMJPA=
Content-Type multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------E360jnBMr8SO002IXsfB70MY"
X-Mailing-List <debian-java@lists.debian.org> archive/latest/23484
List-ID <debian-java.lists.debian.org>
List-URL <https://lists.debian.org/debian-java/>
List-Archive https://lists.debian.org/msgid-search/424e8265-defc-4bd8-aa41-0a8bcb426fde@debian.org
Approved robomod@news.nic.it
Lines 79
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Cc Santiago Ruano Rincón <santiagorr@riseup.net>
X-Original-Date Sun, 14 Jul 2024 15:12:37 +0200
X-Original-Message-ID <424e8265-defc-4bd8-aa41-0a8bcb426fde@debian.org>
X-Original-References <Zo6PfdEgCFKDBJFY@voleno> <Zo6SEn5B8qyz4Max@voleno>
Xref csiph.com linux.debian.maint.java:12789

Show key headers only | View raw

[Multipart message — attachments visible in raw view] - view raw

Hi all,

Le 10/07/2024 à 15:52, Santiago Ruano Rincón a écrit :
> (Resending to the correct address list; sorry for the noise)
> 
> El 10/07/24 a las 10:41, Santiago Ruano Rincón escribió:
>> Dear Java packaging team,
>>
>> (Please CC: me when replying, I am not subscribed to the list)
>>
>> According to the apache advisory of CVE-2023-51441, axis 1.x has been
>> EOL'ed upstream:
>>
>> https://lists.apache.org/thread/8nrm5thop8f82pglx4o0jg8wmvy6d9yd
>>
>> According to the comment by grid on #debian-security, I understand it is
>> on life support upstream, and there have been fixes for CVEs the last
>> years, including at least one not-unimportant. However, from the above
>> mentioned advisory, upstream recommends to migrate to a "different SOAP
>> engine, such as Apache Axis 2/Java."
>>
>> On sid, this is the current list of build dependencies of libaxis-java:
>>
>> jalview
>> jets3t
>> jglobus
>> starjava-datanode
>> starjava-dpac
>> starjava-topcat
>> starjava-ttools
>> starjava-vo
>> starjava-votable
>> uimaj
>>
>> So my mail is just to start any discussion to see if it would be
>> appropriate to file bugs on the reverse dependencies, to ask the
>> maintainers if they could study how feasible is to migrate to another
>> SOAP engine.
>>
>> Any thoughts?

Thanks for raising this issue. My first feeling is filing these bug 
reports is sensible, unconditionally.

But also I wonder if we have some reasonable alternative to suggest in 
these bug reports:
- axis2 is unpackaged (could be) and its latest release is 2 years (+ 1 
day) old;
- saaj and jaxws: I can't say if they can provide an alternative to what 
axis does. Perhaps some people there have an opinion?
- Apache CXF, unpackaged as of now but seems to be actively maintained?
- something else?

Do others in the team have some ideas?

>>
>> Cheers,
>>
>>   -- Santiago
> 
> 

Best,

-- 
Pierre

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Find similar

Thread

Status of axis in debian Santiago Ruano Rincón <santiagorr@riseup.net> - 2024-07-10 16:00 +0200
  Re: Status of axis in debian Pierre Gruet <pgt@debian.org> - 2024-07-14 15:20 +0200

csiph-web