ant-dev mailing list archives

From Jaikiran Pai <jai.forums2...@gmail.com>
Subject Re: Ivy - No more support for commons-httpclient 2.x in runtime classpath?
Date Tue, 25 Jul 2017 09:37:16 GMT
This turned out to be a relatively smaller task than what I had 
previously thought it would be. That's mainly thanks to the way this 
whole interaction with the library, in Ivy, has been designed and kept 
isolated from the majority of the code.

So as of late yesterday, the master branch now uses 4.5.3 of 
HttpComponents HttpClient library. Relevant documentation has been 
updated to reflect the same. Additional tests have been added to 
test/verify the semantics and also verify some of the issues that were 
reported in Ivy due to our usage of the older commons-httpclient.

An upstream master build on Jenkins after these commits has gone fine 
too. I'm waiting for at least another round of Jenkins job to finish 
(for unrelated reasons our jobs haven't triggered given unavailability 
of some Jenkins agents/nodes), before I request some of our users on 
ivy-user mailing list to give the latest snapshot a try to see if there 
are any unforeseen regressions.

-Jaikiran
On 25/07/17 12:37 AM, Nicolas Lalevée wrote:
>> On 24 Jul 2017, at 08:19, Jaikiran Pai <jai.forums2013@gmail.com> wrote:
>>
>> That's a big enough reason to move to HttpComponents Client 4.x version! I'll have that done in this release of Ivy then.
> +1
>
> Nicolas
>
>> -Jaikiran
>>
>>
>> On 24/07/17 11:43 AM, Stefan Bodewig wrote:
>>> On 2017-07-24, Jaikiran Pai wrote:
>>>
>>>> Ivy currently uses commons-httpclient for dealing with HTTP
>>>> repositories. This is an internal implementation detail of Ivy. The
>>>> way it's implemented, it allows the user to use a version of their
>>>> choice, of this library, by placing them in the runtime classpath
>>>> (similar to some other libraries we use). The implementation
>>>> internally checks for the presence of 2.x as well as 3.x version of
>>>> library to decide which version to use at _runtime_ .
>>> Let me point out that even 3.x has long reached end of life. Its
>>> successor fixed CVE-2012-5783[1] with 4.2.3 but there hasn't been any
>>> 3.x release that has fixed it AFAIK.
>>>
>>> Stefan
>>>
>>> [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
>>> For additional commands, e-mail: dev-help@ant.apache.org
>>>
>
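
A runtime presence check of the kind the quoted message describes, as an added example (not Ivy's code and not part of the original thread): it probes the classpath for marker classes and reports which jar supplies each HTTP client generation, so a leftover commons-httpclient jar can be found. The class name HttpClientClasspathAudit and the choice of marker classes are assumptions of this example.

```java
import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.Map;

public class HttpClientClasspathAudit {
    // Marker classes (assumed probes): HttpClient is in commons-httpclient 2.x and 3.x,
    // HttpClientParams only from 3.0 on, CloseableHttpClient only in HttpComponents 4.3+.
    static final String COMMONS_ANY = "org.apache.commons.httpclient.HttpClient";
    static final String COMMONS_3X = "org.apache.commons.httpclient.params.HttpClientParams";
    static final String HC_4X = "org.apache.http.impl.client.CloseableHttpClient";

    /** Returns where the class was loaded from, or null if it is not on the classpath. */
    static String locate(String className, ClassLoader loader) {
        try {
            // initialize=false: test for presence without running static initializers
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return src == null ? "(unknown location)" : String.valueOf(src.getLocation());
        } catch (ClassNotFoundException | LinkageError e) {
            return null;
        }
    }

    /** Maps each library generation found to the jar or directory that provides it. */
    static Map<String, String> audit(ClassLoader loader) {
        Map<String, String> found = new LinkedHashMap<>();
        String legacy = locate(COMMONS_ANY, loader);
        if (legacy != null) {
            boolean is3x = locate(COMMONS_3X, loader) != null;
            found.put(is3x ? "commons-httpclient 3.x" : "commons-httpclient 2.x", legacy);
        }
        String current = locate(HC_4X, loader);
        if (current != null) {
            found.put("HttpComponents HttpClient 4.x", current);
        }
        return found;
    }

    public static void main(String[] args) {
        Map<String, String> found = audit(HttpClientClasspathAudit.class.getClassLoader());
        if (found.isEmpty()) {
            System.out.println("No Apache HTTP client library on the classpath");
        }
        found.forEach((lib, where) -> {
            // The thread notes 3.x is end of life with no known release fixing CVE-2012-5783
            String note = lib.startsWith("commons-httpclient") ? "  [end-of-life, remove]" : "";
            System.out.println(lib + " <- " + where + note);
        });
    }
}
```

Run it with the same classpath the build tool uses; more than one line of output means both generations are visible to the class loader.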

