[BUILD-1015] Fork apache commons-beanutils internally in order to release it ourselves Created: 01/Feb/23  Updated: 09/Mar/23  Resolved: 16/Feb/23

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: BOM 6.2.30

Type: Task Priority: Neutral
Reporter: Daniel Alonso Assignee: Daniel Alonso
Resolution: Done Votes: 0
Labels: None
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: Not Specified Time Spent: Not Specified
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: PNG File image-2023-02-03-07-10-06-414.png    
Issue Links:
dependency
relation
is related to BUILD-1021 Keep our commons-beanutils fork in sy... Selected
Sub-Tasks:
Key         Summary         Type      Status     Assignee
BUILD-1016  Implementation  Sub-task  Completed  Daniel Alonso
BUILD-1017  Review          Sub-task  Completed  Daniel Alonso
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Epic Link: get rid of commons-beanutils1
Sprint: Nucleus 30
Story Points: 3
Team: Nucleus
Work Started:

 Description   

Context

 

Derived from https://jira.magnolia-cms.com/browse/BUILD-970, we contacted the current Apache commons-beanutils owner to ask him about his current roadmap and expectations for a potential 2.0 version (free of commons-collections 3.2).

https://markmail.org/message/jri4cplfgscc55aa#query:+page:1+mid:a2yv4nxm3lahorgl+state:results

 

Unfortunately, there is no 2.0.0 version planned in the short term.

At the end of this Slack conversation:

https://magnolia-cms.slack.com/archives/CDF2T239Q/p1674112499760959

a fork-and-release-on-our-own approach is suggested.

Expected result

 

Side notes

After speaking with some pals from the foundation team:

 

<version>2.0.0-magnolia-SNAPSHOT</version>
<name>${project.groupId}:${project.artifactId}</name>
<distributionManagement>
    <repository>
        <id>thirdparty</id>
        <url>https://nexus.magnolia-cms.com/content/repositories/thirdparty</url>
    </repository>
    <snapshotRepository>
        <id>thirdparty.snapshots</id>
        <url>https://nexus.magnolia-cms.com/content/repositories/thirdparty.snapshots</url>
        <uniqueVersion>true</uniqueVersion>
    </snapshotRepository>
</distributionManagement>
<scm>
    <connection>scm:git:ssh://git.magnolia-cms.com/internal/commons-beanutils.git</connection>
    <developerConnection>scm:git:ssh://git.magnolia-cms.com/internal/commons-beanutils.git</developerConnection>
    <url>https://git.magnolia-cms.com/projects/INTERNAL/repos/commons-beanutils</url>
    <tag>commons-beanutils-2.0.0-magnolia</tag>
</scm>
 

Also, with a description explaining why we are doing this fork:

<description>Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
    Magnolia's fork of beanutils2 master (see https://github.com/apache/commons-beanutils): Magnolia will release this and keep it until official Apache Commons BeanUtils 2.0 is released.
    The main reason for doing this is that version 2.0 finally gets rid of vulnerable commons-collections dependencies but still no ETA for release, although it seems to be close.
</description>
  • a Jenkinsfile with content like this:
magnoliaDefaultPipeline() 
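
One way to check that a consuming project is free of the dependencies this fork is meant to remove, as an added example that is not part of the original ticket or of Magnolia's build: a small audit over the text output of `mvn dependency:tree` that reports any commons-collections 3.x or commons-beanutils 1.x artifact and the path that pulls it in. The sample tree and the `com.example` / `org.example` coordinates are constructed for illustration.

```python
import re

# groupId:artifactId -> version prefix that should no longer appear (assumed policy,
# derived from the ticket's goal of dropping BeanUtils 1.x and commons-collections 3.x).
BANNED = {
    "commons-collections:commons-collections": "3.",
    "commons-beanutils:commons-beanutils": "1.",
}

# Constructed sample of `mvn dependency:tree` output.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:tree (default-cli) @ webapp ---
[INFO] com.example:webapp:war:1.0-SNAPSHOT
[INFO] +- org.example:forms:jar:2.3:compile
[INFO] |  \- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] |     \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] \- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] Finished at: 2023-02-03T07:10:06+01:00
"""


def audit(tree_text):
    """Return [(banned 'g:a:version', path from the direct dependency down)]."""
    findings, path = [], []
    for line in tree_text.splitlines():
        body = re.sub(r"^\[INFO\] ", "", line)
        first = re.search(r"[A-Za-z0-9]", body)
        # Tree nodes look like g:a:type[:classifier]:version:scope (>= 4 colons).
        if not first or body.count(":") < 4:
            continue
        depth = first.start() // 3  # each tree level is drawn with 3 characters
        if depth == 0:
            continue  # root project line or unrelated log output
        parts = body[first.start():].split(":")
        ga, version = f"{parts[0]}:{parts[1]}", parts[-2]
        path[depth - 1:] = [f"{ga}:{version}"]  # truncate to this level, then record
        prefix = BANNED.get(ga)
        if prefix and version.startswith(prefix):
            findings.append((f"{ga}:{version}", list(path)))
    return findings


if __name__ == "__main__":
    for coordinate, via in audit(SAMPLE_TREE):
        print(f"banned {coordinate} via {' -> '.join(via)}")
```
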

 


Generated at Sun Feb 11 23:47:21 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.