can we please publish commons-csv:1.5.1-marklogic to jcenter or mavenCentral #99

Open
peetkes opened this issue Apr 18, 2019 · 4 comments

peetkes commented Apr 18, 2019

Can we please publish commons-csv:1.5.1-marklogic to jcenter or mavenCentral as it is now unreachable due to issues with http://developer.marklogic.com/maven2/ and/or https://developer.marklogic.com/maven2/

yunzvanessa self-assigned this May 20, 2019
yunzvanessa added this to the 10.0.2 milestone May 20, 2019
yunzvanessa modified the milestones: 10.0.2, 10.0.3 Aug 23, 2019
yunzvanessa modified the milestones: 10.0.3, 11.0.1 Sep 18, 2019

markschiffner commented Nov 29, 2022

Bump - can we get this resolved so that tools/projects that can't access developer.marklogic.com by policy can still retrieve the artifact from Maven Central? Is it possible that later versions of commons-csv have resolved the issues that required custom additions?

@yunzvanessa

Hi Mark,

Since it is getting close to the 11.0.0 release date, we will not have enough time to work with the legal department. The new commons-csv-1.5.2 will still be published to the DMC maven, which is public. After it's published, if you still see this issue, please feel free to raise it.

Thanks,
Vanessa

@markschiffner

Thanks Vanessa, I understand the timing issue.

In talking with Matt, I know that some customers are not allowed to connect to development.marklogic.com. We also noticed that numerous other companies have tweaked commons-csv using various techniques, including one-offs in Maven Central. If the tweaks are fixed in later versions of Apache's jar file, then mlcp can depend on the core jar. If they are not, we are suggesting that either:

  1. The customizations MarkLogic is making are published to Maven Central and that we ensure that updates from later versions are incorporated - there are vulnerabilities addressed in subsequent versions.
    a) Apache Commons CSV is at 1.9.0. Our custom jar is at 1.5.2; that version number does not make it clear if vulnerabilities that Apache addressed in 1.6, 1.7, 1.8, and 1.9 have been incorporated into our custom jar.
    b) When we deliver mlcp with the custom dependency and our customer does a scan, they will potentially find any vulnerabilities not addressed.
  2. The updates are a pull request to Apache to core so that they are helpful to all users - this assumes the updates would be useful to the broader community.

@yunzvanessa

Thanks for the background Mark, I'll file a task for 11.1.0 to track the publishing task and also the vulnerabilities.

Vanessa

abika5 modified the milestones: 11.1.0, 11.2.0 Jan 3, 2024
abika5 modified the milestones: 11.3.0, 11.4.0 Jun 20, 2024