Thanks for bringing this "no maintenance,
no new Orbit" issue to my attention.
While the Planning Council does not
like to "make" people do extra work they would not normally do,
I believe it was the intent of one of our requirements that the latest
Orbit be consumed every update release -- if there has been a new Orbit
"released". Most often there is not a new Orbit release, since
we in Orbit do that only for significant issues. This time, it was only
for the 'commons.collections' security bug, and a bad bug in Ant 1.9.4
that drove us to provide Ant 1.9.6.
While I will not say you *have* to update
and provide a new build, I would encourage you to, as well as anyone else
who uses "commons.collections" since we don't want to "spread
around" a package that has a known security flaw in it.
As far as I know, in most cases of installing
and updating people will get the correct, fixed version of that bundle,
but I am not positive that is always true, so I hate for it to be available
from any of our "most recent repositories" (Simultaneous Release
or not) -- after all, the b3 aggregator is including it for some reason
-- so someone must say they require it?
But I am also not the "security
policeman" that will say that bundle must be expunged from all current
downloads. (If I recall, the security issue only applied to specialized
cases ... but, if you were running in that case, it was a bad security
bug possibly leading to a malicious person "executing arbitrary commands".)
I have opened bug 487285 to investigate
or discuss this issue further. And, I will put this on future
Planning Council agendas to see if we can word that requirement better
so that all projects know better what is expected of them.
From: Ed Willink <ed@xxxxxxxxxxxxx>
Date: 02/04/2016 01:12 AM
Subject: Ready for Mars.2 ?
On 03/02/2016 22:29, David M Williams wrote:
> - Every contribution file has changed since Mars.1. Also good. (i.e. no projects are just sleeping and forgot to update :)

You might want to review your query. qvtd.b3aggrcon was last changed by me on 26 June, and by you on 14 July.

We are certainly not sleeping, and did not forget to update. Just working very hard to support the functionality required for graduation to 1.0.0.

> And ... worst of all, IMHO, some "old" third party jars are still being used, which implies to me someone is not using the latest version of Orbit (R20151221205849).

But if a project has no maintenance to contribute, I thought no rebuild/contribution was required and so of course an old Orbit would be in use. (I don't think that QVTd imposes tight bounds on Orbit contributions.)