marklogic / marklogic-contentpump

MarkLogic Contentpump (mlcp)
http://developer.marklogic.com/products/mlcp
Apache License 2.0

can we please publish commons-csv:1.5.1-marklogic to jcenter or mavenCentral #99

Open peetkes opened 5 years ago

peetkes commented 5 years ago

Can we please publish commons-csv:1.5.1-marklogic to jcenter or mavenCentral as it is now unreachable due to issues with http://developer.marklogic.com/maven2/ and/or https://developer.marklogic.com/maven2/

markschiffner commented 1 year ago

bump - Can we get this resolved so that tools/projects that can't access developer.marklogic.com by policy can still retrieve the artifact from maven central. Is it possible that later versions of commons-csv have resolved the issues that required custom additions?

yunzvanessa commented 1 year ago

Hi Mark,

Since it is getting close to the 11.0.0 release date, we will not have enough time to work with the legal department. The new commons-csv-1.5.2 will still be published to the DMC maven, which is public. After it's published, if you still see this issue please feel free to raise it.

Thanks, Vanessa

markschiffner commented 1 year ago

Thanks Vanessa, I understand the timing issue.

In talking with Matt, I know that some customers are not allowed to connect to development.marklogic.com. We also noticed that numerous other companies have tweaked the commons-csv using various techniques, including one-offs in Maven Central. If the tweaks are fixed in later versions of apache's jar file, then mlcp can depend on the core jar. If they are not, we are suggesting that either:

1) The customizations MarkLogic is making are published to Maven Central and that we ensure that updates from later versions are incorporated - there are vulnerabilities addressed in subsequent versions.
   a) apache commons csv is at 1.9.0. Our custom jar is at 1.5.2; that version number does not make it clear if vulnerabilities that apache addressed in 1.6, 1.7, 1.8, and 1.9 have been incorporated into our custom jar.
   b) When we deliver mlcp with the custom dependency and our customer does a scan, they will potentially find any vulnerabilities not addressed.
2) The updates are a pull request to apache core so that they are helpful to all users - this assumes the updates would be useful to the broader community.
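The concern above is that a vendor-suffixed fork such as `1.5.2-marklogic` is pinned to an old upstream base version, and nothing in the version string says whether later upstream fixes were backported. As an added example (not code from the mlcp project or from anyone in this thread), the following script parses a constructed POM fragment and flags dependencies whose version carries a suffix and whose base version lags the upstream release. The upstream version table is an assumed stand-in for what a real check would pull from Maven Central metadata or a vulnerability database; the coordinates and `1.5.2` / `1.9.0` values follow the thread.

```python
"""Flag Maven dependencies whose version carries a vendor suffix (e.g. "-marklogic")
and whose base version lags behind the upstream release. Added example, not mlcp code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM fragment (not the mlcp project's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-csv</artifactId>
      <version>1.5.2-marklogic</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.12.0</version>
    </dependency>
  </dependencies>
</project>"""

# Assumed upstream "latest release" table. In a real check this would be
# fetched from Maven Central metadata or a vulnerability database.
UPSTREAM_LATEST = {
    "org.apache.commons:commons-csv": "1.9.0",
    "org.apache.commons:commons-lang3": "3.12.0",
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Numeric base version, optionally followed by a qualifier such as "-marklogic".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.-]*))?$")


def parse_version(version):
    """Split "1.5.2-marklogic" into ((1, 5, 2), "marklogic"); plain versions get suffix None."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    return base, m.group(2)


def dependencies(pom_xml):
    """Yield (groupId:artifactId, version) pairs from a POM document."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        yield f"{group}:{artifact}", version


def find_lagging_forks(pom_xml, upstream):
    """Return findings for suffixed (vendor-patched) versions whose base lags upstream."""
    findings = []
    for coord, version in dependencies(pom_xml):
        base, suffix = parse_version(version)
        latest = upstream.get(coord)
        if latest is None:
            continue  # no upstream reference available for this artifact
        latest_base, _ = parse_version(latest)
        if suffix and base < latest_base:
            findings.append({
                "coordinate": coord,
                "version": version,
                "base": ".".join(map(str, base)),
                "upstream": latest,
                "suffix": suffix,
            })
    return findings


if __name__ == "__main__":
    for f in find_lagging_forks(SAMPLE_POM, UPSTREAM_LATEST):
        print(f"{f['coordinate']} {f['version']}: base {f['base']} lags upstream "
              f"{f['upstream']}; verify which upstream fixes the '{f['suffix']}' fork carries")
```

A finding here does not mean the fork is vulnerable, only that the version string cannot answer the question; the follow-up is to diff the fork against the upstream tag or publish it under a version that tracks the upstream base it was built from.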

yunzvanessa commented 1 year ago

Thanks for the background Mark, I'll file a task for 11.1.0 to track the publishing task and also the vulnerabilities.

Vanessa