
List:       activemq-dev
Subject:    Re: Remove Jackson from ActiveMQ classic
From:       Jean-Louis Monteiro <jlmonteiro () tomitribe ! com>
Date:       2023-05-19 17:33:33
Message-ID: CAPkio3EdWarGjCAP8yoozBO3a2-_4wLP=R1roBmH=q06SofGhw () mail ! gmail ! com


I've rebased the PR. I have 1 failure I'm looking at.

On Fri, May 19, 2023, 15:16, Christopher Shannon <
christopher.l.shannon@gmail.com> wrote:

> I think we should just go with JSON-P since that's what Artemis is using
> and it seems like everyone agrees that will at least work for people who
> want to switch out the implementation.
>
> On Wed, May 17, 2023 at 5:36 AM Jean-Louis Monteiro <
> jlmonteiro@tomitribe.com> wrote:
>
> > The issue is that CVEs are frequent on Jackson and we can't always release
> > ActiveMQ quickly with just a Jackson version update.
> > It's also a pain on other Apache projects such as Apache TomEE for example.
> > If Jackson upgrades ActiveMQ upgrades, TomEE also needs to upgrade.
> >
> > I understand that relying on a JSON Mapper is easier and opens some doors.
> > How long have we been using Jackson in the WebConsole and how much have we
> > added over the last years?
> >
> > Our usage is pretty simple though, so if we can save our users the pain of
> > updating I think it's positive for the project and our user experience.
> >
> > If it's ready, let's rebase the PR and merge it so at least we can pick up
> > another provider.
> >
> > Thanks for all the follow up
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Wed, May 17, 2023 at 5:57 AM Jean-Baptiste Onofré <jb@nanthrax.net>
> > wrote:
> >
> > > FYI, Romain provided a PR to use Apache Johnzon a while ago:
> > > https://github.com/apache/activemq/pull/308
> > >
> > > The PR is fine (I already tested when submitted), it just needs a rebase.
> > > If we agree, I can move forward on this one.
> > >
> > > Regards
> > > JB
> > >
> > > On Wed, May 17, 2023 at 4:04 AM Justin Bertram <jbertram@apache.org>
> > > wrote:
> > > >
> > > > For what it's worth, Artemis uses JSON-P [1] since it's a standard,
> > > > simple API. We use Apache Johnzon for the implementation. It does
> > > > everything we need given our relatively basic use-cases.
> > > >
> > > > Additionally, we wrap the API so that all the broker code can use the
> > > > wrapper and the wrapper can be modified to work in Java EE or Jakarta EE
> > > > environments.
> > > >
> > > >
> > > > Justin
> > > >
> > > > [1] https://javaee.github.io/javaee-spec/javadocs/javax/json/package-summary.html
> > > >
> > > > On Tue, May 16, 2023 at 6:02 PM Christopher Shannon <
> > > > christopher.l.shannon@gmail.com> wrote:
> > > >
> > > > > Yes, this keeps coming up and as JB said I don't see a problem with
> > > > > Jackson, it can be updated for CVEs and works very well and is quite
> > > > > feature rich in case we need it.
> > > > >
> > > > > If we are going to do any JSON serialization I don't want to re-invent
> > > > > the wheel and create our own serializer, so we should at least use an
> > > > > existing library, even if we make it pluggable like JSON-B.
> > > > >
> > > > > There's alternatives too like Gson if we wanted something
> > > > > smaller/lightweight.
> > > > >
> > > > > On Tue, May 16, 2023 at 3:11 PM Jean-Baptiste Onofré <jb@nanthrax.net>
> > > > > wrote:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > We discussed this already in the past. IMHO, we can replace Jackson by
> > > > > > just SAX (no need to use JSON-B regarding our usage).
> > > > > >
> > > > > > That said, I don't see any huge issue with Jackson: it works fine and
> > > > > > we keep the versions up to date to fix CVE.
> > > > > >
> > > > > > The only interesting move would be to use SAX parsing directly instead
> > > > > > of a mapper.
> > > > > >
> > > > > > Regards
> > > > > > JB
> > > > > >
> > > > > > On Tue, May 16, 2023 at 12:17 PM Jean-Louis Monteiro
> > > > > > <jlmonteiro@tomitribe.com> wrote:
> > > > > > >
> > > > > > > Hi all,
> > > > > > >
> > > > > > > Jackson seems to be frequently affected by CVEs and it's really a pain
> > > > > > > for users.
> > > > > > >
> > > > > > > Looks like Jackson is only used in the WebConsole to read/write a few
> > > > > > > attributes. I'm sure we can get rid of it and either use a standard API
> > > > > > > so one can plug in any implementation, or just write down a utility class
> > > > > > > to parse the small attribute we have to.
> > > > > > >
> > > > > > > Thoughts?
> > > > > > >
> > > > > > > I'm happy to do a PR to remove it if that's the consensus.
> > > > > > >
> > > > > > > --
> > > > > > > Jean-Louis Monteiro
> > > > > > > http://twitter.com/jlouismonteiro
> > > > > > > http://www.tomitribe.com
> > > > > >
> > > > >
> > >
> >
>

