Plan for 2.0.0-M9 release. #1319

Closed
sbernard31 opened this issue Oct 6, 2022 · 12 comments
Labels
discussion Discussion about anything

Comments

@sbernard31
Contributor

sbernard31 commented Oct 6, 2022

A 2.0.0-M9 release is required by @adamsero.
Ideally for the end of the week. (#1313 (comment))

Current modifications are:

140f8b893: Remove Unused local variable and add checkstyle rule about that.
2fdf9f17f: #1304 Refactored timestamps to use BigDecimal and Instant
d4939f091: Updates demo frontend dependencies
84a055bba: Upgrade jackson dependencies (2.13.3 => 2.13.4)
e6af61d53: Upgrade maven plugins dependencies
f5accbcf1: Integration of Californium 3.7.0
ecc113c43: #1305 : Added toString, hashCode and equals to ObserveCompositeRequest
d3cf1a2aa: Timestamps in seconds instead of milliseconds in ManualDataSender
b14a7406f: #1301: Fix relative timestamp issue of SenML decoder.
a9e1741a3: #1298: fix issue about EC Key Pair with java 15 or higher
eb6f51c35: Add "write checks" permissions for test reports github action
f0d72633d: Update SECURITY.md to add CVE-2022-2576 issue.
009aab986: no checkstyle or java import check if code doesn't compile
d31212d36: No github action on Draft PR.
fbc9f75f7: add requireUpperBoundDeps rules to maven-enforcer-plugin.
c0a73763d: Revapi should not always check API on v1.0.0 but on the last released.

@adamsero :

  • is there something more we need to add ?
  • do you (or orange) need time to test current master in your product to be sure it's fine to you ?

One more detail: I see a Dependabot alert about the current Jackson library. I think we are not concerned as we don't use the UNWRAP_SINGLE_VALUE_ARRAYS setting, but maybe better to upgrade anyway. The "problem": there is only an rc1 version available with the fix. So I don't know if we should wait, or ? (See: FasterXML/jackson-databind#3590 (comment))

sbernard31 added the discussion label Oct 6, 2022
@adamsero
Contributor

adamsero commented Oct 6, 2022

> • is there something more we need to add ?

I think we're good to go

> • do you (or orange) need time to test current master in your product to be sure it's fine to you ?

The thing is we need the release to test it in production 🙂

About the library, if it's not anything serious or critical, I'd say we can wait for 2.14.0 and bump it in the next release but for now if we could pull off M9 by the end of the week it would be fantastic.

Thanks again for being helpful with the quick release 🙏

@sbernard31
Contributor Author

> The thing is we need the release to test it in production.

Maybe you have unit / integration tests that you could run with master ?
Or maybe a pre-prod environment ?

> About the library, if it's not anything serious or critical, I'd say we can wait for 2.14.0 and bump it in the next release but for now if we could pull off M9 by the end of the week it would be fantastic.

Concretely, I think we are not impacted, but in security, if you are wrong about that, this could have strong consequences.
And also I think that most people who integrate Leshan will see a security alert about the new Jackson dependency CVE.
So, I would be more comfortable either going with 2.14.0-rc1 now or waiting for 2.14.0.

> we could pull off M9 by the end of the week it would be fantastic.

Could you be a bit more precise? I mean, if this is available tomorrow at the end of the day, is it OK?
Or do you need to integrate it tomorrow?

@adamsero
Contributor

adamsero commented Oct 6, 2022

> So, I would be more comfortable either going with 2.14.0-rc1 now or waiting for 2.14.0.

Ok, so can we go for 2.14.0-rc1 then?

> I mean, if this is available tomorrow at the end of the day, is it OK?

It's OK

@sbernard31
Contributor Author

> Ok, so can we go for 2.14.0-rc1 then?

Yep, I will wait a little bit, just in case we succeed in getting an answer from the Jackson devs.
If we don't get an answer in time, I will just go for 2.14.0-rc1.

@sbernard31
Contributor Author

sbernard31 commented Oct 6, 2022

Oh, I just saw that the Jackson release is expected for around mid-October in the best-case scenario. (FasterXML/jackson-databind#3590 (comment))
So no need to wait for it.

@sbernard31
Contributor Author

sbernard31 commented Oct 6, 2022

The 2.0.0-M9 is currently available in a "staged repository" using:

```xml
<repositories>
  <repository>
    <id>staged-releases</id>
    <url>https://oss.sonatype.org/content/repositories/orgeclipseleshan-1072</url>
  </repository>
</repositories>

<dependencies>
  <dependency>
    <groupId>org.eclipse.leshan</groupId>
    <artifactId>leshan-bsserver-demo</artifactId>
    <version>2.0.0-M9</version>
  </dependency>
</dependencies>
```

If you want, you can test it. At this stage, if we find an issue, we can abort the release, fix it and retry a new one later.
Tomorrow morning, if I have no bad news from you, I will finalize the release.

@sbernard31
Contributor Author

After reading several answers from cowtowncoder at FasterXML/jackson-databind#3590 (comment),
I have finally decided not to ship 2.14.0-rc1 and to keep 2.13.4. So users will be alerted by security tools (at least I hope) and will choose to update or not.
As 2.14.0-rc1 is backward compatible, anybody should be able to upgrade to 2.14.0-rc1, if they feel it is better.
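
For integrators who choose to move to the release candidate themselves, one way to pin Jackson in a consuming project's pom.xml (an added example, not part of the original thread or of Leshan's build). It assumes the project resolves jackson-core, jackson-annotations and jackson-databind transitively; the property name `jackson.version` is illustrative.

```xml
<!-- Added example: consumer-side override, not Leshan's own pom.xml. -->
<properties>
  <!-- Version named in the thread; the property name is illustrative. -->
  <jackson.version>2.14.0-rc1</jackson.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- dependencyManagement takes precedence over the versions that
         arrive transitively (2.13.4 via Leshan 2.0.0-M9). The core
         modules are pinned together so they stay on one Jackson release. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-annotations</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` afterwards shows which Jackson version is actually resolved.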

@sbernard31
Contributor Author

@adamsero the 2.0.0-M9 should be available but not yet visible at https://search.maven.org.

@adamsero
Contributor

adamsero commented Oct 7, 2022

Thank you very much 🙏

@sbernard31
Contributor Author

sbernard31 commented Oct 7, 2022

@adamsero about

> The thing is we need the release to test it in production 🙂

I think that maybe you should discuss a way to test pre-releases of Leshan.
This could help you to ensure (or at least limit the risk) that the release will fit your needs.
And this could help to deliver better Leshan releases.

As I said, maybe by running integration tests and/or deploying in a pre-prod environment?

Let me know about that. 🙏

@sbernard31
Contributor Author

Now 2.0.0-M9 is officially out : https://github.com/eclipse/leshan/releases/tag/leshan-2.0.0-M9, I guess we can close this issue ?

@sbernard31
Contributor Author

I think we can close this one.
