hunterhacker/jdom

Project Health ?

Closed this issue · 5 comments

First, I'd like to thank everyone who has worked on JDOM. It's a great library and I've always found it reliable and easy to use. I have one larger project that's been using it for many years. I'm asking about the future of this project from a strategic perspective. The reasons that I'm asking are:

  • The last release for this project was in Feb 2015
  • There have only been about 8 pull requests merged since the last release
  • I attempted to join the jdom-interest mailing list a week ago in order to ask this question and have not received a response
  • The last real posting to the jdom-interest mailing list was the 2.0.6 release notes (admittedly everyone uses Stack Overflow now though)
  • Java now ships with XML libraries that support DOM/SAX/STAX parsing

Is this project considered "done" and just in a maintenance mode?
Should other long-term projects look to migrate to Java libraries as Java continues to evolve (Java 9) and XML-based security issues arise?

Hi,

As one of the two original creators of JDOM, I'm still paying attention here, but yes I view JDOM as done. XML just isn't changing.

Rolf Lear took over the heavy lifting starting with JDOM 2.0. For a long time he was very fast to respond to people's questions/issues. Now though he's been radio silent for the last couple years. I worry about him. I tried emailing him to check on him but couldn't get a response. If anyone can help find him, I'd appreciate it. He used to work at IBM. We collaborated but I never even had his phone number!

If we can't find him, there's an opening for someone who wants to do the little tweaks JDOM could still use like issue #174 regarding leveraging Java 9 features.

I'll check what's up with the jdom-interest mailing list.

Regarding the question whether you should use JDOM in preference to the DOM implementation in the JDK, it's obviously up to you: that hasn't changed in years either. JDOM2 and XOM are my preferred tree models for Java; both are much more modern APIs, much more "Java-like", and much more attuned to current thinking about how XML should be modelled, than the DOM which, frankly, is just awful. But the newer models haven't succeeded in displacing DOM and a lot of people think that they should use DOM despite its dreadfulness because (a) it's in the JDK and (b) it's a W3C specification. It's your choice. JDOM isn't going to go away and it doesn't need to be changed. It's actually possible to finish a piece of software and declare it finished; the fact that it's stable should be seen as a positive not as a negative.

I agree that XML isn't changing much, but have to disagree with @michaelhkay here. I don't believe a software project is ever done because the environment is always changing.

For example, in 2015?, this paper was released: https://www.usenix.org/system/files/conference/woot16/woot16-paper-spath.pdf listing JDOM as containing 15 vulnerabilities. Have these been addressed? Is this the independent security assessment in #128 from 2014?

The authors of the paper make an inexcusable mistake by describing JDOM as an XML parser. It is a service built on top of an XML parser.

(Publishing the paper without a date is pretty inexcusable too.)