[VOTE] Release Apache Commons Codec 1.12 based on RC2


Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

Gilles Sadowski-2
On Fri, 8 Feb 2019 at 11:24, Bruno P. Kinoshita <[hidden email]> wrote:
>
> Ah, good point. If you prefer to use the gitbox interface, it's available here too.
>
> https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=4396eccbb80211643403419b22715b033015e452;hb=1884dc028bce8094e8ddd7a9fc192a107a64527a#l77

I see the new method there but not in any of the obvious places:
 * branch "1_12"
 * branch "trunk"
 * branch "master"

>
> The branch from which the tag was created, I think, is in other repository, and will be pushed/merged during the next steps of the release.

Which repository?

Regards,
Gilles

>
> Cheers
> Bruno
>
>
>
>
> On Friday, 8 February 2019, 10:30:07 pm NZDT, Gilles Sadowski <[hidden email]> wrote:
>
>
>
>
>
> Hi.
>
> On Fri, 8 Feb 2019 at 10:13, Bruno P. Kinoshita <[hidden email]> wrote:
> >
> >  Hi Gilles,
> > Sorry, forgot to mention I was talking about the code in the tag for the release.
>
> The link which I provided is also supposed to be the
> code-to-be-released (branch "1_12").
> Incriminated code does not appear there.
>
> Gilles
>
> >
> > The random is created here
> >
> > https://github.com/apache/commons-codec/blob/1884dc028bce8094e8ddd7a9fc192a107a64527a/src/main/java/org/apache/commons/codec/digest/B64.java#L77
> > And used here
> > https://github.com/apache/commons-codec/blob/commons-codec-1.12-RC2/src/main/java/org/apache/commons/codec/digest/Sha2Crypt.java#L113
> > This last one is called from one of the unit tests within that Sha512Test class that was mentioned in the previous e-mails.
> > I simplified the code while debugging in Eclipse, but probably omitted too much of it. Sorry.
> > Cheers
> > Bruno
> >
> >    On Friday, 8 February 2019, 9:58:47 pm NZDT, Gilles Sadowski <[hidden email]> wrote:
> >
> >  Hello Bruno.
> >
> > On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <[hidden email]> wrote:
> > >
> > > Hi,
> > >
> > > Had a bit of spare time to investigate this one (almost end of Friday for me anyway, hooray!).
> > >
> > > There are two unit tests in Sha512 hanging for me in Eclipse, testSha512CryptExplicitCall and testSha512CryptNullData. The code that the test uses and hangs in my JVM can be simplified to:
> > >
> > > ```
> > > String salt = B64.getRandomSalt(8);
> > > System.out.println(salt); // never seen
> > > ```
> > >
> > > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which is the random object. Used to randomly pick a letter of the B64 alphabet.
> >
> > Where is that code?
> > https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
> >
> > Gilles
> >
> > >
> > > It appears this one may take a long time in some systems due to low entropy. i.e. it tries to gather more random data to give you a really strong random... only that it appears to take a long long time for my JVM.
> > >
> > > Cheers
> > > Bruno
> > >
> > > https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
> > >
> > >
> > >
> > >
> > >
> > > On Friday, 8 February 2019, 2:31:35 pm NZDT, Rob Tompkins <[hidden email]> wrote:
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > > On Feb 7, 2019, at 8:17 PM, sebb <[hidden email]> wrote:
> > > >
> > > > It builds fine on ubuntu trusty with Java 8
> > >
> > > Agree
> > >
> > > >
> > > > https://builds.apache.org/view/A-D/view/Commons/job/Commons-Codec-Adhoc/
> > > >
> > > > Maybe sprinkle the Sha2Crypt.sha2Crypt method with debug prints to see
> > > > where the code is hanging?
> > > >
> > > > Or can you run the test in an IDE that allows you to interrupt it if it hangs?
> > > > > > [...]
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]

Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

garydgregory
In reply to this post by Gilles Sadowski-2
On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <[hidden email]> wrote:

> Hello Bruno.
>
> On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <[hidden email]> wrote:
> >
> > Hi,
> >
> > Had a bit of spare time to investigate this one (almost end of Friday for me anyway, hooray!).
> >
> > There are two unit tests in Sha512 hanging for me in Eclipse, testSha512CryptExplicitCall and testSha512CryptNullData. The code that the test uses and hangs in my JVM can be simplified to:
> >
> > ```
> > String salt = B64.getRandomSalt(8);
> > System.out.println(salt); // never seen
> > ```
> >
> > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which is the random object. Used to randomly pick a letter of the B64 alphabet.
>
> Where is that code?
>
> https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12


That should be an array, not a string IMO.

Gary


Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

sebb-2-2
-1 to the release:
I don't think we can release the code as is; it is bound to cause
significant delays on some systems.

I think we need to establish whether using 'new SecureRandom()'
instead of SecureRandom.getInstanceStrong() makes the long delays go
away.

Then we need to establish whether we really need
SecureRandom.getInstanceStrong().
From what I read in the link posted by Bruno:

https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
and linked posts such as:
https://www.2uo.de/myths-about-urandom/

it looks like 'new SecureRandom()' would be just as good for our purposes.

S.

On Fri, 8 Feb 2019 at 11:12, Gary Gregory <[hidden email]> wrote:

>
> On Fri, Feb 8, 2019, 03:58 Gilles Sadowski <[hidden email]> wrote:
>
> > Hello Bruno.
> >
> > On Fri, 8 Feb 2019 at 02:54, Bruno P. Kinoshita <[hidden email]> wrote:
> > >
> > > Hi,
> > >
> > > Had a bit of spare time to investigate this one (almost end of Friday for me anyway, hooray!).
> > >
> > > There are two unit tests in Sha512 hanging for me in Eclipse, testSha512CryptExplicitCall and testSha512CryptNullData. The code that the test uses and hangs in my JVM can be simplified to:
> > >
> > > ```
> > > String salt = B64.getRandomSalt(8);
> > > System.out.println(salt); // never seen
> > > ```
> > >
> > > Looking at B64, we have this: `SecureRandom.getInstanceStrong()`, which is the random object. Used to randomly pick a letter of the B64 alphabet.
> >
> > Where is that code?
> >
> > https://gitbox.apache.org/repos/asf?p=commons-codec.git;a=blob;f=src/main/java/org/apache/commons/codec/digest/B64.java;h=abd83fc34cd3b0df61fb6c0b33772d9cb5f559a7;hb=refs/heads/1_12
>
>
> That should be an array, not a string IMO.
>
> Gary

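An added example, not part of sebb's message or the Commons Codec code: a small Java probe for the question raised above, whether `new SecureRandom()` avoids the delay seen with `SecureRandom.getInstanceStrong()`. The class name `SecureRandomProbe` and the 5-second timeout are assumptions; each generator is seeded on a daemon thread so that a blocked draw cannot hang the probe itself.

```java
import java.security.SecureRandom;
import java.security.Security;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Added example (hypothetical class): times both SecureRandom sources under a hard timeout. */
public class SecureRandomProbe {

    /** Builds the generator, draws 16 bytes, and reports algorithm and elapsed time, or a timeout. */
    static String probe(String label, Callable<SecureRandom> source, long timeoutSeconds)
            throws Exception {
        // Daemon thread: a read that stays blocked must not keep the JVM alive.
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "probe-" + label);
            t.setDaemon(true);
            return t;
        });
        long start = System.nanoTime();
        Future<String> result = pool.submit(() -> {
            SecureRandom rnd = source.call();
            rnd.nextBytes(new byte[16]); // the first draw forces seeding
            return rnd.getAlgorithm();
        });
        try {
            String algorithm = result.get(timeoutSeconds, TimeUnit.SECONDS);
            long millis = TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
            return label + ": " + algorithm + " returned 16 bytes in " + millis + " ms";
        } catch (TimeoutException e) {
            result.cancel(true);
            return label + ": still blocked after " + timeoutSeconds + " s";
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        // The JVM selects the "strong" implementation from this security property.
        System.out.println("securerandom.strongAlgorithms = "
                + Security.getProperty("securerandom.strongAlgorithms"));
        System.out.println(probe("new SecureRandom()", SecureRandom::new, 5));
        System.out.println(probe("getInstanceStrong()", SecureRandom::getInstanceStrong, 5));
    }
}
```

On Linux JDKs the `securerandom.strongAlgorithms` default is usually `NativePRNGBlocking:SUN`, which reads `/dev/random`, so the second line is the one to watch on a host with little entropy.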

Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

garydgregory
Whatever we do, let's document it as best we can in places users will find
it.

Gary

On Fri, Feb 8, 2019, 06:36 sebb <[hidden email]> wrote:

> -1 to the release:
> I don't think we can release the code as is; it is bound to cause
> significant delays on some systems.
>
> I think we need to establish whether using 'new SecureRandom()'
> instead of SecureRandom.getInstanceStrong() makes the long delays go
> away.
>
> Then we need to establish whether we really need
> SecureRandom.getInstanceStrong().
> From what I read in the link posted by Bruno:
>
> https://tersesystems.com/blog/2015/12/17/the-right-way-to-use-securerandom/
> and linked posts such as:
> https://www.2uo.de/myths-about-urandom/
>
> it looks like 'new SecureRandom()' would be just as good for our purposes.
>
> S.

[CANCEL][VOTE] Release Apache Commons Codec 1.12 based on RC2

Rob Tompkins
I’m a -1 as well. I have some ideas here and will work on those going forward.

-Rob

> On Feb 8, 2019, at 6:41 AM, Gary Gregory <[hidden email]> wrote:
>
> Whatever we do, let's document it as best we can in places users will find
> it.
>
> Gary

Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

Gilles Sadowski-2
In reply to this post by sebb-2-2
On Fri, 8 Feb 2019 at 12:36, sebb <[hidden email]> wrote:
>
> -1 to the release:

The Javadoc does not mention that "SecureRandom" is used
by default.

And... where is the branch?

Gilles


Re: [VOTE] Release Apache Commons Codec 1.12 based on RC2

Alex Herbert
-1

It hangs on my machine when built from the git tag:

mvn -version
Apache Maven 3.5.4 (1edded0938998edf8bf061f1ceb3cfdeccf443fe;
2018-06-17T19:33:14+01:00)
Maven home: /usr/local/apache-maven-3.5.4
Java version: 1.8.0_191, vendor: Oracle Corporation, runtime:
/usr/lib/jvm/java-8-openjdk-amd64/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "4.4.0-141-generic", arch: "amd64", family:
"unix"

git clone https://gitbox.apache.org/repos/asf/commons-codec.git

git checkout commons-codec-1.12-RC2

mvn test


First hangs at: org.apache.commons.codec.digest.Md5CryptTest

This has a test that eventually calls B64.getRandomSalt, which I can
confirm in the code is using SecureRandom.getInstanceStrong() and the
Javadoc states this.


BTW: If the intention is to have the generation of the salt as a fast
method then you can:

- Avoid StringBuilder and just write to a char[] (which is then passed
to new String(char[]) at the end)

- Create 5 * 6-bit base 64 characters per sample from nextInt()

For most of the default 8 character salts that will reduce the calls to
nextInt() from 8 down to 2. I can provide code if required.

This is based on speed tests I did for commons-rng for Hex string
generation and later for any base 2 radix string. The ticket is still
open here:

https://issues.apache.org/jira/browse/RNG-54

Regards,

Alex


On 08/02/2019 12:12, Gilles Sadowski wrote:

> On Fri, 8 Feb 2019 at 12:36, sebb <[hidden email]> wrote:
>> -1 to the release:
> The Javadoc does not mention that "SecureRandom" is used
> by default.
>
> And... where is the branch?
>
> Gilles

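An added example, not code from Alex's post or from Commons Codec: one way to write the salt generator he outlines, filling a `char[]` directly and taking up to five 6-bit indices from each `nextInt()`. The names `PackedSaltExample`, `randomSalt` and `CountingSecureRandom` are hypothetical, and the 64-character crypt(3)-style table is an assumption, since the thread does not show B64's own.

```java
import java.security.SecureRandom;
import java.util.Random;

/** Added example (hypothetical class): packed salt generation as outlined in the post above. */
public class PackedSaltExample {

    // crypt(3)-style 64-character table; assumed here, the thread does not show B64's own.
    private static final char[] ALPHABET =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray();

    /** Fills a char[] directly, taking up to five 6-bit indices from each nextInt(). */
    static String randomSalt(int num, Random random) {
        if (num < 0) {
            throw new IllegalArgumentException("num must not be negative");
        }
        char[] salt = new char[num];
        int i = 0;
        while (i < num) {
            int bits = random.nextInt(); // 32 random bits, 30 of them used
            for (int k = 0; k < 5 && i < num; k++) {
                // 64 is a power of two, so masking 6 bits picks a table entry without bias.
                salt[i++] = ALPHABET[bits & 0x3f];
                bits >>>= 6;
            }
        }
        return new String(salt);
    }

    /** SecureRandom that counts nextInt() calls, to check the "8 down to 2" figure. */
    static final class CountingSecureRandom extends SecureRandom {
        private static final long serialVersionUID = 1L;
        int calls;

        @Override
        public int nextInt() {
            calls++;
            return super.nextInt();
        }
    }

    public static void main(String[] args) {
        // Uses new SecureRandom() semantics (non-blocking default), as proposed in the thread.
        for (int length : new int[] {8, 16, 3}) {
            CountingSecureRandom random = new CountingSecureRandom();
            String salt = randomSalt(length, random);
            System.out.println(length + " chars: " + salt
                    + " (" + random.calls + " nextInt() calls)");
        }
    }
}
```

For lengths 8, 16 and 3 the call counter reports 2, 4 and 1, against one call per character in a per-character loop.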