[VOTE] Release Commons Collections 3.2.2 Based on RC2


[VOTE] Release Commons Collections 3.2.2 Based on RC2

Thomas Neidhart
Hi all,

in order to provide a work-around for the known remote code exploit via
java de-serialization of malicious InvokerTransformer instances, I would
like to start a vote to release Commons Collections 3.2.2 based on RC2.

Notes:

 * the site will not be published, it just serves as a reference to
access the various reports. After a successful vote, the current 4.X
branch site will be updated with relevant information and published.

 * some tests might fail with various IBM JDK 6 JREs; these are known
issues and have been worked around in the 4.X branch but are not
back-ported to this release.

 * Collections 3.2.2 cannot be compiled with JDK 8 due to a name clash
with a newly introduced default method in the Map interface.

 * the collections-testframework.jar that has been published in previous
versions is not included in this release


Changes from RC1:

 * fixed RAT report
 * fixed NOTICE file
 * improved the security fix: it has been made symmetric in the sense
   that also the serialization of an unsafe class is disabled by
   default and will result in an exception
 * changed the system property to re-enable serialization of unsafe
   classes. It is now
   "org.apache.commons.collections.enableUnsafeSerialization"
 * all classes in the functor package which (based on current
   knowledge) have to be considered unsafe cannot be serialized/
   de-serialized any more by default. This includes the following
   classes:

 ** CloneTransformer
 ** PrototypeFactory (inner classes
                      PrototypeCloneFactory and
                      PrototypeSerializationFactory)
 ** InstantiateFactory
 ** InstantiateTransformer
 ** ForClosure
 ** WhileClosure
 ** InvokerTransformer



Collections 3.2.2 RC2 is available for review here:
    https://dist.apache.org/repos/dist/dev/commons/collections/
    (svn revision 11147)

Maven artifacts are here:

https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/

Details of changes since 3.2.1 are in the release notes:

https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt

http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html

The tag is here:

https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
    (svn revision 1713883)

Site:
    http://people.apache.org/builds/commons/collections/3.2.2/RC2/

Clirr Report (compared to 3.2.1):

http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html

RAT Report:

http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html

KEYS:
  https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.


Considering that this is a security related release and that RC1 did not
show any functional problems with the release, I plan to close this vote
in 24 from now, i.e. after 1800 GMT 12-November 2015

  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...

Thanks,

Thomas

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
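The "Changes from RC1" notes above describe the fix mechanically: both serialization and de-serialization of the listed functor classes throw by default, and only the named system property re-enables them. The following is an added verification example, not code from Commons Collections or from anyone in this thread. The class name UnsafeSerializationCheck and the helper names are mine, and it assumes the refusal surfaces as an UnsupportedOperationException raised from the functor's writeObject/readObject; it reads the system property to report the JVM's state but never sets it. Run it with the 3.2.2 jar on the classpath to confirm that the build you deployed actually carries the fix.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.functors.NOPTransformer;

/**
 * Added verification example (hypothetical class, not part of Commons
 * Collections): checks that the build on the classpath refuses to
 * serialize an unsafe functor while a harmless functor still round-trips.
 */
public class UnsafeSerializationCheck {

    /** The property named in the RC2 notes; this example only reads it. */
    static final String ENABLE_PROPERTY =
            "org.apache.commons.collections.enableUnsafeSerialization";

    /** Returns the serialized form, or null if writeObject refused the object. */
    static byte[] trySerialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        try {
            oos.writeObject(o);
        } catch (UnsupportedOperationException e) {
            // Assumed exception type: 3.2.2 refuses writeObject() of an
            // unsafe functor unless the property is set to true
            System.out.println("writeObject refused: " + e.getMessage());
            return null;
        } finally {
            oos.close();
        }
        return bos.toByteArray();
    }

    /** Returns the restored object, or null if readObject refused the stream. */
    static Object tryDeserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        try {
            return ois.readObject();
        } catch (UnsupportedOperationException e) {
            // The mirror of the check above: a stream holding an unsafe functor
            // (for example one written by a 3.2.1 build) is refused the same way
            System.out.println("readObject refused: " + e.getMessage());
            return null;
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(ENABLE_PROPERTY + " = " + System.getProperty(ENABLE_PROPERTY)
                + " (unset or false means the 3.2.2 default is in force)");

        // A harmless functor must still round-trip unchanged.
        byte[] safeBytes = trySerialize(NOPTransformer.INSTANCE);
        boolean safeOk = safeBytes != null && tryDeserialize(safeBytes) instanceof Transformer;
        System.out.println("NOPTransformer round-trip works: " + safeOk);

        // An InvokerTransformer on a harmless method name, built only to
        // exercise the check. With the 3.2.2 default, trySerialize() returns null.
        Transformer unsafe = InvokerTransformer.getInstance("toString");
        byte[] unsafeBytes = trySerialize(unsafe);
        System.out.println("InvokerTransformer serialization blocked: " + (unsafeBytes == null));

        if (unsafeBytes != null) {
            System.out.println("WARNING: unsafe functor serialization is enabled on this JVM; "
                    + "check the commons-collections version on the classpath and the property");
        }
    }
}
```

A non-null result for the InvokerTransformer case means either an older jar shadows 3.2.2 on the classpath or the property has been set somewhere in the launch configuration; both are worth a look during rollout, since the fix only protects applications that actually run the patched class files with the default left in place.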


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

garydgregory
-1

I'm sorry, but the RAT check is still not right.

If you look at the POM:

https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2/pom.xml

you will see:

<exclude>src/test/resources/data/test/*</exclude>

This folder does not exist.

Which is why I see the following when I build:

Unapproved licenses:

  data/test/NullComparator.version2.obj1
  data/test/NullComparator.version2.obj2


and

B     data/test/NodeCachingLinkedList.fullCollection.version3.obj
 !????? data/test/NullComparator.version2.obj1
 !????? data/test/NullComparator.version2.obj2
  B     data/test/PredicatedBag.emptyCollection.version3.1.obj


Instead it should be:

<exclude>data/test/*</exclude>

and the RAT check is fine. Fixed in SVN.

Thank you,
Gary


--
E-Mail: [hidden email] | [hidden email]
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Oliver Heger-3
In reply to this post by Thomas Neidhart
Hi Thomas,

build works fine with Java 1.6 on Windows 10, artifacts and site look
good. So +1.

Unfortunately, I currently do not have the time to dig deeper into the
problem addressed by this release, so I cannot comment on the fixes.
As I do not have a current project that depends on collections 3.x, I
cannot test the release in the wild either. So this is more a technical
review.

Oliver


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

garydgregory
In reply to this post by garydgregory
FYI, I was testing with:



Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

garydgregory
FYI, I was testing with:

Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5;
2015-11-10T08:41:47-08:00)
Maven home: E:\Java\apache-maven-3.3.9\bin\..
Java version: 1.8.0_65, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.8.0_65\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"

(This is a release candidate for Maven 3.3.9).
Gary


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Phil Steitz
In reply to this post by garydgregory


> On Nov 11, 2015, at 12:05 PM, Gary Gregory <[hidden email]> wrote:
>
> -1

That is frankly ridiculous.  To -1 a release based on a false positive report about files not included in the release is absurd.

Phil


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Emmanuel Bourg-3
On 12/11/2015 04:39, Phil Steitz wrote:

> That is frankly ridiculous.  To -1 a release based on a false positive report about files not included in the release is absurd.

I agree with Phil. We are releasing code, not reports.

Emmanuel



Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Stefan Bodewig
In reply to this post by Phil Steitz
On 2015-11-12, Phil Steitz wrote:

>> On Nov 11, 2015, at 12:05 PM, Gary Gregory <[hidden email]> wrote:

>> -1

> That is frankly ridiculous.

Couldn't agree more.

Stefan


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Stefan Bodewig
In reply to this post by Thomas Neidhart
On 2015-11-11, Thomas Neidhart wrote:

> Please review the release candidate and vote.

+1

Stefan


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Luc Maisonobe-2
On 2015-11-12 10:18, Stefan Bodewig wrote:
> On 2015-11-11, Thomas Neidhart wrote:
>
>> Please review the release candidate and vote.


+1 for the release.

Luc


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

garydgregory
In reply to this post by Emmanuel Bourg-3
On Nov 11, 2015 11:45 PM, "Emmanuel Bourg" <[hidden email]> wrote:
>
> Le 12/11/2015 04:39, Phil Steitz a écrit :
>
> > That is frankly ridiculous.  To -1 a release based on false positive
> > report about files not included in the release is absurd.
>
> I agree with Phil. We are releasing code, not reports.

Keep in mind that we release sources and provide binaries as a convenience.
I consider it cleaner and proper to have all files in the source package
cleanly licensed and producing a clean build.

Gary

>
> Emmanuel
Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Jörg Schaible
In reply to this post by Thomas Neidhart
Hi Thomas,

Thomas Neidhart wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>  ** CloneTransformer
>  ** PrototypeFactory (inner classes
>                       PrototypeCloneFactory and
>                       PrototypeSerializationFactory)
>  ** InstantiateFactory
>  ** InstantiateTransformer
>  ** ForClosure
>  ** WhileClosure
>  ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC2 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11147)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>     (svn revision 1713883)
>
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 from now, i.e. after 1800 GMT 12-November 2015
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...

-1,

sorry, but there's a regression

The package claims to be compatible with Java 1.3. Well, I don't have 1.3
anymore, but 1.4. And I can build CC-3.2.1 and run all tests with Blackdown
JDK 1.4 and Maven 2.0.11.

For CC-3.2.2 I have to use at least Java 5 and Maven 3.0(.5):

- Using java-1.4 profile: Build fails, because tests no longer compile
- Sun JDK 1.5: TestAllPackages fails due to SecurityException:
================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================
- Sun JDK 1.6: OK
- Oracle JDK 1.7: OK
- IBM JDK 1.5: OK (!!)
- IBM JDK 1.6 (J9 2.4): fails (as expected, same for CC-3.2.1)
- IBM JDK 1.7: OK (!!)
- IcedTea 6 (OpenJDK): TestAllPackages fails due to SecurityException:
================== %< ==================
Running org.apache.commons.collections.TestAllPackages
java.lang.SecurityException
        at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
        at java.lang.System.getProperty(System.java:628)
        at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.io.PrintWriter.<init>(PrintWriter.java:77)
        at java.io.PrintWriter.<init>(PrintWriter.java:61)
        at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
        at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
        at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
================== %< ==================
- IcedTea 7 (OpenJDK): OK


TestExtendedProperties.testActiveSecurityManager is the only test using a
SM, but I wonder, why it fails the test now, because both failing JDKs have
no problem building CC-3.2.1 (using Maven 3.0.5) and all tests pass fine.

Cheers,
Jörg


Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Thomas Neidhart
On 11/12/2015 07:14 PM, Jörg Schaible wrote:

> Hi Thomas,
>
> Thomas Neidhart wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>>
>>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>>
>>  * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>>
>>
>> Changes from RC1:
>>
>>  * fixed RAT report
>>  * fixed NOTICE file
>>  * improve the security fix: it has been made symmetric in the sense
>>    that also the serialization of an unsafe class is disabled by
>>    default and will result in an exception
>>  * changed the system property to re-enable serialization of unsafe
>>    classes. It is now
>>    "org.apache.commons.collections.enableUnsafeSerialization"
>>  * all classes in the functor package which (based on current
>>    knowledge) have to be considered unsafe cannot be serialized/
>>    de-serialized any more by default. This includes the following
>>    classes:
>>
>>  ** CloneTransformer
>>  ** PrototypeFactory (inner classes
>>                       PrototypeCloneFactory and
>>                       PrototypeSerializationFactory)
>>  ** InstantiateFactory
>>  ** InstantiateTransformer
>>  ** ForClosure
>>  ** WhileClosure
>>  ** InvokerTransformer
>>
>>
>>
>> Collections 3.2.2 RC2 is available for review here:
>>     https://dist.apache.org/repos/dist/dev/commons/collections/
>>     (svn revision 11147)
>>
>> Maven artifacts are here:
>>
>>
> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>>
>> The tag is here:
>>
>>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>>     (svn revision 1713883)
>>
>> Site:
>>     http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>>
>> Clirr Report (compared to 3.2.1):
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>>
>> RAT Report:
>>
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>>
>> Considering that this is a security related release and that RC1 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24 from now, i.e. after 1800 GMT 12-November 2015
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>
> -1,
>
> sorry, but there's a regression
>
> The package claims to be compatible with Java 1.3. Well, I don't have 1.3
> anymore, but 1.4. And I can build CC-3.2.1 and run all tests with Blackdown
> JDK 1.4 and Maven 2.0.11.
>
> For CC-3.2.2 I have to use at least Java 5 and Maven 3.0(.5):
>
> - Using java-1.4 profile: Build fails, because tests no longer compile
> - Sun JDK 1.5: TestAllPackages fails due to SecurityException:
> ================== %< ==================
> Running org.apache.commons.collections.TestAllPackages
> java.lang.SecurityException
>         at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
>         at java.lang.System.getProperty(System.java:628)
>         at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.io.PrintWriter.<init>(PrintWriter.java:77)
>         at java.io.PrintWriter.<init>(PrintWriter.java:61)
>         at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
>         at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
>         at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
> ================== %< ==================
> - Sun JDK 1.6: OK
> - Oracle JDK 1.7: OK
> - IBM JDK 1.5: OK (!!)
> - IBM JDK 1.6 (J9 2.4): fails (as expected, same for CC-3.2.1)
> - IBM JDK 1.7: OK (!!)
> - IcedTea 6 (OpenJDK): TestAllPackages fails due to SecurityException:
> ================== %< ==================
> Running org.apache.commons.collections.TestAllPackages
> java.lang.SecurityException
>         at org.apache.commons.collections.TestExtendedProperties$1.checkPropertyAccess(TestExtendedProperties.java:322)
>         at java.lang.System.getProperty(System.java:628)
>         at sun.security.action.GetPropertyAction.run(GetPropertyAction.java:66)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at java.io.PrintWriter.<init>(PrintWriter.java:77)
>         at java.io.PrintWriter.<init>(PrintWriter.java:61)
>         at org.apache.maven.surefire.report.LegacyPojoStackTraceWriter.writeTraceToString(LegacyPojoStackTraceWriter.java:56)
>         at org.apache.maven.surefire.booter.ForkingRunListener.encode(ForkingRunListener.java:330)
>         at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:119)
> ================== %< ==================
> - IcedTea 7 (OpenJDK): OK
>
>
> TestExtendedProperties.testActiveSecurityManager is the only test using a
> SM, but I wonder, why it fails the test now, because both failing JDKs have
> no problem building CC-3.2.1 (using Maven 3.0.5) and all tests pass fine.

ok, the errors have been fixed in the branch.

I have successfully tested it with the Oracle/Sun jdk from 1.4 till 1.7

The Jdk 1.3 does not run anymore on my computer.

Maybe you have the time to execute the tests again from trunk, I will
create a new RC in about 2 hours.

Thomas

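
Jörg's traces above come from a SecurityManager that a test installs and that vetoes System.getProperty; the thread does not say what the actual regression was, and the program below is not the branch fix. It is an added example, not code from Commons Collections or from anyone in this thread, showing the one design decision a security switch that lives in a system property has to get right: when the read itself is forbidden, the switch must fail closed (unsafe serialization stays disabled) instead of letting a SecurityException escape into whatever called writeObject or readObject. The property name is the one from the vote mail; the SecurityManager subclass, the method names and the naive variant are illustrative. It needs a JDK that still has the Security Manager (JDK 17 or earlier; on 18 to 23 start the JVM with -Djava.security.manager=allow).

```java
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;

public class FailClosedFlagDemo {

    // Opt-in switch named in the vote mail for Collections 3.2.2 RC2.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    /**
     * Reads the opt-in flag the way a library should: the read runs in the
     * library's own privilege context (doPrivileged), and any SecurityException
     * is treated as "not enabled". An unreadable switch never turns unsafe
     * behaviour on, so a locked-down deployment gets the safe default.
     */
    static boolean unsafeSerializationEnabled() {
        String value;
        try {
            value = (String) AccessController.doPrivileged(new PrivilegedAction() {
                public Object run() {
                    return System.getProperty(PROP);
                }
            });
        } catch (SecurityException denied) {
            value = null; // fail closed
        }
        return "true".equalsIgnoreCase(value);
    }

    /** The naive variant: the SecurityException propagates to the caller. */
    static boolean naiveCheck() {
        return "true".equalsIgnoreCase(System.getProperty(PROP));
    }

    public static void main(String[] args) {
        System.setProperty(PROP, "true");
        System.out.println("no SecurityManager:    enabled=" + unsafeSerializationEnabled());

        // Illustrative manager: denies reading this one property, allows everything else
        // (checkPermission is a no-op so the JVM can still, e.g., reset the manager).
        System.setSecurityManager(new SecurityManager() {
            public void checkPermission(Permission perm) {
                /* allow */
            }
            public void checkPropertyAccess(String key) {
                if (PROP.equals(key)) {
                    throw new SecurityException("read of " + key + " denied by policy");
                }
            }
        });
        try {
            // Property is still "true", but the read is denied: the flag reports false.
            System.out.println("under SecurityManager: enabled=" + unsafeSerializationEnabled());
            try {
                naiveCheck();
                System.out.println("naive check: unexpectedly succeeded");
            } catch (SecurityException e) {
                System.out.println("naive check propagates: " + e.getMessage());
            }
        } finally {
            System.setSecurityManager(null);
        }
    }
}
```

Compile with javac and run with java FailClosedFlagDemo; the second line prints enabled=false even though the property is set, and the third shows the naive check surfacing the SecurityException to its caller, which is the shape of failure a test with an active SecurityManager would turn into a test error.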

[CANCEL][VOTE] Release Commons Collections 3.2.2 Based on RC2

Thomas Neidhart
In reply to this post by Thomas Neidhart
On 11/11/2015 05:27 PM, Thomas Neidhart wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
> access the various reports. After a successful vote, the current 4.X
> branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
> issues and have been worked-around in the 4.X branch but are not
> back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
> with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
> versions is not included in this release
>
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>  ** CloneTransformer
>  ** PrototypeFactory (inner classes
>                       PrototypeCloneFactory and
>                       PrototypeSerializationFactory)
>  ** InstantiateFactory
>  ** InstantiateTransformer
>  ** ForClosure
>  ** WhileClosure
>  ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC2 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/collections/
>     (svn revision 11147)
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
>
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>     (svn revision 1713883)
>
> Site:
>     http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>
> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 from now, i.e. after 1800 GMT 12-November 2015
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...

The vote is cancelled to fix the test errors on some java versions.

Thomas

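
The change list quoted above says that, from RC2 on, both serialization and deserialization of the listed functor classes fail by default and can be re-enabled only through the system property. The program below is an added example, not code from the Commons Collections project or from this thread; it exercises that switch with a commons-collections 3.2.2 jar on the classpath. The property name and the class names are taken from the vote mail, and the exception type caught (UnsupportedOperationException) is what 3.2.2 throws from its check; the transformer chain built here is a harmless stand-in for the shape the exploit uses (it would only call Runtime.availableProcessors, and the chain is never invoked anyway, only serialized). The FilteringObjectInputStream at the end is the check a practitioner keeps regardless of the flag: a look-ahead stream that rejects functor classes by name before any of their readObject hooks can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;

public class UnsafeSerializationDemo {

    // Opt-in switch introduced with 3.2.2 RC2 (from the vote mail).
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    // Reflective chain of the exploit's shape, with a harmless final call:
    // Runtime.class -> getMethod("getRuntime") -> invoke(null) -> availableProcessors().
    // Only InvokerTransformer instances in the object graph matter here; the
    // chain is never transform()ed, only written to and read from a byte stream.
    static Transformer buildChain() {
        return ChainedTransformer.getInstance(new Transformer[] {
            ConstantTransformer.getInstance(Runtime.class),
            InvokerTransformer.getInstance("getMethod",
                new Class[] { String.class, Class[].class },
                new Object[] { "getRuntime", new Class[0] }),
            InvokerTransformer.getInstance("invoke",
                new Class[] { Object.class, Object[].class },
                new Object[] { null, new Object[0] }),
            InvokerTransformer.getInstance("availableProcessors",
                new Class[0], new Object[0]),
        });
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(o);
        oos.close();
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes));
        try {
            return ois.readObject();
        } finally {
            ois.close();
        }
    }

    /** Illustrative look-ahead stream: refuses functor classes before they are instantiated. */
    static class FilteringObjectInputStream extends ObjectInputStream {
        FilteringObjectInputStream(InputStream in) throws IOException {
            super(in);
        }
        protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("org.apache.commons.collections.functors.")) {
                throw new InvalidClassException(name, "functor classes are not accepted from this stream");
            }
            return super.resolveClass(desc);
        }
    }

    public static void main(String[] args) throws Exception {
        Transformer chain = buildChain();

        // 1. Default (property unset): 3.2.2 refuses to write the object at all.
        System.clearProperty(PROP);
        try {
            serialize(chain);
            System.out.println("serialize: allowed (is a pre-3.2.2 jar on the classpath?)");
        } catch (UnsupportedOperationException e) {
            System.out.println("serialize: refused -> " + e.getMessage());
        }

        // 2. Opt in to produce the bytes. Note the property only governs the JVM it is
        //    set in; an attacker produces such bytes on a JVM of their own choosing.
        System.setProperty(PROP, "true");
        byte[] bytes = serialize(chain);
        System.out.println("serialize with opt-in: " + bytes.length + " bytes");

        // 3. Back to the default: the symmetric check refuses to read them.
        System.clearProperty(PROP);
        try {
            deserialize(bytes);
            System.out.println("deserialize: allowed (is a pre-3.2.2 jar on the classpath?)");
        } catch (UnsupportedOperationException e) {
            System.out.println("deserialize: refused -> " + e.getMessage());
        }

        // 4. Even where the opt-in is genuinely needed, the look-ahead stream still
        //    stops the gadget: it rejects the first functor class it meets by name.
        System.setProperty(PROP, "true");
        try {
            new FilteringObjectInputStream(new ByteArrayInputStream(bytes)).readObject();
            System.out.println("filtered stream: unexpectedly accepted the object");
        } catch (InvalidClassException e) {
            System.out.println("filtered stream: rejected " + e.classname);
        }
    }
}
```

Compile and run with commons-collections-3.2.2.jar on the classpath (javac -cp commons-collections-3.2.2.jar UnsafeSerializationDemo.java; java -cp .:commons-collections-3.2.2.jar UnsafeSerializationDemo). Steps 1 and 3 must print "refused"; if either prints "allowed", an older commons-collections jar is shadowing 3.2.2 on the classpath, which is exactly the condition a dependency audit of a deployed application should look for. Step 4 applies with any version of the library, which is why the filtering stream, not the property, is the control to rely on at the point where untrusted bytes are read.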

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Donald Freeman
In reply to this post by garydgregory

I wanted to forward this on. I found this article this morning talking about the issue on itworld.
http://www.itworld.com/article/3004632/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html

Thanks,
Don Freeman

On Thu, Nov 12, 2015 at 10:11 AM, Gary Gregory <[hidden email]> wrote:

> On Nov 11, 2015 11:45 PM, "Emmanuel Bourg" <[hidden email]> wrote:
> >
> > Le 12/11/2015 04:39, Phil Steitz a écrit :
> >
> > > That is frankly ridiculous.  To -1 a release based on false positive
> > > report about files not included in the release is absurd.
> >
> > I agree with Phil. We are releasing code, not reports.
>
> Keep in mind that we release sources and provide binaries as a convenience.
> I consider it cleaner and proper to have all files in the source package
> cleanly licensed and producing a clean build.
>
> Gary
>
> >
> > Emmanuel

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

Hank Grabowski
A more reasonable and measured article that appeared in JavaWorld:

http://www.javaworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html



On Fri, Nov 13, 2015 at 8:19 AM, Donald Freeman <[hidden email]>
wrote:

>
> I wanted to forward this on. I found this article this morning talking
> about the issue on itworld.
>
> http://www.itworld.com/article/3004632/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html
>
> Thanks,
> Don Freeman
>
> On Thu, Nov 12, 2015 at 10:11 AM, Gary Gregory <[hidden email]> wrote:
>
> > On Nov 11, 2015 11:45 PM, "Emmanuel Bourg" <[hidden email]> wrote:
> > >
> > > Le 12/11/2015 04:39, Phil Steitz a écrit :
> > >
> > > > That is frankly ridiculous.  To -1 a release based on false positive
> > > > report about files not included in the release is absurd.
> > >
> > > I agree with Phil. We are releasing code, not reports.
> >
> > Keep in mind that we release sources and provide binaries as a convenience.
> > I consider it cleaner and proper to have all files in the source package
> > cleanly licensed and producing a clean build.
> >
> > Gary
> >
> > >
> > > Emmanuel