[io] Black Duck apparently sees vulnerability in 2.5

Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Is there a PMC for IO?


On May 16, 2018 at 02:24:44, Stefan Bodewig ([hidden email]) wrote:

Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call
IO 2.5 vulnerable because of this issue - so far I've not been able to
verify this claim. I guess it is because of IO-556 that has been closed
as a duplicate of IO-559.

There is a PR (by me) to fix the bug
https://github.com/apache/commons-io/pull/52 - as this is my first
contribution to IO I'd appreciate if anybody else could spare some time
and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I
mean is there any work in progress that needs to be finished?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 2018-05-16, Otto Fowler wrote:

> Is there a PMC for IO?

Sure, IO is a component overseen by the Apache Commons PMC.

Maybe I should also point at http://commons.apache.org/security.html ?

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

I believe all security related issues and vulnerabilities need to be
handled privately by the PMC for the project.
Has this issue gone through he PMC?


On May 16, 2018 at 10:50:21, Gilles ([hidden email]) wrote:

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons".
Components are unequal wrt the number of contributors (and
attention they get from the PMC).

Gilles



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 2018-05-16, Otto Fowler wrote:

> I believe all security related issues and vulnerabilities need to be
> handled privately by the PMC for the project.
> Has this issue gone through he PMC?

The "issue" is public discussion in a JIRA issue, it is public knowledge
anyway.

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Am 16.05.2018 um 08:24 schrieb Stefan Bodewig:
> Also, would there be any reason to not cut a new release from master? I
> mean is there any work in progress that needs to be finished?

I think a new release from master can be done any time.

-Pascal

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

On 2018-05-17, Pascal Schumacher wrote:

> Am 16.05.2018 um 08:24 schrieb Stefan Bodewig:

>> Also, would there be any reason to not cut a new release from master? I
>> mean is there any work in progress that needs to be finished?

> I think a new release from master can be done any time.

Thanks, I also looked through the commits. To me it looks as if master
contained commits that address
https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
progress".

Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

WRT releasing, the new file system class needs to be finished/cleanup or
removed.

Gary

On Thu, May 17, 2018 at 1:27 PM, Stefan Bodewig <[hidden email]> wrote: