Hi all

https://issues.apache.org/jira/browse/IO-559 says BlackDuck would call IO 2.5 vulnerable because of this issue - so far I've not been able to verify this claim. I guess it is because of IO-556 that has been closed as a duplicate of IO-559.

There is a PR (by me) to fix the bug https://github.com/apache/commons-io/pull/52 - as this is my first contribution to IO I'd appreciate if anybody else could spare some time and verify it. I'll rebase it onto master soon.

Also, would there be any reason to not cut a new release from master? I mean is there any work in progress that needs to be finished?

Stefan

Is there a PMC for IO?
On 2018-05-16, Otto Fowler wrote:
> Is there a PMC for IO?

Sure, IO is a component overseen by the Apache Commons PMC. Maybe I should also point at http://commons.apache.org/security.html ?

Stefan

On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> Is there a PMC for IO?

There is a PMC for all of "Commons". Components are unequal wrt the number of contributors (and attention they get from the PMC).

Gilles

I believe all security related issues and vulnerabilities need to be handled privately by the PMC for the project.
Has this issue gone through the PMC?

On May 16, 2018 at 10:50:21, Gilles ([hidden email]) wrote:

> On Wed, 16 May 2018 07:33:54 -0700, Otto Fowler wrote:
> > Is there a PMC for IO?
>
> There is a PMC for all of "Commons". Components are unequal wrt the number of contributors (and attention they get from the PMC).
>
> Gilles

On 2018-05-16, Otto Fowler wrote:
> I believe all security related issues and vulnerabilities need to be
> handled privately by the PMC for the project.
> Has this issue gone through the PMC?

The "issue" is public discussion in a JIRA issue, it is public knowledge anyway.

Stefan

On 16.05.2018 at 08:24, Stefan Bodewig wrote:
> Also, would there be any reason to not cut a new release from master? I
> mean is there any work in progress that needs to be finished?

I think a new release from master can be done any time.

-Pascal

On 2018-05-17, Pascal Schumacher wrote:
> On 16.05.2018 at 08:24, Stefan Bodewig wrote:

>> Also, would there be any reason to not cut a new release from master? I
>> mean is there any work in progress that needs to be finished?

> I think a new release from master can be done any time.

Thanks, I also looked through the commits. To me it looks as if master contained commits that address https://issues.apache.org/jira/browse/IO-567 but the ticket says "in progress".

Stefan

WRT releasing, the new file system class needs to be finished/cleaned up or removed.

Gary

On Thu, May 17, 2018 at 1:27 PM, Stefan Bodewig <[hidden email]> wrote:

> On 2018-05-17, Pascal Schumacher wrote:
>
> > On 16.05.2018 at 08:24, Stefan Bodewig wrote:
>
> >> Also, would there be any reason to not cut a new release from master? I
> >> mean is there any work in progress that needs to be finished?
>
> > I think a new release from master can be done any time.
>
> Thanks, I also looked through the commits. To me it looks as if master
> contained commits that address
> https://issues.apache.org/jira/browse/IO-567 but the ticket says "in
> progress".
>
> Stefan