Hi all,

in order to provide a work-around for the known remote code exploit via Java de-serialization of malicious InvokerTransformer instances, I would like to start a vote to release Commons Collections 3.2.2 based on RC1.

I would kindly ask people to review the RC especially wrt the following topics:

* OSGI compatibility
* reproducing the exploits and verifying that it provides protection
* any kind of regression that this release might create with existing applications

Notes:

* the site will not be published, it just serves as a reference to access the various reports. After a successful vote, the current 4.X branch site will be updated with relevant information and published.
* some tests might fail with various IBM JDK 6 JREs, these are known issues and have been worked-around in the 4.X branch but are not back-ported to this release.

Collections 3.2.2 RC1 is available for review here:
  https://dist.apache.org/repos/dist/dev/commons/collections/ (svn revision 11092)

Maven artifacts are here:
  https://repository.apache.org/content/repositories/orgapachecommons-1115/commons-collections/commons-collections/3.2.2/

Details of changes since 3.2.1 are in the release notes:
  https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
  http://people.apache.org/builds/commons/collections/3.2.2/RC1/changes-report.html

The tag is here:
  https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC1 (svn revision 1713561)

Site:
  http://people.apache.org/builds/commons/collections/3.2.2/RC1/

Clirr Report (compared to 3.2.1):
  http://people.apache.org/builds/commons/collections/3.2.2/RC1/clirr-report.html

RAT Report:
  http://people.apache.org/builds/commons/collections/3.2.2/RC1/rat-report.html

KEYS:
  https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote. This vote will close no sooner than 72 hours from now, i.e. after 2300 GMT 12-November 2015

  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...

Thanks,
Thomas