On Tue, Nov 10, 2015 at 2:22 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> On 11/10/2015 10:52 PM, Gary Gregory wrote:
> > Hi all:
> >
> > -1
> >
> > Sorry, the RAT failure needs to be handled one way or another: exclude the
> > files or add headers:
> >
> > Unapproved licenses:
> >
> > data/test/NullComparator.version2.obj1
> > data/test/NullComparator.version2.obj2
> > xdocs/style/project.css
> >
> > I imagine the obj files can be excluded but the CSS file can just have a
> > header added, just like
> > https://svn.apache.org/repos/asf/commons/proper/daemon/trunk/src/docs/daemon.css
> >
> > It's just messy to rush this through without dotting the i's and so on.
>
> yeah, I did not see the 2 NullComparator files as the problem appears
> only on Windows. The same happened for the Collections 4 release, and I
> forgot about it.
>
> @css: wtf, are you serious to vote with -1 because of that and complain
> about the RC being messy? I mean, I can handle it if there are real
> issues to be fixed, and I had planned to cancel the VOTE anyways to make
> some more adjustments but something like that is just ridiculous. Just
> take a look at some other published commons releases and count the
> number of RAT errors, even for source files.

Sorry, two wrongs do not make a right. If other Commons components have made a mess of specific releases in the past, then that's sad. Either the RAT report is clean or it is not. If it is clean, I have to assume that exclusions in the POM for specific files or types of files have been done with careful consideration and that I can always go digging in the commit log to see a hopefully useful comment as to why the exclusion was made. Since this is a release to address a security issue, I would have hoped that all details would have been handled with extra care. I'd never get away with a sloppy release at work, and I hope I won't have to here either. In any case, a -1 is not a veto on a vote thread like it is on a commit, so this vote may yet pass. It's up to you as the RM to decide what to do.

I know that cutting releases is still a pain, we have a lot of gymnastics, it's not like pushing a button, but that's what we're stuck with for now.

Gary

>
> Thomas
>
> >
> > There is also the issue of the possibly wrong revision being tagged or
> > being used in the VOTE email thread. That can be fixed for RC2 as well.
> >
> > Gary
> >
> > On Mon, Nov 9, 2015 at 2:37 PM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:
> >
> >> Hi all,
> >>
> >> in order to provide a work-around for the known remote code exploit via
> >> java de-serialization of malicious InvokerTransformer instances, I would
> >> like to start a vote to release Commons Collections 3.2.2 based on RC1.
> >>
> >> I would kindly ask people to review the RC especially wrt the following
> >> topics:
> >>
> >> * OSGI compatibility
> >> * reproducing the exploits and verifying that it provides protection
> >> * any kind of regression that this release might create with existing
> >> applications
> >>
> >> Notes:
> >>
> >> * the site will not be published, it just serves as a reference to
> >> access the various reports. After a successful vote, the current 4.X
> >> branch site will be updated with relevant information and published.
> >>
> >> * some tests might fail with various IBM JDK 6 JREs, these are known
> >> issues and have been worked-around in the 4.X branch but are not
> >> back-ported to this release.
> >>
> >> Collections 3.2.2 RC1 is available for review here:
> >> https://dist.apache.org/repos/dist/dev/commons/collections/
> >> (svn revision 11092)
> >>
> >> Maven artifacts are here:
> >> https://repository.apache.org/content/repositories/orgapachecommons-1115/commons-collections/commons-collections/3.2.2/
> >>
> >> Details of changes since 3.2.1 are in the release notes:
> >> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC1/changes-report.html
> >>
> >> The tag is here:
> >> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC1
> >> (svn revision 1713561)
> >>
> >> Site:
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC1/
> >>
> >> Clirr Report (compared to 3.2.1):
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC1/clirr-report.html
> >>
> >> RAT Report:
> >> http://people.apache.org/builds/commons/collections/3.2.2/RC1/rat-report.html
> >>
> >> KEYS:
> >> https://www.apache.org/dist/commons/KEYS
> >>
> >> Please review the release candidate and vote.
> >>
> >> This vote will close no sooner than 72 hours from now, i.e. after 2300
> >> GMT 12-November 2015
> >>
> >> [ ] +1 Release these artifacts
> >> [ ] +0 OK, but...
> >> [ ] -0 OK, but really should fix...
> >> [ ] -1 I oppose this release because...
> >>
> >> Thanks,
> >>
> >> Thomas
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >> For additional commands, e-mail: dev-h...@commons.apache.org
> >>

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory