Hi Thomas, build works fine with Java 1.6 on Windows 10, artifacts and site look good. So +1.
Unfortunately, I currently do not have the time to dig deeper into the problem addressed by this release, so I cannot comment on the fixes. As I do not have a current project that depends on collections 3.x, I cannot test the release in the wild either. So this is more a technical review.

Oliver

On 11.11.2015 at 17:27, Thomas Neidhart wrote:
> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
> * the site will not be published, it just serves as a reference to
>   access the various reports. After a successful vote, the current 4.X
>   branch site will be updated with relevant information and published.
>
> * some tests might fail with various IBM JDK 6 JREs, these are known
>   issues and have been worked-around in the 4.X branch but are not
>   back-ported to this release.
>
> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>   with a newly introduced default method in the Map interface.
>
> * the collections-testframework.jar that has been published in previous
>   versions is not included in this release
>
>
> Changes from RC1:
>
> * fixed RAT report
> * fixed NOTICE file
> * improve the security fix: it has been made symmetric in the sense
>   that also the serialization of an unsafe class is disabled by
>   default and will result in an exception
> * changed the system property to re-enable serialization of unsafe
>   classes. It is now
>   "org.apache.commons.collections.enableUnsafeSerialization"
> * all classes in the functor package which (based on current
>   knowledge) have to be considered unsafe cannot be serialized/
>   de-serialized any more by default.
>   This includes the following classes:
>
>   ** CloneTransformer
>   ** PrototypeFactory (inner classes PrototypeCloneFactory and
>      PrototypeSerializationFactory)
>   ** InstantiateFactory
>   ** InstantiateTransformer
>   ** ForClosure
>   ** WhileClosure
>   ** InvokerTransformer
>
>
> Collections 3.2.2 RC2 is available for review here:
>   https://dist.apache.org/repos/dist/dev/commons/collections/
>   (svn revision 11147)
>
> Maven artifacts are here:
>   https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>   https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
>   https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>   (svn revision 1713883)
>
> Site:
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 from now, i.e. after 1800 GMT 12-November 2015
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
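
The symmetric guard described under "Changes from RC1", sketched as an added example that is not part of the e-mail thread and is not the Commons Collections source. `GuardedFunctor` is a hypothetical class; the exception type and the rule that only the value "true" opts in are assumptions, and only the property name is taken from the e-mail.

```java
import java.io.*;

// Hypothetical stand-in for an "unsafe" functor class; not Commons Collections code.
public class GuardedFunctor implements Serializable {
    private static final long serialVersionUID = 1L;
    // Property name as quoted in the vote e-mail.
    static final String ENABLE_PROPERTY =
        "org.apache.commons.collections.enableUnsafeSerialization";

    private final String methodName;

    public GuardedFunctor(String methodName) { this.methodName = methodName; }

    // Assumption: only "true" opts in; the exception type is chosen for this sketch.
    private static void checkAllowed() {
        if (!"true".equalsIgnoreCase(System.getProperty(ENABLE_PROPERTY))) {
            throw new UnsupportedOperationException(
                "Serialization support for " + GuardedFunctor.class.getName()
                + " is disabled; set -D" + ENABLE_PROPERTY + "=true to enable it");
        }
    }

    // Guard on the write side: the object never reaches the stream by default.
    private void writeObject(ObjectOutputStream out) throws IOException {
        checkAllowed();
        out.defaultWriteObject();
    }

    // Guard on the read side: bytes produced elsewhere are rejected by default.
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        checkAllowed();
        in.defaultReadObject();
    }

    public static void main(String[] args) throws Exception {
        GuardedFunctor f = new GuardedFunctor("toString");
        try {
            new ObjectOutputStream(new ByteArrayOutputStream()).writeObject(f);
        } catch (UnsupportedOperationException e) {
            System.out.println("write blocked by default: " + e.getMessage());
        }
        // Opt in, serialize, then drop the opt-in to show the read side is guarded too.
        System.setProperty(ENABLE_PROPERTY, "true");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        new ObjectOutputStream(buf).writeObject(f);
        System.clearProperty(ENABLE_PROPERTY);
        try {
            new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray())).readObject();
        } catch (UnsupportedOperationException e) {
            System.out.println("read blocked by default: " + e.getMessage());
        }
    }
}
```

Because the check sits in both `writeObject` and `readObject`, the property has to be set in whichever JVM performs the operation; setting it only on the sending side does not let the receiving side accept the stream.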