> On Nov 11, 2015, at 12:05 PM, Gary Gregory <garydgreg...@gmail.com> wrote:
> 
> -1

That is frankly ridiculous.  To -1 a release based on a false positive report 
about files not included in the release is absurd.

Phil 
> 
> I'm sorry, but the RAT check is still not right.
> 
> If you look at the POM:
> 
> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2/pom.xml
> 
> you will see:
> 
> <exclude>src/test/resources/data/test/*</exclude>
> 
> This folder does not exist.
> 
> Which is why I see the following when I build:
> 
> Unapproved licenses:
> 
>  data/test/NullComparator.version2.obj1
>  data/test/NullComparator.version2.obj2
> 
> 
> and
> 
> B     data/test/NodeCachingLinkedList.fullCollection.version3.obj
> !????? data/test/NullComparator.version2.obj1
> !????? data/test/NullComparator.version2.obj2
>  B     data/test/PredicatedBag.emptyCollection.version3.1.obj
> 
> 
> Instead it should be:
> 
> <exclude>data/test/*</exclude>
> 
> and the RAT check is fine. Fixed in SVN.
> 
> Thank you,
> Gary
> 
> On Wed, Nov 11, 2015 at 8:27 AM, Thomas Neidhart <thomas.neidh...@gmail.com>
> wrote:
> 
>> Hi all,
>> 
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>> 
>> Notes:
>> 
>> * the site will not be published, it just serves as a reference to
>> access the various reports. After a successful vote, the current 4.X
>> branch site will be updated with relevant information and published.
>> 
>> * some tests might fail with various IBM JDK 6 JREs, these are known
>> issues and have been worked-around in the 4.X branch but are not
>> back-ported to this release.
>> 
>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>> with a newly introduced default method in the Map interface.
>> 
>> * the collections-testframework.jar that has been published in previous
>> versions is not included in this release
>> 
>> 
>> Changes from RC1:
>> 
>> * fixed RAT report
>> * fixed NOTICE file
>> * improve the security fix: it has been made symmetric in the sense
>>   that also the serialization of an unsafe class is disabled by
>>   default and will result in an exception
>> * changed the system property to re-enable serialization of unsafe
>>   classes. It is now
>>   "org.apache.commons.collections.enableUnsafeSerialization"
>> * all classes in the functor package which (based on current
>>   knowledge) have to be considered unsafe cannot be serialized/
>>   de-serialized any more by default. This includes the following
>>   classes:
>> 
>> ** CloneTransformer
>> ** PrototypeFactory (inner classes
>>                      PrototypeCloneFactory and
>>                      PrototypeSerializationFactory)
>> ** InstantiateFactory
>> ** InstantiateTransformer
>> ** ForClosure
>> ** WhileClosure
>> ** InvokerTransformer
>> 
>> 
>> 
>> Collections 3.2.2 RC2 is available for review here:
>>    https://dist.apache.org/repos/dist/dev/commons/collections/
>>    (svn revision 11147)
>> 
>> Maven artifacts are here:
>> 
>> 
>> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>> 
>> Details of changes since 3.2.1 are in the release notes:
>> 
>> 
>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>> 
>> 
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>> 
>> The tag is here:
>> 
>> 
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>>    (svn revision 1713883)
>> 
>> Site:
>>    http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>> 
>> Clirr Report (compared to 3.2.1):
>> 
>> 
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>> 
>> RAT Report:
>> 
>> 
>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>> 
>> KEYS:
>>  https://www.apache.org/dist/commons/KEYS
>> 
>> Please review the release candidate and vote.
>> 
>> 
>> Considering that this is a security related release and that RC1 did not
>> show any functional problems with the release, I plan to close this vote
>> in 24 from now, i.e. after 1800 GMT 12-November 2015
>> 
>>  [ ] +1 Release these artifacts
>>  [ ] +0 OK, but...
>>  [ ] -0 OK, but really should fix...
>>  [ ] -1 I oppose this release because...
>> 
>> Thanks,
>> 
>> Thomas
>> 
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
> 
> 
> -- 
> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
> Java Persistence with Hibernate, Second Edition
> <http://www.manning.com/bauer3/>
> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
> Spring Batch in Action <http://www.manning.com/templier/>
> Blog: http://garygregory.wordpress.com
> Home: http://garygregory.com/
> Tweet! http://twitter.com/GaryGregory
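
The "symmetric" guard described in the RC2 change list quoted above, as an added sketch (not code from this thread or from Commons Collections): a class refuses both serialization and de-serialization unless the system property named in the release notes is set to `true`. The class `ReflectiveTransformer` and the helper `checkUnsafeSerialization` are hypothetical names used for illustration.

```java
import java.io.*;

public class UnsafeSerializationGuardDemo {
    // Property name as given in the RC2 change list.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    // Hypothetical helper: refuse unless the property is explicitly "true".
    static void checkUnsafeSerialization(Class<?> type) {
        if (!Boolean.getBoolean(PROP)) {
            throw new UnsupportedOperationException("Serialization of " + type.getName()
                + " is disabled; set system property '" + PROP + "' to 'true' to enable it");
        }
    }

    // Hypothetical stand-in for a functor considered unsafe to (de)serialize.
    static class ReflectiveTransformer implements Serializable {
        private static final long serialVersionUID = 1L;
        final String methodName;
        ReflectiveTransformer(String methodName) { this.methodName = methodName; }

        // Guard on the way out: the symmetric half added in RC2.
        private void writeObject(ObjectOutputStream out) throws IOException {
            checkUnsafeSerialization(ReflectiveTransformer.class);
            out.defaultWriteObject();
        }
        // Guard on the way in: blocks untrusted streams from instantiating the class.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            checkUnsafeSerialization(ReflectiveTransformer.class);
            in.defaultReadObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        ReflectiveTransformer t = new ReflectiveTransformer("toString");
        try { serialize(t); } catch (UnsupportedOperationException e) { System.out.println("write blocked: " + e.getMessage()); }
        System.setProperty(PROP, "true");   // explicit opt-in
        byte[] bytes = serialize(t);
        System.clearProperty(PROP);         // back to the default
        try { deserialize(bytes); } catch (UnsupportedOperationException e) { System.out.println("read blocked: " + e.getMessage()); }
    }
}
```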
