Two findings:

* Selenium is now included in fortress-web as runtime dependency, I guess it is only required as test dependency? License wise that's fine and not a blocker because it uses Apache License. However it increases the WAR file size from 26MB to 34MB and adds many more libs which may increase attack surface. I let you decide if that should be considered as blocker.
* Future releases should not include md5 checksums, please see mail from Henk with subject "checksum file Release Distribution Policy" and https://www.apache.org/dev/release-distribution#sigs-and-sums. But currently it's still allowed, right?

Otherwise +1 from me:

* Verified checksums and signatures of the source packages
* Checked license and notice files
* Built all 4 source packages with OpenJDK 1.8.0_172 on Linux
* Ran fortress core integration tests against ApacheDS and OpenLDAP

Kind Regards,
Stefan

On 07/09/2018 04:41 PM, Shawn McKinney wrote:
> Hello,
>
> I’m happy to announce that after a year’s worth of work we’ve managed to put
> together a new release. Just to set expectations, it won’t be another before
> the next one.
>
> There are some interesting items that need out. Yudhi’s High availability
> being one of them.
>
> Also I should mention a few patches security related, i.e. ++versions on
> artifacts from apache cxf and others which make this release particularly
> important.
>
> For those new to *testing* Fortress releases, I highly recommend using one of
> the DOCKER quick starts listed below. Run the steps up to and including
> ‘integration tests’. On a linux machine that has preqs (docker, java8, mvn,
> git) should take < 10 minutes to complete. Do not hesitate to prompt me on
> our ml if you have questions or doubts.
>
> Lastly, apologize in advance. Wrt to improving the fortress source
> bundling/staging to simplify *your* job testing the releases. Both Stefan
> and Colm kindly offered suggestions last year, but the ball got dropped.
> We’ll get ‘er right by next time.
>
> Now the release…
>
> *********************
>
> This is an announcement to vote for the next Apache Directory Fortress.
>
> The version, 2.0.1, has a tag created in git: ‘2.0.1’.
>
> and the sources may be pulled using git commands:
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-commander.git
>
> with their associated checksums:
> - core: 4009d2d0a5cc7b6d2a5a2e744a7dabab52c64e65
> - realm: dc23b6cbb93d1d0e998f0dcd03e7665df8c97475
> - rest: 1189b666a66176731c745c7c8be984f76f59a76d
> - web: 0423ea8b8dc3a6a410e84908ba9272661bcadb63
>
> Or, source distros may be downloaded from this location:
> http://home.apache.org/~smckinney/
>
> The staging repos on Nexus:
> - core: https://repository.apache.org/content/repositories/orgapachedirectory-1159
> - realm: https://repository.apache.org/content/repositories/orgapachedirectory-1160
> - rest: https://repository.apache.org/content/repositories/orgapachedirectory-1161
> - web: https://repository.apache.org/content/repositories/orgapachedirectory-1162
>
> Test using one of these:
> * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-APACHEDS.md
> * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md
> * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-SLAPD.md
> * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md
>
> - Choose one of the above. Complete (only) the sections leading up to and
> including the SECTION entitled: 'Apache Fortress Core Integration Test’
> - Choose the docker quickstart & save time. Won't have to install an LDAP
> server for the integration tests.
>
> 2.0.1 includes:
> * Update to use Apache LDAP API v1.0.2
> * FC-235 Add support for runtime constraints to be placed on activated roles
> * FC-102 [fortress-web] fix problems with group page
> * FC-108 Add support for RFC2307 BIS
> * FC-217 Option to disable role occupants
> * FC-226 ehcache masking security exceptions
> * FC-227 Exclude xml-apis from LDAP api
> * FC-228 [fortress-rest] CVE-2017-12624: Apache CXF web services that process
> attachments are vulnerable to Denial of Service (DoS) attacks
> * FC-233 [FORTRESS-REST] Upgrade to Spring 5 and latest CXF
> * FC-232 [fortress-web] to Spring 5 and Wicket 7.9
>
> * The complete list from JIRA:
> https://issues.apache.org/jira/browse/FC-232?jql=project%20%3D%2012315921%20AND%20fixVersion%20%3D%2012338782%20ORDER%20BY%20priority%20DESC%2C%20key%20ASC
>
> Please vote:
>
> [ ] +1 | Release Fortress core, realm, rest and web 2.0.1
> [ ] +/-0 | Abstain
> [ ] -1 | Do *NOT* Release Fortress core, realm, rest and web 2.0.1
>
> Shawn
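
Added example, not part of the mail thread above and not Fortress project code: a release-directory audit that flags .md5 sidecars (the second finding in the reply) and verifies .sha256/.sha512 sidecars against their artifacts. The file names, function names and finding strings are assumptions made for this illustration, and the sample directory is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

STRONG = {".sha256": "sha256", ".sha512": "sha512"}  # sidecars that get verified
DEPRECATED = {".md5"}  # checksum type the mail says future releases should drop

def parse_sidecar(text, algo):
    """Return the lower-case hex digest from a sidecar file, or None. Accepts bare
    hex, 'hex  filename' (sha512sum) and 'name: AB12 CD34 ..' (gpg --print-md)."""
    want = hashlib.new(algo).digest_size * 2
    if ":" in text:  # gpg --print-md layout: join the spaced hex groups
        candidate = "".join(text.split(":", 1)[1].split())
    else:  # first token only, so hex letters in the file name are ignored
        candidate = (text.split() or [""])[0]
    candidate = candidate.lower()
    ok = len(candidate) == want and re.fullmatch(r"[0-9a-f]+", candidate)
    return candidate if ok else None

def audit_release_dir(directory):
    """Return (file name, finding) for every checksum sidecar, sorted by name."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        suffix = path.suffix.lower()
        if suffix in DEPRECATED:
            findings.append((path.name, "deprecated checksum type"))
        elif suffix in STRONG:
            artifact = path.with_suffix("")  # a.zip.sha512 -> a.zip
            expected = parse_sidecar(path.read_text(), STRONG[suffix])
            if not artifact.is_file() or expected is None:
                findings.append((path.name, "cannot verify"))
                continue
            actual = hashlib.new(STRONG[suffix], artifact.read_bytes()).hexdigest()
            findings.append((path.name, "ok" if actual == expected else "digest mismatch"))
    return findings

def demo():
    """Audit a constructed directory: one good, one bad and one md5 sidecar."""
    with tempfile.TemporaryDirectory() as tmp:
        d, data = Path(tmp), b"constructed sample artifact\n"
        (d / "sample-src.zip").write_bytes(data)
        digest = hashlib.sha512(data).hexdigest().upper()
        groups = " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))
        (d / "sample-src.zip.sha512").write_text(f"sample-src.zip: {groups}\n")
        (d / "sample-src.zip.sha256").write_text("0" * 64 + "  sample-src.zip\n")
        (d / "sample-src.zip.md5").write_text("constructed md5 sidecar\n")
        return audit_release_dir(d)
```

Call audit_release_dir() on a directory of downloaded source packages; it checks digests only, so the .asc signatures still have to be verified separately.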