> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <m...@stefan-seelmann.de> wrote:
>
> Two findings:
>
> * Selenium is now included in fortress-web as runtime dependency, I
> guess it is only required as test dependency? License wise that's fine
> and not a blocker because it uses Apache License. However it increases
> the WAR file size from 26MB to 34MB and adds many more libs which may
> increase attack surface. I let you decide if that should be considered
> as blocker.

Good eye Stefan! Updated in trunk. I don’t believe this is a show-stopper, more of an annoyance, and will proceed unless there are objections from others.

> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <m...@stefan-seelmann.de> wrote:
>
> Two findings:
>
> * Future releases should not include md5 checksums, please see mail from
> Henk with subject "checksum file Release Distribution Policy" and
> https://www.apache.org/dev/release-distribution#sigs-and-sums. But
> currently it's still allowed, right?

Ah OK. I’ll make note of that in my release procedures. I suppose we can still exclude right? Just remove from the maven staging repo and won’t load into SVN dist. Let me know if that doesn’t sound right.

> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <m...@stefan-seelmann.de> wrote:
>
> Otherwise +1 from me:
>
> * Verified checksums and signatures of the source packages
> * Checked license and notice files
> * Built all 4 source packages with OpenJDK 1.8.0_172 on Linux
> * Run fortress core integration tests against ApacheDS and OpenLDAP

Cool, thanks!!

—Shawn