One might expect "commiter" to imply a coder, but could someone who is
not going to actually work on xerces code be made a committer? If so,
what skills would such a person need in order to help get the release out?
On 01/11/2018 01:42 PM, Michael Glavassevich wrote:
A lot of what needs to get done requires write-access and that can
only be done by committers [1]. That's where this project has been
hurting for a long time and where we definitely need help. Of course
there are activities such as testing or doing a build that anyone
could do, but someone with commit access is needed to pull a release
together.
Thanks.
[1] http://www.apache.org/foundation/getinvolved.html#become-a-committer
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org
Will Herrmann <wjherrm...@gmail.com> wrote on 01/10/2018 11:34:39 PM:
> I too work with an organization that is a bit concerned about using
> a library with a 5-year old security issue. If the issue is a lack
> of volunteers, what can we do to help, especially given that the fix
> is already done? Do you need testers? People to build from source?
> Something else?
>
> -Will Herrmann
>
> > As has been the case for a long time, Xerces-J 2.12.0 needs
volunteers to
> > actually make this release happen.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrgla...@ca.ibm.com
> > E-mail: mrgla...@apache.org
> >
> > Gary Gregory <garydgreg...@gmail.com> wrote on 12/22/2017 01:46:28 PM:
> >
> > > Good question. Xerces has been rather... inactive :-(
> > >
> > > Gary
> > >
> > > On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <
> > > yves.geissbueh...@incentage.com> wrote:
> > > Hi all,
> > > my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency
> > > Check [1] having the vulnerability CVE-2012-0881.
> > >
> > > After some investigation I found that CVE-2012-0881 has been indeed
> > > fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
> > >
> > > However, no specific release date is given [3].
> > >
> > > Could you point me to a release schedule or do you know the release
> > date?
> > >
> > > Using libraries which contain vulnerabilities is not an option for
> > > my organisation. So, I'm hoping for a Xerces-J 2.11.0 release
> > > happening soonish.
> > >
> > > Best regards,
> > > Yves
> > >
> > > [1] https://urldefense.proofpoint.com/v2/url?
>
u=https-3A__www.owasp.org_index.php_OWASP-5FDependency-5FCheck&d=DwIFaQ&c=jf_iaSHvJObTbx-
> siA1ZOg&r=KSsQtaTrbQnz98UqasbfUccVGXxb9hHxwso62zJ-
> DKI&m=mhg1UoAqEyPAE-
>
iRxRa_1F1tVGzXVcJXZNLn39oyBRM&s=8VFeoB1BkOSReGrRxENRnFx7vA5raEwKWVB8GdwRkf8&e=
> > > [2] https://urldefense.proofpoint.com/v2/url?
>
u=https-3A__issues.apache.org_jira_browse_XERCESJ-2D1685&d=DwIFaQ&c=jf_iaSHvJObTbx-
> siA1ZOg&r=KSsQtaTrbQnz98UqasbfUccVGXxb9hHxwso62zJ-
> DKI&m=mhg1UoAqEyPAE-
>
iRxRa_1F1tVGzXVcJXZNLn39oyBRM&s=hCJU3BJU6XA9RAk8dWjptod9p0vLPln5AdUllsOIlus&e=
> > > [3] https://urldefense.proofpoint.com/v2/url?
>
u=https-3A__issues.apache.org_jira_projects_XERCESJ_versions_12336542&d=DwIFaQ&c=jf_iaSHvJObTbx-
> siA1ZOg&r=KSsQtaTrbQnz98UqasbfUccVGXxb9hHxwso62zJ-
> DKI&m=mhg1UoAqEyPAE-
>
iRxRa_1F1tVGzXVcJXZNLn39oyBRM&s=InGKcCzaUSGYeBbHNA8i3dJtU2CQb40diziknWlHYJY&e=
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> For additional commands, e-mail: j-users-h...@xerces.apache.org
