Re: Correctly configuring Apache Commons components for oss-fuzz

2022-11-23 Thread Mark Thomas

On 21/11/2022 04:22, Oliver Chang wrote:

Hi Mark,

Thanks for the early feedback.

Re a), unfortunately I'm not aware of an easy way to do this with our
current bug tracking system (Monorail). If it's an important feature to
have, one way to achieve this may be to set up a separate
"security-oss-fuzz-not...@commons.apache.org" group or something similar to
be CCed on all issues, which just forwards any notifications to the main
"secur...@commons.apache.org" list. The main list can then filter out emails
based on the recipient to avoid duplication. Would that work?


Given that Monorail is a Google owned / controlled project I'd hope that 
such a feature addition would be possible.



Re b), thank you for the feedback. We will be working on making our bug
reports contain more actionable context in the notifications themselves.


Thank you.


I have just finished reviewing approximately 50 oss-fuzz reports for 
Commons. Given the excessive noise to signal ratio, the Apache Commons 
project has disabled all email notifications from monorail to our 
security team unless we explicitly mark the issue of interest.


That gets us to a position where our security mailing list isn't swamped.

We will continue to receive notifications for all issues at 
fuzz-test...@commons.apache.org


If you could ensure that fuzz-test...@commons.apache.org is on the CC 
for all Apache Commons components that would ensure we don't miss anything.


On reflection, it would probably be better if 
fuzz-test...@commons.apache.org was the primary contact for all Commons 
components and secur...@commons.apache.org was on the CC list.



The remaining major point is triage of discovered issues. We are still 
putting together our thoughts on that given the high number of issues 
and high false positive rate.


Mark




Best,
Oliver

On Sun, 20 Nov 2022 at 21:24, Mark Thomas  wrote:


Hi Oliver,

The following are a couple of (hopefully) low hanging fruit that will
smooth a couple of rough edges. These aren't the biggest issues - just
something to get started with.

a) It would be very helpful if there was an option to enable sending of
 notifications for your own comments.

b) It would be helpful if more (actually all) of the issue detail was
 included in the notification emails.

Mark


On 18/11/2022 00:02, Oliver Chang wrote:

Thanks Mark.

Please let us know how we can help make this fuzzing experience better
for you. We're also happy to jump on a call to walk through your
concerns and reach a good outcome.

Best regards,
--
Oliver


On Thu, 17 Nov 2022 at 06:56, Mark Thomas <ma...@apache.org> wrote:

 I haven't forgotten about this. I am currently working through the open
 issues. I want to complete that first so feedback isn't skewed by a
 single project.

 Mark


 On 11/11/2022 14:45, Roman Wagner wrote:
  > Hi Mark,
  >
  > I think the best way forward is to collaborate and have a short feedback
  > loop.
  >
  > Did you mean build failures by “Invalid due to broken test”? If yes, I am
  > not sure what we can do about the broken tests since those are already
  > executed and tested by check build scripts locally and in a CI/CD pipeline.
  > Build and Coverage failures are sometimes supposed to happen if there are
  > changes in the target repository itself or if there are infrastructure
  > issues in OSS-Fuzz. We will investigate those issues in more detail. Maybe
  > some filter in the apache mailing list is helpful for you in the short
  > term, Fuzzing and Coverage build issues have a "build failure" string in
  > the subject. That would enable you to focus on the reports only.
  >
  > In order to make sure that we get high-quality tests and results,
  > maintainer feedback from apache will be very valuable and welcome. You have
  > the best domain knowledge about your code base and can give valuable hints
  > on which APIs to tackle best. There was already some valuable feedback for
  > Apache Tomcat in https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53153.
  > Let us extend this collaboration. We can discuss and agree on the attack
  > vectors in apache-commons components.
  >
  > Best regards
  > Roman
  >
  > On Thu, Nov 10, 2022 at 10:29 AM Mark Thomas <ma...@apache.org> wrote:
  >
  >> Oliver,
  >>
  >> My requirements regarding configuration are:
  >>
  >> - secur...@commons.apache.org MUST be notified of all security
  >> vulnerability reports for all Apache Commons components
  >>
  >> - a mechanism MUST be provided for the secur...@commons.apache.org
  >> Google user to view all historical repor

Re: [commons-daemon] tag commons-daemon-1.3.2 created (now 4189f27)

2022-11-23 Thread Gary Gregory
Don't you mean 1.3.3?

Gary

On Wed, Nov 23, 2022, 14:32  wrote:

> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a change to tag commons-daemon-1.3.2
> in repository https://gitbox.apache.org/repos/asf/commons-daemon.git
>
>
>   at 4189f27  (commit)
> No new revisions were added by this update.
>
>


Re: [commons-daemon] tag commons-daemon-1.3.2 created (now 4189f27)

2022-11-23 Thread Mark Thomas
No. We only had the RC1 tag for 1.3.2. This just creates a duplicate tag 
for that version without the RC1 suffix.


But I did spot the need for it while preparing for 1.3.3-RC1.

Mark

On 23/11/2022 19:34, Gary Gregory wrote:



Re: [commons-daemon] tag commons-daemon-1.3.2 created (now 4189f27)

2022-11-23 Thread Gary Gregory
Ah, then it should have the rel/ prefix.

Gary

On Wed, Nov 23, 2022, 15:30 Mark Thomas  wrote:


[VOTE] Release Apache Commons Daemon 1.3.3 based on RC1

2022-11-23 Thread Mark Thomas
We have fixed a few bugs since Apache Commons Daemon 1.3.2 was released, 
so I would like to release Apache Commons Daemon 1.3.3.


Apache Commons Daemon 1.3.3 RC1 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/daemon/1.3.3-RC1 
(svn revision svn: 58217)


The Git tag commons-daemon-1.3.3-RC1 commit for this RC is 
5ead75b56ce0e171931de808bf0529666c1c4cbb which you can browse here:


https://gitbox.apache.org/repos/asf?p=commons-daemon.git;a=commit;h=5ead75b56ce0e171931de808bf0529666c1c4cbb
You may checkout this tag using:
git clone https://gitbox.apache.org/repos/asf/commons-daemon.git 
--branch commons-daemon-1.3.3-RC1 commons-daemon-1.3.3-RC1


Maven artifacts are here:

https://repository.apache.org/content/repositories/orgapachecommons-1606/commons-daemon/commons-daemon/1.3.3/

These are the artifacts and their hashes:




KEYS:
  https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.
This vote will close no sooner than 72 hours from now.

  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...

Thank you,

Mark Thomas,
Release Manager (using key 10C01C5A2F6059E7)

The following is intended as a helper and refresher for reviewers.

Validating a release candidate
==

These guidelines are NOT complete.

Requirements: Git, Java, Maven.

You can validate a release from a release candidate (RC) tag as follows.

1) Clone and checkout the RC tag

git clone https://gitbox.apache.org/repos/asf/commons-daemon.git 
--branch commons-daemon-1.3.3-RC1 commons-daemon-1.3.3-RC1

cd commons-daemon-1.3.3-RC1

2) Check Apache licenses

This step is not required if the site includes a RAT report page which 
you then must check.


mvn apache-rat:check

3) Check binary compatibility

Older components still use Apache Clirr:

This step is not required if the site includes a Clirr report page which 
you then must check.


mvn clirr:check

Newer components use JApiCmp with the japicmp Maven Profile:

This step is not required if the site includes a JApiCmp report page 
which you then must check.


mvn install -DskipTests -P japicmp japicmp:cmp

4) Build the package

mvn -V clean package

You can record the Maven and Java version produced by -V in your VOTE reply.
To gather OS information from a command line:
Windows: ver
Linux: uname -a

5) Build the site for a single module project

Note: Some plugins require the components to be installed instead of 
packaged.


mvn site
Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html

6) Build the site for a multi-module project

mvn site
mvn site:stage
Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html

-the end-
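An added example, not part of the vote mail or of the Commons Daemon project: a POSIX sh script that checks downloaded RC artifacts against a "name=sha512" manifest in the format the mail uses and verifies their detached .asc signatures against only the KEYS file; it assumes sha512sum and gpg are installed and that KEYS was fetched separately.

```shell
#!/bin/sh
# Added example, not from the vote mail or the Commons Daemon project: check RC
# artifacts against a "name=sha512" manifest in the format quoted above, then
# verify detached .asc signatures using only the project KEYS file.
# Assumes sha512sum and gpg are installed and KEYS was downloaded already.

# verify_manifest MANIFEST DIR: 0 only if every listed file exists and its
# digest matches. Names may contain spaces because IFS is '=' alone.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while IFS='=' read -r name expected; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blanks and "#Release SHA-512s"
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; bad=1; continue
        fi
        actual=$(sha512sum "$dir/$name" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# verify_signatures DIR KEYS: 0 only if every *.asc in DIR verifies against a
# throwaway keyring holding just KEYS, so no other trusted key can satisfy it.
verify_signatures() {
    dir="$1"; keys="$2"; bad=0; ring=$(mktemp -d)
    GNUPGHOME="$ring" gpg --quiet --import "$keys" 2>/dev/null
    for sig in "$dir"/*.asc; do
        [ -e "$sig" ] || continue
        if GNUPGHOME="$ring" gpg --quiet --verify "$sig" "${sig%.asc}" 2>/dev/null; then
            echo "SIGNED   ${sig%.asc}"
        else
            echo "BADSIG   ${sig%.asc}"; bad=1
        fi
    done
    rm -rf "$ring"; return $bad
}

# Constructed demo: a stand-in artifact, a manifest built from its digest,
# then a tampered copy that must be reported as a mismatch.
demo=$(mktemp -d)
printf 'constructed artifact\n' > "$demo/commons-daemon-1.3.3.jar"
printf '#Release SHA-512s\ncommons-daemon-1.3.3.jar=%s\n' \
    "$(sha512sum "$demo/commons-daemon-1.3.3.jar" | cut -d' ' -f1)" > "$demo/manifest"
verify_manifest "$demo/manifest" "$demo"
printf 'tampered\n' > "$demo/commons-daemon-1.3.3.jar"
if ! verify_manifest "$demo/manifest" "$demo"; then echo "tampering detected"; fi
```

For a real RC, run `verify_manifest` on a manifest pasted from the vote mail and `verify_signatures` on the download directory with the KEYS file; a single MISMATCH, MISSING or BADSIG line is grounds for a -1.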

--

Re: [VOTE] Release Apache Commons Daemon 1.3.3 based on RC1

2022-11-23 Thread Gary D. Gregory
Testing src zip: ASC, SHA, Apache RAT, Maven default goal, JApiCmp, all OK on:

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: C:\java\apache-maven-3.8.6
Java version: 1.8.0_352, vendor: Temurin, runtime: C:\Program Files\Eclipse Adoptium\jdk-8.0.352.8-hotspot\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 10", version: "10.0", arch: "amd64", family: "windows"
Microsoft Windows [Version 10.0.19044.2130]

Building Windows natives OK using 'nmake CPU=X64' with:

Microsoft (R) Program Maintenance Utility Version 14.33.31630.0
Microsoft (R) C/C++ Optimizing Compiler Version 19.33.31630 for x64
Microsoft (R) Incremental Linker Version 14.33.31630.0

Gary

On 2022/11/23 20:45:07 Mark Thomas wrote: