Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
Perhaps xerces should auto add a wider group of committers as was done in Apache Commons, in order to spur activity.

-------- Original message --------
From: Michael Glavassevich
Date: 1/11/18 3:29 PM (GMT-05:00)
To: j-users@xerces.apache.org
Subject: Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?

Some of these steps are out-of-date but this [1] should give you a general idea of what's involved in preparing a release.

I think some projects have had committers who just wrote documentation or contributed in other non-coding ways so that's certainly a possibility.

Thanks.

[1] http://xerces.apache.org/xerces2-j/faq-contributing.html#faq-2

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

"Eric J. Schwarzenbach" wrote on 01/11/2018 02:05:12 PM:

> From: "Eric J. Schwarzenbach"
> To: j-users@xerces.apache.org
> Date: 01/11/2018 02:05 PM
> Subject: Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
>
> One might expect "committer" to imply a coder, but could someone who is not going to actually work on xerces code be made a committer? If so, what skills would such a person need in order to help get the release out?
>
> On 01/11/2018 01:42 PM, Michael Glavassevich wrote:
>
> > A lot of what needs to get done requires write-access and that can only be done by committers [1]. That's where this project has been hurting for a long time and where we definitely need help. Of course there are activities such as testing or doing a build that anyone could do, but someone with commit access is needed to pull a release together.
> >
> > Thanks.
> >
> > [1] http://www.apache.org/foundation/getinvolved.html#become-a-committer
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrgla...@ca.ibm.com
> > E-mail: mrgla...@apache.org
> >
> > Will Herrmann wrote on 01/10/2018 11:34:39 PM:
> >
> > > I too work with an organization that is a bit concerned about using a library with a 5-year old security issue. If the issue is a lack of volunteers, what can we do to help, especially given that the fix is already done? Do you need testers? People to build from source? Something else?
> > >
> > > -Will Herrmann
> > >
> > > > As has been the case for a long time, Xerces-J 2.12.0 needs volunteers to actually make this release happen.
> > > >
> > > > Michael Glavassevich
> > > > XML Technologies and WAS Development
> > > > IBM Toronto Lab
> > > > E-mail: mrgla...@ca.ibm.com
> > > > E-mail: mrgla...@apache.org
> > > >
> > > > Gary Gregory wrote on 12/22/2017 01:46:28 PM:
> > > >
> > > > > Good question. Xerces has been rather... inactive :-(
> > > > >
> > > > > Gary
> > > > >
> > > > > On Fri, Dec 22, 2017 at 7:15 AM, Yves Geissbühler <yves.geissbueh...@incentage.com> wrote:
> > > > >
> > > > > > Hi all,
> > > > > >
> > > > > > my problem is that Xerces-J 2.11.0 pops up on the OWASP Dependency Check [1] having the vulnerability CVE-2012-0881.
> > > > > >
> > > > > > After some investigation I found that CVE-2012-0881 has been indeed fixed and is scheduled to be released for Xerces-J 2.12.0 [2].
> > > > > >
> > > > > > However, no specific release date is given [3].
> > > > > >
> > > > > > Could you point me to a release schedule or do you know the release date?
> > > > > >
> > > > > > Using libraries which contain vulnerabilities is not an option for my organisation. So, I'm hoping for a Xerces-J 2.11.0 release happening soonish.
> > > > > >
> > > > > > Best regards,
> > > > > > Yves
> > > > > >
> > > > > > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> > > > > > [2] https://issues.apache.org/jira/browse/XERCESJ-1685
> > > > > > [3] https://issues.apache.org/jira/projects/XERCESJ/versions/12336542
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> > For additional commands, e-mail: j-users-h...@xerces.apache.org
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
On 1/14/18, 10:30 PM, "Will Herrmann" wrote:

> I’m interested in becoming a committer, although admittedly, I’m only interested in building a new release that fixes this bug (which was previously stated to already be in the code). What do I need to do to make that happen?

Probably the biggie is getting an Apache CLA on file, which would involve your employer in a lot of cases if you're not self-employed.

-- Scott
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
It’s necessary to get my employer on file even if I’m not doing it on company time?

Also, in my case, I both have an employer and am self-employed (side job). How does that work?

-Will

> On Jan 15, 2018, at 4:39 PM, Cantor, Scott wrote:
>
> On 1/14/18, 10:30 PM, "Will Herrmann" wrote:
>
>> I’m interested in becoming a committer, although admittedly, I’m only interested in building a new release that fixes this bug (which was previously stated to already be in the code). What do I need to do to make that happen?
>
> Probably the biggie is getting an Apache CLA on file, which would involve your employer in a lot of cases if you're not self-employed.
>
> -- Scott
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
On 1/15/18, 5:41 PM, "Will Herrmann" wrote:

> It’s necessary to get my employer on file even if I’m not doing it on company time?

That depends on the jurisdiction, I couldn't answer that for you. Most US states are, I think, work for hire, meaning your employer owns anything you do that is remotely related to your work, regardless of whether you do it on their time. Yes, really. Ohio is, for example, so my employer owns essentially everything I do, and I do my Apache work under a contract with a third party that stipulates that the third party can license what I do for them. So the CLA was signed by that third party. I cannot do one myself, because I'd be lying.

> Also, in my case, I both have an employer and am self-employed (side job). How does that work?

Doesn't change the essential issue of whether your employer gets a say.

-- Scott
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
Alright, in that case, how do I go about getting an Apache CLA on file with my employer being involved?

-Will

> On Jan 15, 2018, at 4:45 PM, Cantor, Scott wrote:
>
> On 1/15/18, 5:41 PM, "Will Herrmann" wrote:
>
>> It’s necessary to get my employer on file even if I’m not doing it on company time?
>
> That depends on the jurisdiction, I couldn't answer that for you. Most US states are, I think, work for hire, meaning your employer owns anything you do that is remotely related to your work, regardless of whether you do it on their time. Yes, really. Ohio is, for example, so my employer owns essentially everything I do, and I do my Apache work under a contract with a third party that stipulates that the third party can license what I do for them. So the CLA was signed by that third party. I cannot do one myself, because I'd be lying.
>
>> Also, in my case, I both have an employer and am self-employed (side job). How does that work?
>
> Doesn't change the essential issue of whether your employer gets a say.
>
> -- Scott
Re: Any Xerces-J 2.12.0 release date to address CVE-2012-0881?
On 1/15/18, 5:47 PM, "Will Herrmann" wrote:

> Alright, in that case, how do I go about getting an Apache CLA on file with my employer being involved?

Well, the CLA files are split into the two types.

http://apache.org/dev/new-committers-guide#cla

The Corporate one is the one that would handle somebody who doesn't own their own work, and you really would have to talk with your management on that, and it is, like with anything of this nature, very much dependent on the company. It could be routine or it could be nightmarish.

-- Scott