Re: [REVISED VOTE]: Xerces-J 2.12.0 release

2018-04-23 Thread Mukul Gandhi
On Sun, Apr 22, 2018 at 3:19 PM, sebb wrote:

> Contains MD5 hashes; these are deprecated and should be removed.
>

I alone can't decide on this (though I sort of agree with you). Let's see
how others react to the topic of having or not having MD5 hashes, and we
can accordingly finalize as this voting concludes.


>
> Also the revision is needed for traceability; currently it is
>
> Last Changed Rev: 26447
>

If we look at this page,
https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/ it says on top,
"dist - Revision *26466*: /dev/xerces/j/2.12.0"

Are you talking about the revision number I've marked in bold emphasis? Do
you require mentioning this revision number in voting mails (alongside the
link, https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/) ?




-- 
Regards,
Mukul Gandhi


Re: [REVISED VOTE]: Xerces-J 2.12.0 release

2018-04-23 Thread sebb
On 23 April 2018 at 11:04, Mukul Gandhi  wrote:
> On Sun, Apr 22, 2018 at 3:19 PM, sebb  wrote:
>
>> Contains MD5 hashes; these are deprecated and should be removed.
>
>
> I alone can't decide on this (though I sort of agree with you). Let's see how
> others react to the topic of having or not having MD5 hashes, and we can
> accordingly finalize as this voting concludes.

The ASF policy was updated recently, as notified to the PMC at the
beginning of March:

https://lists.apache.org/thread.html/d11f3dbcfe844b4d1eb06ba09c9f533bfbbc1f0a1a808185984832f6@%3Cprivate.xerces.apache.org%3E

>>
>>
>> Also the revision is needed for traceability; currently it is
>>
>> Last Changed Rev: 26447
>
>
> If we look at this page,
> https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/ it says on top,
> "dist - Revision 26466: /dev/xerces/j/2.12.0"
>
> Are you talking about the revision number I've marked in bold emphasis? Do
> you require mentioning this revision number in voting mails (alongside the
> link, https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/) ?

Yes, it needs to be in the email so one can trace the provenance later
if necessary.
This is particularly true of /dist/dev/ URLs as those are generally
moved / deleted after use.
And indeed re-used, as here.

>
>
>
> --
> Regards,
> Mukul Gandhi




Re: [REVISED VOTE]: Xerces-J 2.12.0 release

2018-04-23 Thread Mukul Gandhi
On Mon, Apr 23, 2018 at 4:51 PM, sebb  wrote:

> > I alone can't decide on this (though I sort of agree with you). Let's see how
> > others react to the topic of having or not having MD5 hashes, and we can
> > accordingly finalize as this voting concludes.
>
> The ASF policy was updated recently, as notified to the PMC at the
> beginning of March:
>
> https://lists.apache.org/thread.html/d11f3dbcfe844b4d1eb06ba09c9f533bfbbc1f0a1a808185984832f6@%3Cprivate.xerces.apache.org%3E
>
>
Thanks for this information. It's useful.


> > If we look at this page,
> > https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/ it says on top,
> > "dist - Revision 26466: /dev/xerces/j/2.12.0"
> >
> > Are you talking about the revision number I've marked in bold emphasis? Do
> > you require mentioning this revision number in voting mails (alongside the
> > link, https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/) ?
>
> Yes, it needs to be in the email so one can trace the provenance later
> if necessary.
> This is particularly true of /dist/dev/ URLs as those are generally
> moved / deleted after use.
> And indeed re-used, as here.


I've deleted the .md5 files from the location,
https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/.

I'll write a new voting mail again, as a continuation of this thread.



-- 
Regards,
Mukul Gandhi


Re: [REVISED VOTE]: Xerces-J 2.12.0 release

2018-04-23 Thread Mukul Gandhi
Hi all,
   The 1st voting for Xerces-J 2.12.0 release was stopped, due to certain
issues that were in the release candidates (RC) that were found by the
reviewers ([5]). Those have been fixed now, and I'm initiating this new
mail for the Vote for new RC.

I've uploaded Xerces-J 2.12.0 release candidates (the revised one) to [1]
for review. In this release candidate there are two sets of packages, the
main release built from the trunk [2] and the XML Schema 1.1 release built
from the XML Schema 1.1 development branch [3]. The change summary is
available here [4] in JIRA. 81 issues (plus issues that were mentioned,
during the review of 1st RC) were resolved.

Test results have been looking good, so I'd like to call an official vote
now on the release.

To start, here's my +1.

Great work everyone.

[1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
Revision 26468

[2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
Directory revision: 1829687 (of 1829689)

[3]
http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
Directory revision: 1829688 (of 1829689)

[4]
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10520&version=12336542

[5] https://markmail.org/message/54obpdyqrn6nfzgi : discussion about
previous RC, suggesting a revote

[6] Deleting .md5 hash files from the RC distribution at,
https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/. Mentioned Revision
number in point [1] above. (suggestions from sebb, seb...@gmail.com during
this voting)




-- 
Regards,
Mukul Gandhi
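
The two review points raised in this thread (a /dist/dev/ URL must carry its revision number, and .md5 files should not ship) can be checked mechanically before a vote mail is sent. This is an added example, not part of the thread or of any ASF tooling; the function names, the two-line search window and the sample file names are assumptions, and the sample mail text is constructed from the URL and revision quoted above.

```python
import re

# Staging URLs under dist/dev; the thread notes these are moved, deleted
# or re-used after a vote, so the URL alone does not identify the files.
DEV_URL = re.compile(r"https://dist\.apache\.org/repos/dist/dev/\S+")
REVISION = re.compile(r"\bRevision\s+(\d+)\b", re.IGNORECASE)


def unpinned_dev_urls(mail_text, window=2):
    """Return dist/dev URLs with no 'Revision N' on the same line or in the
    next `window` lines (the window size is an assumption of this example)."""
    lines = mail_text.splitlines()
    missing = []
    for i, line in enumerate(lines):
        for match in DEV_URL.finditer(line):
            nearby = " ".join(lines[i:i + 1 + window])
            if not REVISION.search(nearby):
                # Drop trailing punctuation picked up from running prose.
                missing.append(match.group(0).rstrip(").,"))
    return missing


def deprecated_hash_files(filenames):
    """Return the file names that carry an .md5 checksum extension."""
    return sorted(n for n in filenames if n.lower().endswith(".md5"))


# Constructed samples: a vote mail without and with the revision, and a
# staging-directory listing with placeholder file names.
UNPINNED = """I've uploaded the release candidates to [1] for review.

[1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
"""
PINNED = """[1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
Revision 26468
"""
LISTING = ["example-bin.zip", "example-bin.zip.asc", "example-bin.zip.md5"]

if __name__ == "__main__":
    print("unpinned:", unpinned_dev_urls(UNPINNED))
    print("pinned:", unpinned_dev_urls(PINNED))
    print("md5 files:", deprecated_hash_files(LISTING))
```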


RE: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release

2018-04-23 Thread David Dillard
Hi,

Can someone please get a CVE for the readObject issue?  I don’t know what the 
internal ASF process is for that, but ASF is its own CNA so it seems there must 
be one.

Also, it’d be good to issue a security advisory concurrent with the release 
announcement.


Regards,

David


From: Mukul Gandhi [mailto:muk...@apache.org]
Sent: Saturday, April 21, 2018 1:05 AM
To: j-...@xerces.apache.org
Cc: priv...@xerces.apache.org; j-users@xerces.apache.org
Subject: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release

Hi Michael & all,
   I've fixed all the below mentioned issues that were found in previous RC, 
within the revised RC for 2.12.0 release. I'll shortly be writing a separate 
mail, for the Vote for new RC.

On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:
Should fix the copyright years in the docs too. It currently has: 1999-2014 in 
the footer of all the pages.



Michael Glavassevich <mrgla...@ca.ibm.com> wrote on 04/19/2018 04:40:16 PM:

> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org



--
Regards,
Mukul Gandhi