Re: JEXL Security

2022-10-26 Thread Henri Biestro
Fair points, thank you. They seem to lead into the point of view that JEXL (or any scripting solution?) should not expose any feature that could be considered security-related avoiding the CVE potential turmoils alltogether. Trusted sanitised input is expected and required so this is a moot d

Re: [VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-26 Thread Gary Gregory
+1 ASC and SHA512 files OK Built from src zip with default Maven goal using: Darwin 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64 Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) Maven home: /usr/local/Cellar/mave

Re: [VOTE] Release Apache Commons BCEL 6.6.1 based on RC1

2022-10-26 Thread Gary D. Gregory
Ping ;-) On 2022/10/23 14:58:05 Gary Gregory wrote: > We have fixed one bug since Apache Commons BCEL 6.6.0 was released, so > I would like to release Apache Commons BCEL 6.6.1. This will help > SpotBugs migrate from 6.5.0. > > Apache Commons BCEL 6.6.1 RC1 is available for review here: > htt

Re: [VOTE] Release Apache Commons BCEL 6.6.1 based on RC1

2022-10-26 Thread Alex Herbert
Validated signatures on the binary and src distributions. Built from src.zip using: maven install site -P jacoco -P japicmp Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) Maven home: /usr/local/apache-maven-3 Java version: 11.0.16, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-ope

(RestJiraDownloader) Re: [VOTE] Release Apache Commons BCEL 6.6.1 based on RC1

2022-10-26 Thread Eric Bresie
Looking on the plug-in side (1) if this hasn’t changed any and I’m reading it correctly, seems like the json Node in use has no displayName or name attributes present. Reference (1) https://github.com/behrica/maven-changes-plugin/blob/master/src/main/java/org/apache/maven/plugin/jira/RestJiraDownl

Re: JEXL Security

2022-10-26 Thread Mark Thomas
On 26/10/2022 08:58, Henri Biestro wrote: Fair points, thank you. They seem to lead into the point of view that JEXL (or any scripting solution?) should not expose any feature that could be considered security-related avoiding the CVE potential turmoils alltogether. Trusted sanitised input is

RE: [VOTE] Release Apache Commons BCEL 6.6.1 based on RC1

2022-10-26 Thread Mark Roberts
I think a camelCase edit was missed in classfile/FieldOrMethod.java. The method 'copy_' has constantPool in the arg list and constant_pool in the body. constant_pool is class field and I don’t think the intention of copy_ is to reuse the existing ConstantPool. Mark -Original Message- Fr