FYI, I was testing with:

Apache Maven 3.3.9 (bb52d8502b132ec0a5a3f4c09453c07478323dc5; 2015-11-10T08:41:47-08:00)
Maven home: E:\Java\apache-maven-3.3.9\bin\..
Java version: 1.8.0_65, vendor: Oracle Corporation
Java home: C:\Program Files\Java\jdk1.8.0_65\jre
Default locale: en_US, platform encoding: Cp1252
OS name: "windows 7", version: "6.1", arch: "amd64", family: "dos"

(This is a release candidate for Maven 3.3.9).

Gary

On Wed, Nov 11, 2015 at 2:26 PM, Gary Gregory <garydgreg...@gmail.com> wrote:

> FYI, I was testing with:
>
>
> On Wed, Nov 11, 2015 at 11:05 AM, Gary Gregory <garydgreg...@gmail.com>
> wrote:
>
>> -1
>>
>> I'm sorry, but the RAT check is still not right.
>>
>> If you look at the POM:
>>
>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2/pom.xml
>>
>> you will see:
>>
>> <exclude>src/test/resources/data/test/*</exclude>
>>
>> This folder does not exist.
>>
>> Which is why I see the following when I build:
>>
>> Unapproved licenses:
>>
>> data/test/NullComparator.version2.obj1
>> data/test/NullComparator.version2.obj2
>>
>> and
>>
>> B data/test/NodeCachingLinkedList.fullCollection.version3.obj
>> !????? data/test/NullComparator.version2.obj1
>> !????? data/test/NullComparator.version2.obj2
>> B data/test/PredicatedBag.emptyCollection.version3.1.obj
>>
>> Instead it should be:
>>
>> <exclude>data/test/*</exclude>
>>
>> and the RAT check is fine. Fixed in SVN.
>>
>> Thank you,
>> Gary
>>
>> On Wed, Nov 11, 2015 at 8:27 AM, Thomas Neidhart <
>> thomas.neidh...@gmail.com> wrote:
>>
>>> Hi all,
>>>
>>> in order to provide a work-around for the known remote code exploit via
>>> java de-serialization of malicious InvokerTransformer instances, I would
>>> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>>>
>>> Notes:
>>>
>>> * the site will not be published, it just serves as a reference to
>>>   access the various reports. After a successful vote, the current 4.X
>>>   branch site will be updated with relevant information and published.
>>>
>>> * some tests might fail with various IBM JDK 6 JREs, these are known
>>>   issues and have been worked-around in the 4.X branch but are not
>>>   back-ported to this release.
>>>
>>> * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>>>   with a newly introduced default method in the Map interface.
>>>
>>> * the collections-testframework.jar that has been published in previous
>>>   versions is not included in this release
>>>
>>>
>>> Changes from RC1:
>>>
>>> * fixed RAT report
>>> * fixed NOTICE file
>>> * improve the security fix: it has been made symmetric in the sense
>>>   that also the serialization of an unsafe class is disabled by
>>>   default and will result in an exception
>>> * changed the system property to re-enable serialization of unsafe
>>>   classes. It is now
>>>   "org.apache.commons.collections.enableUnsafeSerialization"
>>> * all classes in the functor package which (based on current
>>>   knowledge) have to be considered unsafe cannot be serialized/
>>>   de-serialized any more by default. This includes the following
>>>   classes:
>>>
>>>   ** CloneTransformer
>>>   ** PrototypeFactory (inner classes
>>>      PrototypeCloneFactory and
>>>      PrototypeSerializationFactory)
>>>   ** InstantiateFactory
>>>   ** InstantiateTransformer
>>>   ** ForClosure
>>>   ** WhileClosure
>>>   ** InvokerTransformer
>>>
>>>
>>> Collections 3.2.2 RC2 is available for review here:
>>> https://dist.apache.org/repos/dist/dev/commons/collections/
>>> (svn revision 11147)
>>>
>>> Maven artifacts are here:
>>>
>>> https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>>>
>>> Details of changes since 3.2.1 are in the release notes:
>>>
>>> https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>>
>>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>>>
>>> The tag is here:
>>>
>>> https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>>> (svn revision 1713883)
>>>
>>> Site:
>>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>>>
>>> Clirr Report (compared to 3.2.1):
>>>
>>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>>>
>>> RAT Report:
>>>
>>> http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>>>
>>> KEYS:
>>> https://www.apache.org/dist/commons/KEYS
>>>
>>> Please review the release candidate and vote.
>>>
>>>
>>> Considering that this is a security related release and that RC1 did not
>>> show any functional problems with the release, I plan to close this vote
>>> in 24 from now, i.e. after 1800 GMT 12-November 2015
>>>
>>> [ ] +1 Release these artifacts
>>> [ ] +0 OK, but...
>>> [ ] -0 OK, but really should fix...
>>> [ ] -1 I oppose this release because...
>>>
>>> Thanks,
>>>
>>> Thomas
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>>> For additional commands, e-mail: dev-h...@commons.apache.org
>>>
>>
>> --
>> E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
>> Java Persistence with Hibernate, Second Edition
>> <http://www.manning.com/bauer3/>
>> JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
>> Spring Batch in Action <http://www.manning.com/templier/>
>> Blog: http://garygregory.wordpress.com
>> Home: http://garygregory.com/
>> Tweet! http://twitter.com/GaryGregory
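
The symmetric guard described in the RC2 change list, sketched as an added example that is not code from this thread or from Commons Collections. `requireOptIn`, `UnsafeFunctor` and `SymmetricGuardDemo` are hypothetical stand-ins; only the system property name is taken from the notes above.

```java
import java.io.*;

public class SymmetricGuardDemo {
    // Property name quoted in the RC2 notes above.
    static final String PROP = "org.apache.commons.collections.enableUnsafeSerialization";

    // Hypothetical helper (not the project's code): refuse unless -D<PROP>=true was set.
    static void requireOptIn(Class<?> type) {
        if (!"true".equalsIgnoreCase(System.getProperty(PROP))) {
            throw new UnsupportedOperationException("Serialization of " + type.getName()
                + " is disabled; set " + PROP + "=true to enable it");
        }
    }
    // Constructed stand-in for one of the functor classes listed as unsafe.
    static class UnsafeFunctor implements Serializable {
        private static final long serialVersionUID = 1L;
        final String methodName;
        UnsafeFunctor(String methodName) { this.methodName = methodName; }
        // Write side: the half that makes the guard symmetric.
        private void writeObject(ObjectOutputStream out) throws IOException {
            requireOptIn(UnsafeFunctor.class);
            out.defaultWriteObject();
        }
        // Read side: the guard runs before any field is restored from the stream.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            requireOptIn(UnsafeFunctor.class);
            in.defaultReadObject();
        }
    }
    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        UnsafeFunctor f = new UnsafeFunctor("toString");
        try { write(f); } catch (UnsupportedOperationException e) {
            System.out.println("write refused: " + e.getMessage());
        }
        System.setProperty(PROP, "true");   // explicit opt-in, only to obtain bytes
        byte[] bytes = write(f);
        System.clearProperty(PROP);         // back to the default
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.readObject();
        } catch (UnsupportedOperationException e) {
            System.out.println("read refused: " + e.getMessage());
        }
    }
}
```

With the property unset, both the write and the read of the stand-in class fail with an exception, which is the default behaviour the change list describes for the listed functor classes.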