Hi! the release was announced some days ago at [email protected], [email protected] and [email protected], binaries are at central now, etc.
There's one vulnerability on master that warranted another release for the 2.x/javax line, so some other fixes for other CVEs followed up there too. Regarding the variable manager, without spoiling too much until disclosure, leaked sensitive data, hence the changes. Perhaps it should have been 2.13.0 instead of 2.12.4, but the point for us was to release a fix for the CVEs on 2.x/javax and then focus on releasing 3.0.0. At least, last RC allows a whitelist for variables that can be printed out. I'll try to get the site and the wiki updated through the week. Hope the changes make more sense now. Cheers, juan pablo El mar, 14 abr 2026, 18:30, Ulf Dittmer <[email protected]> escribió: > Well, it has already been released, sort of, even if not been announced > everywhere: https://jspwiki-wiki.apache.org/Wiki.jsp?page=Downloads. > That's > what I meant by it being too late. > > On Tue, Apr 14, 2026 at 5:48 PM Murray Altheim <[email protected]> > wrote: > > > +1 > > > > I'd rather we do this right than rushed. > > > > On 15/04/2026 03:31, Arturo Bernal wrote: > > > Hi all, > > > > > > > > > Given the backward-compatibility concern in a 2.12.x release, why don’t > > we > > > cancel this vote and cut a new RC once the DefaultVariableManager issue > > is > > > fixed? > > > > > > > > > Arturo > > > > > > > > > On Tue, 14 Apr 2026 at 4:23 PM, Murray Altheim <[email protected]> > > wrote: > > > > > >> Hi Ulf, > > >> > > >> I think it's a fair statement to consider that a bug on 2.x. Fine on > 3.x > > >> but > > >> you're correct, this should not have passed in a dot release. > > >> > > >> Cheers, > > >> > > >> Murray > > >> > > >> On 15/04/2026 01:15, Ulf Dittmer wrote: > > >>> AFAICT, the behavior of the DefaultVariableManager that I mentioned > in > > my > > >>> response to the previous release vote (breaking variable names that > > start > > >>> with "jspwiki") has not been changed. I'm aware that it is too late > > now, > > >>> and that I don't really have a vote anyway, so I'd just like to > > register > > >> my > > >>> displeasure that JSPWiki, which has a pretty good history of > backwards > > >>> compatibility, breaks it so cavalierly in a dot-dot release of a > major > > >>> version that is many years old. For 3.0, that's a reasonable > decision, > > >> but > > >>> for 2.12 it's rather questionable, IMO. > > >>> > > >>> Ulf > > >>> > > >>> On Tue, Apr 7, 2026 at 1:46 AM Alex O'Ree <[email protected]> > wrote: > > >>> > > >>>> I think it's been over 72 hours, that's +4 yes. We should be good to > > go. > > >>>> When I have a spare moment, I can do the rest of the processes to > get > > >> this > > >>>> out the door. > > >>>> > > >>>> Thanks for testing everyone! > > >>>> > > >>>> On Sat, Apr 4, 2026 at 6:50 PM Murray Altheim <[email protected] > > > > >>>> wrote: > > >>>> > > >>>>> +1 > > >>>>> > > >>>>> This was plug-and-play for me. Built with no issues on Java > 17.0.17, > > >>>>> deployed to > > >>>>> Tomcat 9 and it worked. > > >>>>> > > >>>>> Cheers, > > >>>>> > > >>>>> Murray > > >>>>> > > >>>>> On 03/04/2026 13:31, Alex O'Ree wrote: > > >>>>>> This is a release vote for Apache JSPWiki, version 2.12.4. The > > vote > > >>>>> will > > >>>>>> be open for at least 72 hours from now. > > >>>>>> > > >>>>>> This is a revision of the previous attempt that addresses some > > issues > > >>>>>> flagged by the community. Namely the one change in behavior can > now > > be > > >>>>>> reverted if necessary. > > >>>>>> > > >>>>>> It fixes the following issues: > > >>>>>> > > >>>>> > > >>>> > > >> > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310732&version=2.12.4 > > >>>>>> > > >>>>>> You can see a curated changelog at > > >>>>>> https://jspwiki-wiki.apache.org/Wiki.jsp?page=NewIn2.12.4 > > >>>>>> > > >>>>>> Note that we are voting upon the source (tag), binaries are > provided > > >>>> for > > >>>>>> convenience. > > >>>>>> > > >>>>>> Everybody is encouraged to vote. > > >>>>>> > > >>>>>> Source and binary files: > > >>>>>> https://dist.apache.org/repos/dist/dev/jspwiki/2.12.4-RC > > >>>>>> <https://dist.apache.org/repos/dist/dev/jspwiki/2.12.4-RC1>2 > > >>>>>> > > >>>>>> Nexus staging repo: > > >>>>>> > > >>>> > > >> > > https://repository.apache.org/content/repositories/orgapachejspwiki-1037 > > >>>>>> > > >>>>>> The tag to be voted upon: > > >>>>>> https://github.com/apache/jspwiki/tree/2.12.4-RC > > >>>>>> <https://github.com/apache/jspwiki/tree/2.12.4-RC1>2 > > >>>>>> > > >>>>>> JSPWiki's KEYS file containing PGP keys we use to sign the > release: > > >>>>>> https://www.apache.org/dist/jspwiki/KEYS > > >>>>>> > > >>>>>> == Reproducible Builds == > > >>>>>> JSPWiki should follow Reproducible Builds ( > > >>>>> https://reproducible-builds.org/). > > >>>>>> In order to verify > > >>>>>> artifacts' build reproducibility, please use > > >>>>>> > > >>>>>> mvn verify artifact:compare -Dreference.repo= > > >>>>>> https://repository.apache.org/content/repositories/staging/ > > >>>>>> > > >>>>>> *** Please download, test and vote: > > >>>>>> > > >>>>>> [ ] +1 Approve the release > > >>>>>> [ ] 0 Don't mind > > >>>>>> [ ] -1 Disapprove the release (please provide specific comments) > > >>>>>> > > >>>>>> +1 for me > > >>>>>> > > >>>>> > > >>>>> -- > > >>>>> > > >>>>> > > >>>> > > >> > > > ........................................................................... > > >>>>> Murray Altheim <murray18 at altheim dot com> > = > > = > > >>>> === > > >>>>> http://www.altheim.com/murray/ > > === > > >>>>> === > > >>>>> > > = > > >> = > > >>>>> === > > >>>>> In the evening > > >>>>> The rice leaves in the garden > > >>>>> Rustle in the autumn wind > > >>>>> That blows through my reed hut. > > >>>>> -- Minamoto no Tsunenobu > > >>>>> > > >>>>> > > >>>>> > > >>>> > > >>> > > >> > > >> -- > > >> > > >> > > > ........................................................................... > > >> Murray Altheim <murray18 at altheim dot com> = = > > === > > >> http://www.altheim.com/murray/ > === > > >> === > > >> > = = > > >> === > > >> In the evening > > >> The rice leaves in the garden > > >> Rustle in the autumn wind > > >> That blows through my reed hut. > > >> -- Minamoto no Tsunenobu > > >> > > >> > > >> > > > > > > > -- > > > > > ........................................................................... > > Murray Altheim <murray18 at altheim dot com> = = > === > > http://www.altheim.com/murray/ === > > === > > = = > > === > > In the evening > > The rice leaves in the garden > > Rustle in the autumn wind > > That blows through my reed hut. > > -- Minamoto no Tsunenobu > > > > > > >
