Thank you Jacques and Taher. So it seems we can move on and temporarily remove the jar.
Jacopo

On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb <slidingfilame...@gmail.com> wrote:

> Hi Jacques,
>
> First of all the ofbizSecure task is gone instead everything calls the
> correct jvm arguments by default to fetch notsoserial.
>
> The work to remove notsoserial is almost nothing. You just need to remove a few
> jvm args and that's it. Even if you don't remove the jvm args nothing
> happens because it will just ignore it as missing from the classpath.
>
> Taher Alkhateeb
>
> On Sep 7, 2016 5:48 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com> wrote:
>
> > Huho, I was too fast on this. Currently the Gradle "ofbizSecure" tasks
> > depends on the notsoserial-1.0-SNAPSHOT.jar
> >
> > So this would need more work and w/o answers from them I suspect they will
> > not publish the jar.
> >
> > Now it's a serious security but not OOTB. So I see 2 possibilities.
> >
> > 1. Ask the ASF for a derogation (after all it's a Java issue not an OFBiz one)
> > 2. Do what I said before AND change the Gradle "ofbizSecure" tasks
> >
> > Opinions?
> >
> > Jacques
> >
> > On 07/09/2016 at 14:01, Jacques Le Roux wrote:
> >
> >> Yes I see no problems with that. I just need to add directions for users
> >> before. I'll then remove the jars... very soon...
> >>
> >> Jacques
> >>
> >> On 07/09/2016 at 13:09, Jacopo Cappellato wrote:
> >>
> >>> Jacques, any news from notsoserial?
> >>> If not, I think we can proceed by (temporarily) removing the jars until
> >>> they will publish the jar.
> >>>
> >>> Regards,
> >>>
> >>> Jacopo
> >>>
> >>> On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
> >>>
> >>>> Yes that's what I proposed also, I will try that before the worse solution
> >>>> as Taher called them, would you help?
> >>>>
> >>>> Jacques
> >>>>
> >>>> On 20/08/2016 at 08:32, Pierre Smits wrote:
> >>>>
> >>>>> Hi Jacques,
> >>>>>
> >>>>> Why not try to convince the people behind notsoserial to have them push the
> >>>>> library to maven central and/or jpublish? Instead of this community doing
> >>>>> the work?
> >>>>>
> >>>>> Best regards,
> >>>>>
> >>>>> Pierre Smits
> >>>>>
> >>>>> ORRTIZ.COM <http://www.orrtiz.com>
> >>>>> OFBiz based solutions & services
> >>>>>
> >>>>> OFBiz Extensions Marketplace
> >>>>> http://oem.ofbizci.net/oci-2/