Scratch that, actually only the -D arguments are ignored, we must remove
the -javaagent argument because it's not a classpath argument and would
crash the VM.

But for consistency's sake, let's remove them all for now. So simply we
apply:

Index: build.gradle
===================================================================
--- build.gradle        (revision 1759596)
+++ build.gradle        (working copy)
@@ -31,11 +31,7 @@
 ext.os = System.getProperty('os.name').toLowerCase()

 // java settings
-def jvmArguments = ['-Xms128M', '-Xmx1024M',
-
"-javaagent:${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar",
-
"-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoserial/empty.txt",
-
"-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/is-deserialized.txt",
-
"-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/deserialize-trace.txt"]
+def jvmArguments = ['-Xms128M', '-Xmx1024M']
 ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
 javadoc.failOnError = false
 sourceCompatibility = '1.8'
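
Review bot: On the new `def jvmArguments = ['-Xms128M', '-Xmx1024M']` line, the -javaagent argument and the three -Dnotsoserial.* arguments disappear without a comment, so build.gradle no longer records that the default start-up used to load the notsoserial agent or how to put it back. Suggest a short comment above the line naming the agent argument and pointing to the README directions for users who supply the jar themselves. The files the removed arguments pointed at under tools/security/notsoserial/ (empty.txt, is-deserialized.txt, deserialize-trace.txt) are no longer referenced by these arguments; remove them in the same change or note why they stay.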

On Wed, Sep 7, 2016 at 9:04 PM, Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> OK Cool, if the JVM arguments are simply ignored, then I will proceed with
> an addition in the readme and remove the jar, simple
>
> Jacques
>
>
>
> On 07/09/2016 at 17:16, Jacopo Cappellato wrote:
>
>> Thank you Jacques and Taher.
>>
>> So it seems we can move on and temporarily remove the jar.
>>
>> Jacopo
>>
>>
>> On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb <
>> slidingfilame...@gmail.com>
>> wrote:
>>
>> Hi Jacques,
>>>
>>> First of all the ofbizSecure task is gone; instead everything calls the
>>> correct jvm arguments by default to fetch notsoserial.
>>>
>>> The work to remove notsoserial is almost nothing. You just need to remove a
>>> few jvm args and that's it. Even if you don't remove the jvm args nothing
>>> happens because it will just ignore it as missing from the classpath.
>>>
>>> Taher Alkhateeb
>>>
>>> On Sep 7, 2016 5:48 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com>
>>> wrote:
>>>
>>> Huho, I was too fast on this. Currently the Gradle "ofbizSecure" tasks
>>>> depends on the notsoserial-1.0-SNAPSHOT.jar
>>>>
>>>> So this would need more work and w/o answers from them I suspect they
>>>> will not publish the jar.
>>>>
>>>> Now it's a serious security but not OOTB. So I see 2 possibilities.
>>>>
>>>> 1. Ask the ASF for a derogation (after all it's a Java issue not an
>>>> OFBiz one)
>>>> 2. Do what I said before AND change the Gradle "ofbizSecure" tasks
>>>>
>>>> Opinions?
>>>>
>>>> Jacques
>>>>
>>>>
>>>> On 07/09/2016 at 14:01, Jacques Le Roux wrote:
>>>>
>>>> Yes I see no problems with that. I just need to add directions for users
>>>>> before. I'll then remove the jars... very soon...
>>>>>
>>>>> Jacques
>>>>>
>>>>>
>>>>> On 07/09/2016 at 13:09, Jacopo Cappellato wrote:
>>>>>
>>>>> Jacques, any news from notsoserial?
>>>>>> If not, I think we can proceed by (temporarily) removing the jars
>>>>>> until they will publish the jar.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Jacopo
>>>>>>
>>>>>> On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux <
>>>>>> jacques.le.r...@les7arts.com> wrote:
>>>>>>
>>>>>>> Yes that's what I proposed also, I will try that before the worse
>>>>>>> solution as Taher called them, would you help?
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 20/08/2016 at 08:32, Pierre Smits wrote:
>>>>>>>
>>>>>>> Hi Jacques,
>>>>>>>
>>>>>>>> Why not try to convince the people behind notsoserial to have them
>>>>>>>> push the library to maven central and/or jpublish? Instead of this
>>>>>>>> community doing the work?
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>>
>>>>>>>> Pierre Smits
>>>>>>>>
>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>> OFBiz based solutions & services
>>>>>>>>
>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>
>
