Scratch that; actually only the -D arguments are ignored. We must remove the -javaagent argument because it's not a classpath argument and would crash the VM.
But for consistency's sake, let's remove them all for now. So simply we apply:

Index: build.gradle =================================================================== --- build.gradle (revision 1759596) +++ build.gradle (working copy)
@@ -31,11 +31,7 @@ ext.os = System.getProperty('os.name').toLowerCase() // java settings -def jvmArguments = ['-Xms128M', '-Xmx1024M', - "-javaagent:${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar", - "-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoserial/empty.txt", - "-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/is-deserialized.txt", - "-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/deserialize-trace.txt"] +def jvmArguments = ['-Xms128M', '-Xmx1024M'] ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start' javadoc.failOnError = false sourceCompatibility = '1.8'

On Wed, Sep 7, 2016 at 9:04 PM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

> OK Cool, if the JVM arguments are simply ignored, then I will proceed with an addition in the readme and remove the jar, simple
>
> Jacques
>
> On 07/09/2016 at 17:16, Jacopo Cappellato wrote:
>
>> Thank you Jacques and Taher.
>>
>> So it seems we can move on and temporarily remove the jar.
>>
>> Jacopo
>>
>> On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb <slidingfilame...@gmail.com> wrote:
>>
>>> Hi Jacques,
>>>
>>> First of all the ofbizSecure task is gone; instead everything calls the correct jvm arguments by default to fetch notsoserial.
>>>
>>> The work to remove notsoserial is almost nothing. You just need to remove a few jvm args and that's it. Even if you don't remove the jvm args nothing happens because it will just ignore it as missing from the classpath.
>>>
>>> Taher Alkhateeb
>>>
>>> On Sep 7, 2016 5:48 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com> wrote:
>>>
>>>> Huho, I was too fast on this. Currently the Gradle "ofbizSecure" task depends on the notsoserial-1.0-SNAPSHOT.jar
>>>>
>>>> So this would need more work and w/o answers from them I suspect they will not publish the jar.
>>>>
>>>> Now it's a serious security but not OOTB. So I see 2 possibilities.
>>>>
>>>> 1. Ask the ASF for a derogation (after all it's a Java issue not an OFBiz one)
>>>> 2. Do what I said before AND change the Gradle "ofbizSecure" tasks
>>>>
>>>> Opinions?
>>>>
>>>> Jacques
>>>>
>>>> On 07/09/2016 at 14:01, Jacques Le Roux wrote:
>>>>
>>>>> Yes I see no problems with that. I just need to add directions for users before. I'll then remove the jars... very soon...
>>>>>
>>>>> Jacques
>>>>>
>>>>> On 07/09/2016 at 13:09, Jacopo Cappellato wrote:
>>>>>
>>>>>> Jacques, any news from notsoserial?
>>>>>> If not, I think we can proceed by (temporarily) removing the jars until they will publish the jar.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Jacopo
>>>>>>
>>>>>> On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:
>>>>>>
>>>>>>> Yes that's what I proposed also, I will try that before the worse solution as Taher called them, would you help?
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>> On 20/08/2016 at 08:32, Pierre Smits wrote:
>>>>>>>
>>>>>>>> Hi Jacques,
>>>>>>>>
>>>>>>>> Why not try to convince the people behind notsoserial to have them push the library to maven central and/or jpublish? Instead of this community doing the work?
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>>
>>>>>>>> Pierre Smits
>>>>>>>>
>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>> OFBiz based solutions & services
>>>>>>>>
>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>> http://oem.ofbizci.net/oci-2/
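Review bot: missing documentation for the four arguments removed in the build.gradle hunk. The readme addition Jacques mentions is not part of this change, and the removed lines are the only record of how notsoserial was wired in: the `-javaagent:${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar` line crashes the VM when the jar is absent (as stated at the top of this message), while the three `-Dnotsoserial.*` properties are merely ignored, so a user who later wants the agent back needs the jar under `tools/security/notsoserial/` before re-adding that line. Suggest the readme quote the four removed entries verbatim, in the order they appear in the hunk, and state whether `empty.txt` and the two output files named by the `-Dnotsoserial.dryrun` and `-Dnotsoserial.trace` properties remain in the tree after the jar is removed. The commit message should also say that this drops the deserialization whitelist/dry-run/trace configuration, not just an unpublished dependency, so the security change is visible in the log.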