On Thu, Sep 8, 2016 at 2:54 PM, Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> ...
> How do you expect to warn users about deserialization driven attacks? I
> mean people can have such a risk w/o using RMI, deserialization driven
> attacks are not only about RMI.


In my opinion a message in the OFBiz README file or in our download page
would be more effective than the current content of
tools/security/notsoserial.


>
>
>>> BTW, when you say "We could always bundle it in another release soon" do
>>> you expect to freeze and release R16 very soon?
>>>
>> I am sorry but I don't get your question.
>>
>
> Simpler question: when would you expect to bundle it?
>

Maybe simpler, but still not very clear: anyway, if you are asking about my
expectations for the creation of the release branch release16.09 and for
its subsequent release, then they are based on the output of the thread
with title "Creating a new release branch in preparation for the new
release": please refer to it. But in short I hope to create the branch by
the end of this week and then start the thread about how/when to do the
release.

Jacopo


>
> Jacques
>
>
>> Jacopo
>>
>>
>
