At 10:06 AM -0500 2/16/06, Frank W. Zammetti wrote:
On Thu, February 16, 2006 9:45 am, Niall Pemberton said:
 My view is that this is a "security hole" that we are fixing, not adding
 a new feature. I also think that the original RequestProcessor and
 TilesRequestProcessor offer people a way of upgrading to 1.3 and use
 tried and tested code - without having to adopt the CoR
 implementation.

 Since I have implemented the Cancellable behaviour in the 1.2.x
 branch, then either it needs also applying to the 1.3 branch or that
 change needs to be reversed.

 We probably should release a Struts 1.2.9 to fix this issue and the
 "DOS attack" issue and I am willing to do that - probably have time in
 a couple of weeks.

+1 to Niall's comments, and therefore a non-binding -1 to tagging the
repository... I don't see the point in even simply tagging if there are
two outstanding security issues.

I think it's fine if Struts 1.3.0 is understood to not be expected to reach GA status. I think we should go ahead and cut the release, and expect that it will be "beta" at best. I don't think the issues Niall raised are things that are unheard of in a beta.

We don't seem to have actually narrowed in on a process which lets us cut releases as frequently as we thought we would when we adopted the Apache numbering scheme, but by the ideal process, it's not a real big deal to put the tag on and push the thing out the door.

If people agree with some of the recent concerns about the API, like the naming and responsibility of the ActionContext class, then they could vote to mark the release merely Alpha -- but that doesn't mean there shouldn't be a release.

Joe
--
Joe Germuska
[EMAIL PROTECTED] * http://blog.germuska.com
"You really can't burn anything out by trying something new, and
even if you can burn it out, it can be fixed.  Try something new."
        -- Robert Moog
