Hi Jeff, hey, thanks a lot! This is great plus, that the archetype release also seems to fit as a follow-up release!
The NVD-CVE vulnerability checks/report warnings have to be always rechecked (they are just hints and may be suppressed). I think the two warnings (mail, jython) do not apply, except may be CVE-2016-4000, published July 06, 2017 (Jython): "Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object." - the site http://www.jython.org/latest.html lists Jython 2.7rc3 (NOT 2.7.1) as the latest release and under downloads "The most current stable release of Jython is 2.7.0. For production purposes, please use this version."). As it seems the recommended version is not yet released until now (as a maven dependency). But anyway Jython is just an optional dependency and must be included explicitely. The warning should be considered, if needed, as a hint, what to do .. Best regards, Georg Von: Jeffery Painter <[email protected]> An: Turbine Developers List <[email protected]> Kopie: Georg Kallidis <[email protected]> Datum: 25.10.2017 19:44 Betreff: Re: Antwort: [VOTE] Release Turbine-Core 4.0 based on staged repository Hi Georg, I was able to build from source and there were zero failed tests. My build environment is Ubuntu 17.04, Maven 3.5.0 and JDK 1.8.0_144 [x] +1 release it [ ] +0 go ahead I don't care [ ] -1 no, do not release it because I updated the maven archetype to point to my local repo install of this artifact, and I was able to successfully launch a new app (with some minor modifications required to get the database stuff working and Tomcat / Eclipse ) - otherwise, it looks good to me. There were a couple of NVD-CVE's reported (jython and javax.mail I recall), but not sure if those are worth holding back on the release for. Thanks! Jeff On 2017-10-25 8:02 am, Georg Kallidis wrote: > my vote: > > [x] +1 release it > [ ] +0 go ahead I don't care > [ ] -1 no, do not release it because > > -Georg > > > > Von: "Georg Kallidis" <[email protected]> > An: "Turbine Developers List" <[email protected]>, > [email protected] > Datum: 25.10.2017 14:00 > Betreff: [VOTE] Release Turbine-Core 4.0 based on staged > repository > > > > Hi Turbine Devs, > > a release candidate for the Turbine Core Component, version 4.0 has > been > prepared. > > It contains performance, security fixes, version updates, cleanups, > etc., > cft. to the changes report in the generated project report: > http://turbine.apache.org/turbine/turbine-4.0/changes-report.html > > o Updated dependencies > - fulcrum-security to 1.1.1 > - fulcrum-intake to 1.2.2 > o New dependencies > - slf4j-api 1.7.25 > - slf4j-log4j12 1.7.25 (delegate slf4j to log4j) > - jcl-over-slf4j 1.7.25 (redirect jcl to slf4j) > o Removed dependencies > - xstream > - excalibur > > Tests > o New dependencies > - Mockito 2.0.2-beta > o Removed dependencies > - Mockobjects > > Please verify this release candidate carefully and vote. > > Tag: > https://svn.apache.org/repos/asf/turbine/core/tags/turbine-4.0 > > Artifacts: > https://repository.apache.org/content/repositories/orgapacheturbine-1024 > > Site: > http://turbine.apache.org/turbine/turbine-4.0/ > > --------------------------------------- > Wiki: > https://wiki.apache.org/turbine > > Main Turbine site: > http://turbine.apache.org/ > > Current Development site: > http://turbine.apache.org/turbine/development/turbine-4.1/ > > ... will be updated after the release is done. > > Help always welcome! > ---------------------------------------- > > [ ] +1 release it > [ ] +0 go ahead I don't care > [ ] -1 no, do not release it because > > Thanks! > > Best regards, Georg. > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
