Re: [draft] Board report is due Dec 20.

2017-12-15 Thread Gary Gregory
The report has been sent to the board for the December 20th meeting.

Gary

On Wed, Dec 13, 2017 at 1:38 PM, Gary Gregory wrote:

> Please advise if you think something should be changed:
> --
>
> ## Description:
> - The Apache Commons project focuses on all aspects of reusable Java
> components.
>
> - The Apache Commons components are widely used in many projects, both within
>   Apache and without. Any ASF committer can commit to Apache Commons.
>
> - The last report was for the meeting of September 20, 2017.
>
> ## Issues:
>  - There are no issues requiring board attention at this time.
>
> ## Activity:
>  - The project is active with twelve (12) releases this reporting period.
>
> ## Health report:
>  - Most components in Commons are mature, but are still actively maintained
>    (12 releases). The dev list is active. JIRA is active. Speed of responses
>    to users is reasonable in most cases. We have no new PMC members, no new
>    committers, and Commons is still open to any Apache Committer.
>  - Previous growing pains toward Commons Math 4 might see resolution with a
>    plan toward splitting off Commons Math into new components.
>
> ## PMC changes:
>
>  - Currently 38 PMC members.
>  - No new PMC members added in the last 3 months
>  - Last PMC addition was Rob Tompkins on Fri Jun 30 2017
>
> ## Committer base changes:
>
>  - Currently 146 committers.
>  - Sergio Fernández was added as a committer on Sat Nov 04 2017
>
> ## Releases:
>
>  - BCEL-6.1 was released on Sun Sep 17 2017
>  - BCEL-6.2 was released on Thu Dec 07 2017
>  - CODEC-1.11 was released on Thu Oct 19 2017
>  - COMPRESS-1.15 was released on Mon Oct 16 2017
>  - CONFIGURATION-2.2 was released on Wed Oct 11 2017
>  - DAEMON-1.1.0 was released on Tue Nov 21 2017
>  - IO-2.6 was released on Sat Oct 14 2017
>  - JELLY-1.0.1 was released on Sat Sep 23 2017
>  - LANG-3.7 was released on Tue Nov 07 2017
>  - POOL-2.4.3 was released on Fri Oct 27 2017
>  - TEXT-1.2 was released on Mon Dec 11 2017
>  - VFS-2.2 was released on Thu Oct 05 2017
>
> ## JIRA activity:
>
>  - 171 JIRA tickets created in the last 3 months
>  - 228 JIRA tickets closed/resolved in the last 3 months
>
> Gary Gregory
> Apache Commons Chair
>


Re: Security mailing list

2017-12-15 Thread sebb
On 15 December 2017 at 16:12, Matt Sicker  wrote:
> There certainly are several ASF projects that have dedicated security@
> mailing lists (e.g., Tomcat has one). Would bug reporters still just email
> secur...@apache.org and then security@ would forward to the appropriate
> commons list?

Either.

If they mail security@a.o then they will forward to security@commons

If they mail security@commons, then security@a.o is automatically copied.

> On 15 December 2017 at 08:03, Gilles  wrote:
>
>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>>> Hi,
>>>
>>> over the last months we have definitely seen our share of security
>>> related issues. However, I also noticed that we had a tendency to
>>> lose these threads in the overall noise, resulting in mails like "Did
>>> anyone reply to the reporter?"
>>>
>>> No, according to Linus Torvalds, that is perfectly fine, because a
>>> security issue is "just another bug". However, I am not Linus, and
>>> would like to see these things in a better state.
>>>
>>> As a consequence, I'd like to question how others are handling this.
>>> Could we have a mailing list, like secur...@commons.apache.org,
>>>
>>
>> +1
>>
>> Gilles
>>
>>> preferably with subscription limited to private@ members, and
>>> secur...@apache.org subscribed automatically. (In theory, we could
>>> subscribe selected committers, too.)
>>>
>>> At the very least, this would allow us to create a filter for security
>>> related messages, thereby concentrating our attention.
>>>
>>> Jochen
>>>
>>
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org
>>
>>
>
>
> --
> Matt Sicker 




Re: Security mailing list

2017-12-15 Thread Matt Sicker
There certainly are several ASF projects that have dedicated security@
mailing lists (e.g., Tomcat has one). Would bug reporters still just email
secur...@apache.org and then security@ would forward to the appropriate
commons list?

On 15 December 2017 at 08:03, Gilles  wrote:

> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>
>> Hi,
>>
>> over the last months we have definitely seen our share of security
>> related issues. However, I also noticed that we had a tendency to
>> lose these threads in the overall noise, resulting in mails like "Did
>> anyone reply to the reporter?"
>>
>> No, according to Linus Torvalds, that is perfectly fine, because a
>> security issue is "just another bug". However, I am not Linus, and
>> would like to see these things in a better state.
>>
>> As a consequence, I'd like to question how others are handling this.
>> Could we have a mailing list, like secur...@commons.apache.org,
>>
>
> +1
>
> Gilles
>
>> preferably with subscription limited to private@ members, and
>> secur...@apache.org subscribed automatically. (In theory, we could
>> subscribe selected committers, too.)
>>
>> At the very least, this would allow us to create a filter for security
>> related messages, thereby concentrating our attention.
>>
>> Jochen
>>
>
>
>
>


-- 
Matt Sicker 


Re: [All] Finer-grained MLs

2017-12-15 Thread Gilles

On Fri, 15 Dec 2017 15:17:43 +, sebb wrote:
> On 15 December 2017 at 14:08, Gilles wrote:
>> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>>
>>> [...]
>>> Could we have a mailing list, like secur...@commons.apache.org,
>>> [...]
>>
>> I'd like to expand the suggestion: make component-specific MLs for
>> automatically generated messages (GitHub, JIRA, Nexus) so that people
>> not actively involved in the development of  are not
>> overwhelmed by posts that are always to be deleted (in which case it
>> is rather more efficient to avoid sending it in the first place).
>
> -1
>
> For the same reason that commit messages are of concern to all Commons
> developers.

YMMV.
They are not if the only action is always "Move to trash".
Such messages are useful only to those who decide so.  They can
subscribe to as many lists as they want.
Why should others be annoyed by pull request notices if they are
never going to apply/read them?

Even worse, I receive some messages twice!
Sometimes there are so many of them that they are blocked by the ISP.
Hence I may be missing the one important (human-generated) message
because of the heap of information-less crap.

In case you did not notice, I'm not asking to split "dev"!
Only "issues".

The "concern" only applies to the assumption that committed code
is hopefully reviewed by (some of) the developers.
Or do I miss something? [We did not need nor use those automated
messages for years... The flood of mails is not an improvement!]

> Such messages are easy enough to filter if required.

YMMV.
It is healthier to not emit pollution than to filter it.

Gilles

>> Of course, this opt-out would not concern "commit" messages.
>>
>> Gilles





Re: [All] Finer-grained MLs (Was: Security mailing list)

2017-12-15 Thread sebb
On 15 December 2017 at 14:08, Gilles  wrote:
> On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
>>
>> [...]
>> Could we have a mailing list, like secur...@commons.apache.org,
>> [...]
>
>
> I'd like to expand the suggestion: make component-specific MLs for
> automatically generated messages (GitHub, JIRA, Nexus) so that people
> not actively involved in the development of  are not
> overwhelmed by posts that are always to be deleted (in which case it
> is rather more efficient to avoid sending it in the first place).

-1

For the same reason that commit messages are of concern to all Commons
developers.

Such messages are easy enough to filter if required.

> Of course, this opt-out would not concern "commit" messages.
>
> Gilles
>
>



[All] Finer-grained MLs (Was: Security mailing list)

2017-12-15 Thread Gilles

On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
> [...]
> Could we have a mailing list, like secur...@commons.apache.org,
> [...]


I'd like to expand the suggestion: make component-specific MLs for
automatically generated messages (GitHub, JIRA, Nexus) so that people
not actively involved in the development of  are not
overwhelmed by posts that are always to be deleted (in which case it
is rather more efficient to avoid sending it in the first place).

Of course, this opt-out would not concern "commit" messages.

Gilles





Re: Security mailing list

2017-12-15 Thread Gilles

On Fri, 15 Dec 2017 12:13:12 +0100, Jochen Wiedmann wrote:
> Hi,
>
> over the last months we have definitely seen our share of security
> related issues. However, I also noticed that we had a tendency to
> lose these threads in the overall noise, resulting in mails like "Did
> anyone reply to the reporter?"
>
> No, according to Linus Torvalds, that is perfectly fine, because a
> security issue is "just another bug". However, I am not Linus, and
> would like to see these things in a better state.
>
> As a consequence, I'd like to question how others are handling this.
> Could we have a mailing list, like secur...@commons.apache.org,

+1

Gilles

> preferably with subscription limited to private@ members, and
> secur...@apache.org subscribed automatically. (In theory, we could
> subscribe selected committers, too.)
>
> At the very least, this would allow us to create a filter for security
> related messages, thereby concentrating our attention.
>
> Jochen






Re: [VOTE] Release Commons JCS 2.2.1 based on RC3

2017-12-15 Thread Romain Manni-Bucau
Here is what I tested:

1. svn co 
2. mvn clean install
3. mvn source:jar

=> the same trash is here

4. mvn clean source:jar

=> same happens

so I guess something more fishy happens :(


Romain Manni-Bucau

2017-12-15 13:51 GMT+01:00 sebb :

> The other possible cause is a bad unit test that does not clear up
> properly.
> I have seen that in other releases where test output ended up in the
> main source archives.
>
> Try a clean checkout followed by a test and see if the files are created.
>
> On 15 December 2017 at 05:58, Romain Manni-Bucau wrote:
> > Tmp is cause i cloned it freshly from so hope not. And even if so then how
> > can it end up with this path?
> >
> > On 15 Dec 2017 01:45, "sebb" wrote:
> >
> >> On 14 December 2017 at 21:58, Romain Manni-Bucau wrote:
> >> > Wonder how this one can happen
> >>
> >> Unclean workspace?
> >>
> >> RCs should be built from a clean checkout of the tag.
> >>
> >> > On 14 Dec 2017 22:10, "Gary Gregory" wrote:
> >> >
> >> >> On Thu, Dec 14, 2017 at 1:32 PM, Oliver Heger <oliver.he...@oliver-heger.de>
> >> >> wrote:
> >> >>
> >> >> >
> >> >> >
> >> >> > On 14.12.2017 at 01:38, Gary Gregory wrote:
> >> >> > > On Wed, Dec 13, 2017 at 2:03 PM, Oliver Heger <oliver.he...@oliver-heger.de>
> >> >> > > wrote:
> >> >> > >
> >> >> > >> Hi,
> >> >> > >>
> >> >> > >> thank you for your patience.
> >> >> > >>
> >> >> > >> Build works fine with Java 1.7 on Windows 10 (because of the Java 8
> >> >> > >> Javadoc errors I built the site with 1.7).
> >> >> > >>
> >> >> > >> I have some minor findings:
> >> >> > >> - As Bruno already noticed, the release notes contain this strange text.
> >> >> > >> - In README.md the current version for the dependency should be updated.
> >> >> > >> - The jars with the sources contain spurious folders.
> >> >> > >>
> >> >> > >
> >> >> > > Can you be more specific please?
> >> >> >
> >> >> > If you open for instance commons-jcs-core-2.2.1-sources.jar from the
> >> >> > binary distribution, the jar contains a folder with an empty name and
> >> >> > one empty folder named "commons-jcs-core-2.2.1-sources". The folder with
> >> >> > the empty name has a path of sub folders down to
> >> >> > commons-jcs-core-2.2.1-sources.jar\\tmp\commons-jcs-2.2.1-RC3\commons-jcs-core\target\classes\META-INF\
> >> >> >
> >> >>
> >> >> Yuck! ;-)
> >> >>
> >> >> Gary
> >> >>
> >> >> >
> >> >> > Oliver
> >> >> >
> >> >> > >
> >> >> > > Gary
> >> >> > >
> >> >> > >
> >> >> > >> - There are many Findbugs violations.
> >> >> > >>
> >> >> > >> The text in the release notes is really annoying, the other things are
> >> >> > >> not really blocking. But in total it prevents me from voting +1. So I am
> >> >> > >> rather +0.
> >> >> > >>
> >> >> > >> Oliver
> >> >> > >>
> >> >> > >> On 13.12.2017 at 09:02, Romain Manni-Bucau wrote:
> >> >> > >>> As discussed quite verbosely already I'd like to release JCS 2.2.1. I
> >> >> > >>> followed the commons procedure this time and hope it works for you.
> >> >> > >>>
> >> >> > >>> JCS 2.2.1 RC3 is available for review here:
> >> >> > >>> https://dist.apache.org/repos/dist/dev/commons/jcs/ (svn revision 23702)
> >> >> > >>>
> >> >> > >>> The tag is here:
> >> >> > >>>
> >> >> > >>> http://svn.apache.org/repos/asf/commons/proper/jcs/tags/commons-jcs-2.2.1-RC3/
> >> >> > >>> (svn revision 1817933)
> >> >> > >>>
> >> >> > >>> Maven artifacts are here:
> >> >> > >>> https://repository.apache.org/content/repositories/orgapachecommons-1298
> >> >> > >>>
> >> >> > >>> I have tested this with JDK 7, 8 using Maven 3.5.0.
> >> >> > >>>
> >> >> > >>> Details of changes since 2.2 are in the release notes:
> >> >> > >>> https://dist.apache.org/repos/dist/dev/commons/jcs/RELEASE-NOTES.txt
> >> >> > >>>
> >> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/changes-report.html
> >> >> > >>>
> >> >> > >>> Site:
> >> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/
> >> >> > >>>
> >> >> > >>> Clirr Report (compared to 2.2):
> >> >> > >>>
> >> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/commons-jcs-core/clirr-report.html
> >> >> > >>>
> >> >> > >>> RAT Report:
> >> >> > >>>
> >> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/rat-report.html
> >> >> > >>> (the zipcodes.txt file is intended to not have headers)
> >> >> > >>>
> >> >> > >>> KEYS:
> >> >> > >>>   https://www.apache.org/dist/commons/KEYS
> >> >> > >>>
> >> >> > >>> Please review the release candidate and vote.
> >> >> > >>> This vote will close n

Re: [VOTE] Release Commons JCS 2.2.1 based on RC3

2017-12-15 Thread sebb
The other possible cause is a bad unit test that does not clear up properly.
I have seen that in other releases where test output ended up in the
main source archives.

Try a clean checkout followed by a test and see if the files are created.

On 15 December 2017 at 05:58, Romain Manni-Bucau  wrote:
> Tmp is cause i cloned it freshly from so hope not. And even if so then how
> can it end up with this path?
>
> On 15 Dec 2017 01:45, "sebb" wrote:
>
>> On 14 December 2017 at 21:58, Romain Manni-Bucau wrote:
>> > Wonder how this one can happen
>>
>> Unclean workspace?
>>
>> RCs should be built from a clean checkout of the tag.
>>
>> > On 14 Dec 2017 22:10, "Gary Gregory" wrote:
>> >
>> >> On Thu, Dec 14, 2017 at 1:32 PM, Oliver Heger <oliver.he...@oliver-heger.de>
>> >> wrote:
>> >>
>> >> >
>> >> >
>> >> > On 14.12.2017 at 01:38, Gary Gregory wrote:
>> >> > > On Wed, Dec 13, 2017 at 2:03 PM, Oliver Heger <oliver.he...@oliver-heger.de>
>> >> > > wrote:
>> >> > >
>> >> > >> Hi,
>> >> > >>
>> >> > >> thank you for your patience.
>> >> > >>
>> >> > >> Build works fine with Java 1.7 on Windows 10 (because of the Java 8
>> >> > >> Javadoc errors I built the site with 1.7).
>> >> > >>
>> >> > >> I have some minor findings:
>> >> > >> - As Bruno already noticed, the release notes contain this strange text.
>> >> > >> - In README.md the current version for the dependency should be updated.
>> >> > >> - The jars with the sources contain spurious folders.
>> >> > >>
>> >> > >
>> >> > > Can you be more specific please?
>> >> >
>> >> > If you open for instance commons-jcs-core-2.2.1-sources.jar from the
>> >> > binary distribution, the jar contains a folder with an empty name and
>> >> > one empty folder named "commons-jcs-core-2.2.1-sources". The folder with
>> >> > the empty name has a path of sub folders down to
>> >> > commons-jcs-core-2.2.1-sources.jar\\tmp\commons-jcs-2.2.1-RC3\commons-jcs-core\target\classes\META-INF\
>> >> >
>> >>
>> >> Yuck! ;-)
>> >>
>> >> Gary
>> >>
>> >> >
>> >> > Oliver
>> >> >
>> >> > >
>> >> > > Gary
>> >> > >
>> >> > >
>> >> > >> - There are many Findbugs violations.
>> >> > >>
>> >> > >> The text in the release notes is really annoying, the other things are
>> >> > >> not really blocking. But in total it prevents me from voting +1. So I am
>> >> > >> rather +0.
>> >> > >>
>> >> > >> Oliver
>> >> > >>
>> >> > >> On 13.12.2017 at 09:02, Romain Manni-Bucau wrote:
>> >> > >>> As discussed quite verbosely already I'd like to release JCS 2.2.1. I
>> >> > >>> followed the commons procedure this time and hope it works for you.
>> >> > >>>
>> >> > >>> JCS 2.2.1 RC3 is available for review here:
>> >> > >>> https://dist.apache.org/repos/dist/dev/commons/jcs/ (svn revision 23702)
>> >> > >>>
>> >> > >>> The tag is here:
>> >> > >>>
>> >> > >>> http://svn.apache.org/repos/asf/commons/proper/jcs/tags/commons-jcs-2.2.1-RC3/
>> >> > >>> (svn revision 1817933)
>> >> > >>>
>> >> > >>> Maven artifacts are here:
>> >> > >>> https://repository.apache.org/content/repositories/orgapachecommons-1298
>> >> > >>>
>> >> > >>> I have tested this with JDK 7, 8 using Maven 3.5.0.
>> >> > >>>
>> >> > >>> Details of changes since 2.2 are in the release notes:
>> >> > >>> https://dist.apache.org/repos/dist/dev/commons/jcs/RELEASE-NOTES.txt
>> >> > >>>
>> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/changes-report.html
>> >> > >>>
>> >> > >>> Site:
>> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/
>> >> > >>>
>> >> > >>> Clirr Report (compared to 2.2):
>> >> > >>>
>> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/commons-jcs-core/clirr-report.html
>> >> > >>>
>> >> > >>> RAT Report:
>> >> > >>>
>> >> > >>> http://home.apache.org/~rmannibucau/commons-jcs-2.2.1-RC3/rat-report.html
>> >> > >>> (the zipcodes.txt file is intended to not have headers)
>> >> > >>>
>> >> > >>> KEYS:
>> >> > >>>   https://www.apache.org/dist/commons/KEYS
>> >> > >>>
>> >> > >>> Please review the release candidate and vote.
>> >> > >>> This vote will close no sooner than 72 hours from now,
>> >> > >>> i.e. sometime after 08:15 UTC 16-December 2017
>> >> > >>>
>> >> > >>>   [ ] +1 Release these artifacts
>> >> > >>>   [ ] +-0 Don't care
>> >> > >>>   [ ] -1 I oppose this release ${because}
>> >> > >>>
>> >> > >>> Thanks!
>> >> > >>> Romain
>> >> > >>>
>> >> > >>
>> >> > >>
>> >> > >>
>> >> > >
>> >> >
>> >> > -
>> >> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> >> > For additional commands, e-mail:
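
A check for the kind of stray entries reported in this thread, as an added example that is not part of any message here or of the Commons JCS build: it lists the entries of a jar and flags absolute paths, parent-directory segments, leaked build directories and empty folders. The sample jar, its entry names and the `BUILD_MARKERS` list are constructed for illustration.

```python
import io
import re
import zipfile

# Assumed markers of build-workspace leakage for a Maven project (not from the thread).
BUILD_MARKERS = ("target/classes", "target/test-classes")


def audit_entries(names):
    """Map each suspicious archive entry name to the reasons it was flagged."""
    names = [n.replace("\\", "/") for n in names]
    files = [n for n in names if not n.endswith("/")]
    findings = {}
    for name in names:
        reasons = []
        # A leading separator or drive letter means the entry was stored with an
        # absolute path; archive viewers show "/tmp/..." as a folder with no name.
        if name.startswith("/") or re.match(r"[A-Za-z]:/", name):
            reasons.append("absolute path")
        if ".." in name.split("/"):
            reasons.append("parent traversal")
        if any(marker in name for marker in BUILD_MARKERS):
            reasons.append("build directory")
        # A directory entry with no file stored beneath it carries no content.
        if name.endswith("/") and not any(f.startswith(name) for f in files):
            reasons.append("empty directory")
        if reasons:
            findings[name] = reasons
    return findings


def audit_jar(data):
    """Audit the entry names of a jar/zip given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return audit_entries(jar.namelist())


def build_sample_jar():
    """Constructed sample: two legitimate entries plus the two reported oddities."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/commons/jcs/Example.java", "// constructed\n")
        jar.writestr("commons-jcs-core-2.2.1-sources/", "")
        jar.writestr(
            "/tmp/commons-jcs-2.2.1-RC3/commons-jcs-core/target/classes/META-INF/", "")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in audit_jar(build_sample_jar()).items():
        print(f"{entry}: {', '.join(reasons)}")
```

Run against every jar of a release candidate, an empty result is what a build from a clean checkout of the tag should produce.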

Security mailing list

2017-12-15 Thread Jochen Wiedmann
Hi,

over the last months we have definitely seen our share of security
related issues. However, I also noticed that we had a tendency to
lose these threads in the overall noise, resulting in mails like "Did
anyone reply to the reporter?"

No, according to Linus Torvalds, that is perfectly fine, because a
security issue is "just another bug". However, I am not Linus, and
would like to see these things in a better state.

As a consequence, I'd like to question how others are handling this.
Could we have a mailing list, like secur...@commons.apache.org,
preferably with subscription limited to private@ members, and
secur...@apache.org subscribed automatically. (In theory, we could
subscribe selected committers, too.)

At the very least, this would allow us to create a filter for security
related messages, thereby concentrating our attention.

Jochen


-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
