Re: [ALL] Security tab on GitHub

2020-08-22 Thread sebb
On Sat, 22 Aug 2020 at 23:45, Gary Gregory  wrote:
>
> On Sat, Aug 22, 2020 at 4:50 PM sebb  wrote:
>
> > On Sat, 22 Aug 2020 at 17:13, Gilles Sadowski 
> > wrote:
> > >
> > > 2020-08-22 16:02 UTC+02:00, Gary Gregory :
> > > > Here is a first cut:
> > > >
> > > > https://github.com/apache/commons-io/security/policy
> >
> > Why does IO have links to Known Vulnerabilities for Compress,
> > Collections etc, but not IO?
> >
>
> That's just a reflection of what is here:
> http://commons.apache.org/security.html

The above is fine, because it is clearly a page that relates to all of Commons.

However when the page is specific to a single component, it is
misleading to show links for other components.

> Gary
>
>
> >
> > > And here is my suggestion:
> > > https://github.com/apache/commons-rng/security/policy
> >
> > I'm inclined to agree with Gilles here; a simple link is sufficient.
> >
> > No need to update multiple files when the text has to be updated.
> >
> > > YMMV,
> > > Gilles
> > >
> > > > [...]
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > For additional commands, e-mail: dev-h...@commons.apache.org
> > >
> >




[Crypto] requesting help testing native binaries

2020-08-22 Thread Gary Gregory
Hi all,

I intend on creating a release candidate for Commons Crypto soon.

I pushed a snapshot today which contains native binaries for Windows 32 and
64, Linux 32 and 64, Mac 64, and ARM and ARM HF.

Please help test these on whatever platforms you may have access to.

Gary


Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gary Gregory
On Sat, Aug 22, 2020 at 4:50 PM sebb  wrote:

> On Sat, 22 Aug 2020 at 17:13, Gilles Sadowski 
> wrote:
> >
> > 2020-08-22 16:02 UTC+02:00, Gary Gregory :
> > > Here is a first cut:
> > >
> > > https://github.com/apache/commons-io/security/policy
>
> Why does IO have links to Known Vulnerabilities for Compress,
> Collections etc, but not IO?
>

That's just a reflection of what is here:
http://commons.apache.org/security.html

Gary


>
> > And here is my suggestion:
> > https://github.com/apache/commons-rng/security/policy
>
> I'm inclined to agree with Gilles here; a simple link is sufficient.
>
> No need to update multiple files when the text has to be updated.
>
> > YMMV,
> > Gilles
> >
> > > [...]
> >


Re: [ALL] Security tab on GitHub

2020-08-22 Thread sebb
On Sat, 22 Aug 2020 at 17:13, Gilles Sadowski  wrote:
>
> 2020-08-22 16:02 UTC+02:00, Gary Gregory :
> > Here is a first cut:
> >
> > https://github.com/apache/commons-io/security/policy

Why does IO have links to Known Vulnerabilities for Compress,
Collections etc, but not IO?

> And here is my suggestion:
> https://github.com/apache/commons-rng/security/policy

I'm inclined to agree with Gilles here; a simple link is sufficient.

No need to update multiple files when the text has to be updated.

> YMMV,
> Gilles
>
> > [...]
>



Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gilles Sadowski
2020-08-22 16:02 UTC+02:00, Gary Gregory :
> Here is a first cut:
>
> https://github.com/apache/commons-io/security/policy

And here is my suggestion:
https://github.com/apache/commons-rng/security/policy

YMMV,
Gilles

> [...]




Re: [ALL] Security tab on GitHub

2020-08-22 Thread Rob Tompkins
I don’t see any harm having more documentation. It’s kinda like the Apple
philosophy of trying to make everything that someone would think of doing on a
computer, actually work like they think it would…right? The more intuitive we
can make things the better we will end up being, I would think.

Thoughts?

-Rob

> On Aug 22, 2020, at 11:26 AM, Gilles Sadowski  wrote:
> 
> 2020-08-22 16:40 UTC+02:00, Gary Gregory :
>> Two items: (1) security is different
> 
> from what?
> 
>> because, well, it seems obvious to me
>> that anything security related should be as accessible as possible as
>> opposed to going through an extra hoop
> 
> YMMV, but IMHO the (unique) "source of truth" is on the ASF
> web site(s):
>  https://apache.org 
>  https://commons.apache.org 
> 
> This
>  https://github.com/apache/commons-io/security/policy 
> 
> obviously (?) looks less authoritative.
> 
> and... makes for an "extra hoop".
> 
>> and (2) making/keeping our GitHub
>> presence a first class citizen in how we put a face on the project.
> 
> How does duplicate information improve anything
> (marketing or otherwise)?
> 
> Ultimately, reports still have to be posted to an ASF-hosted
> ML, and not on GH.
> 
> Gilles
> 
>> 
>> Gary
>> 
>> On Sat, Aug 22, 2020, 10:15 Gilles Sadowski  wrote:
>> 
>>> Hi.
>>> 
>>> 2020-08-22 15:26 UTC+02:00, Gary Gregory :
>>>> Hi All,
>>>>
>>>> You may have noticed (or not) that GitHub has a Security [1] tab for our
>>>> repositories. On this tab, you can define a Security Policy [2] in a
>>>> SECURITY.md (just like we have a README.md).
>>>>
>>>> I would like to fill this in with the same text we now have here:
>>>> https://commons.apache.org/security.html
>>>>
>>>> Each repository should end up with a SECURITY.md which in theory should
>>>> be the same.
>>> 
>>> As in code, I'd prefer to avoid such duplicated files; currently,
>>> as you point out above, this is managed via our common web
>>> site.
>>> I'm pretty sure the duplication will proceed; so at least, the
>>> contents of this file should just be a terse:
>>> ---CUT---
>>> To report a security problem, please read the
>>> [Apache Commons project's security
>>> page](https://commons.apache.org/security.html).
>>> ---CUT---
>>> 
>>> Regards,
>>> Gilles
>>> 
 
>>>> Gary
>>>>
>>>> [1] https://github.com/apache/commons-compress/security
>>>> [2] https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>>> 
>>> 
>>> 
>> 
> 
> 


Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gilles Sadowski
2020-08-22 16:40 UTC+02:00, Gary Gregory :
> Two items: (1) security is different

from what?

> because, well, it seems obvious to me
> that anything security related should be as accessible as possible as
> opposed to going through an extra hoop

YMMV, but IMHO the (unique) "source of truth" is on the ASF
web site(s):
  https://apache.org
  https://commons.apache.org

This
  https://github.com/apache/commons-io/security/policy
obviously (?) looks less authoritative.

and... makes for an "extra hoop".

> and (2) making/keeping our GitHub
> presence a first class citizen in how we put a face on the project.

How does duplicate information improve anything
(marketing or otherwise)?

Ultimately, reports still have to be posted to an ASF-hosted
ML, and not on GH.

Gilles

>
> Gary
>
> On Sat, Aug 22, 2020, 10:15 Gilles Sadowski  wrote:
>
>> Hi.
>>
>> 2020-08-22 15:26 UTC+02:00, Gary Gregory :
>> > Hi All,
>> >
>> > You may have noticed (or not) that GitHub has a Security [1] tab for
>> > our
>> > repositories. On this tab, you can define a Security Policy [2] in a
>> > SECURITY.md (just like we have a README.md).
>> >
>> > I would like to fill this in with the same text we now have here:
>> > https://commons.apache.org/security.html
>> >
>> > Each repository should end up with a SECURITY.md which in theory should
>> > be the same.
>>
>> As in code, I'd prefer to avoid such duplicated files; currently,
>> as you point out above, this is managed via our common web
>> site.
>> I'm pretty sure the duplication will proceed; so at least, the
>> contents of this file should just be a terse:
>> ---CUT---
>> To report a security problem, please read the
>> [Apache Commons project's security
>> page](https://commons.apache.org/security.html).
>> ---CUT---
>>
>> Regards,
>> Gilles
>>
>> >
>> > Gary
>> >
>> > [1] https://github.com/apache/commons-compress/security
>> > [2] https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>> >
>>
>>
>>
>




[ANNOUNCE] Apache Commons JCS 3.0 Released

2020-08-22 Thread Thomas Vandahl
The Apache Commons Team is pleased to announce the availability of
Apache Commons JCS 3.0

Apache Commons JCS is a distributed, versatile caching system.

This has been a major overhaul of JCS with many adjustments for JDK 8+,
better concurrency and logging.

Commons JCS 3.0 requires Java 8 or later.

The release notes can be reviewed at:
http://www.apache.org/dist/commons/jcs/RELEASE-NOTES.txt

Distribution packages can be downloaded from:
https://commons.apache.org/proper/commons-jcs/download_jcs.cgi

When downloading, please verify signatures using the KEYS file available
at: http://www.apache.org/dist/commons

More information and comprehensive documentation is available at:
https://commons.apache.org/proper/commons-jcs/

Maven artifacts are also available in the central Maven repository:
http://repo1.maven.org/maven2/org/apache/commons/jcs3

The Apache Commons Team





Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gary Gregory
Two items: (1) security is different because, well, it seems obvious to me
that anything security related should be as accessible as possible as
opposed to going through an extra hoop and (2) making/keeping our GitHub
presence a first class citizen in how we put a face on the project.

Gary

On Sat, Aug 22, 2020, 10:15 Gilles Sadowski  wrote:

> Hi.
>
> 2020-08-22 15:26 UTC+02:00, Gary Gregory :
> > Hi All,
> >
> > You may have noticed (or not) that GitHub has a Security [1] tab for our
> > repositories. On this tab, you can define a Security Policy [2] in a
> > SECURITY.md (just like we have a README.md).
> >
> > I would like to fill this in with the same text we now have here:
> > https://commons.apache.org/security.html
> >
> > Each repository should end up with a SECURITY.md which in theory should
> > be the same.
>
> As in code, I'd prefer to avoid such duplicated files; currently,
> as you point out above, this is managed via our common web
> site.
> I'm pretty sure the duplication will proceed; so at least, the
> contents of this file should just be a terse:
> ---CUT---
> To report a security problem, please read the
> [Apache Commons project's security
> page](https://commons.apache.org/security.html).
> ---CUT---
>
> Regards,
> Gilles
>
> >
> > Gary
> >
> > [1] https://github.com/apache/commons-compress/security
> > [2] https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
> >
>
>
>


Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gilles Sadowski
Hi.

2020-08-22 15:26 UTC+02:00, Gary Gregory :
> Hi All,
>
> You may have noticed (or not) that GitHub has a Security [1] tab for our
> repositories. On this tab, you can define a Security Policy [2] in a
> SECURITY.md (just like we have a README.md).
>
> I would like to fill this in with the same text we now have here:
> https://commons.apache.org/security.html
>
> Each repository should end up with a SECURITY.md which in theory should be
> the same.

As in code, I'd prefer to avoid such duplicated files; currently,
as you point out above, this is managed via our common web
site.
I'm pretty sure the duplication will proceed; so at least, the
contents of this file should just be a terse:
---CUT---
To report a security problem, please read the
[Apache Commons project's security
page](https://commons.apache.org/security.html).
---CUT---

Regards,
Gilles

>
> Gary
>
> [1] https://github.com/apache/commons-compress/security
> [2]
> https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>




Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gary Gregory
Here is a first cut:

https://github.com/apache/commons-io/security/policy

This is pretty much a copy of https://commons.apache.org/security.html with
an extra link, a spelling fix, and slightly different formatting.

Gary


On Sat, Aug 22, 2020 at 9:32 AM Gary Gregory  wrote:

> Actually, maybe our build plugin can generate this page like it generates
> others like README.md...
>
> Gary
>
> On Sat, Aug 22, 2020 at 9:26 AM Gary Gregory 
> wrote:
>
>> Hi All,
>>
>> You may have noticed (or not) that GitHub has a Security [1] tab for our
>> repositories. On this tab, you can define a Security Policy [2] in a
>> SECURITY.md (just like we have a README.md).
>>
>> I would like to fill this in with the same text we now have here:
>> https://commons.apache.org/security.html
>>
>> Each repository should end up with a SECURITY.md which in theory should
>> be the same.
>>
>> Gary
>>
>> [1] https://github.com/apache/commons-compress/security
>> [2]
>> https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>>
>>
>


Re: [ALL] Security tab on GitHub

2020-08-22 Thread Gary Gregory
Actually, maybe our build plugin can generate this page like it generates
others like README.md...

Gary

On Sat, Aug 22, 2020 at 9:26 AM Gary Gregory  wrote:

> Hi All,
>
> You may have noticed (or not) that GitHub has a Security [1] tab for our
> repositories. On this tab, you can define a Security Policy [2] in a
> SECURITY.md (just like we have a README.md).
>
> I would like to fill this in with the same text we now have here:
> https://commons.apache.org/security.html
>
> Each repository should end up with a SECURITY.md which in theory should be
> the same.
>
> Gary
>
> [1] https://github.com/apache/commons-compress/security
> [2]
> https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository
>
>


Re: [ALL] Security tab on GitHub

2020-08-22 Thread Melloware

+1 this is a fantastic idea Gary.

On 8/22/2020 9:26 AM, Gary Gregory wrote:

> Hi All,
>
> You may have noticed (or not) that GitHub has a Security [1] tab for our
> repositories. On this tab, you can define a Security Policy [2] in a
> SECURITY.md (just like we have a README.md).
>
> I would like to fill this in with the same text we now have here:
> https://commons.apache.org/security.html
>
> Each repository should end up with a SECURITY.md which in theory should be
> the same.
>
> Gary
>
> [1] https://github.com/apache/commons-compress/security
> [2]
> https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository






[ALL] Security tab on GitHub

2020-08-22 Thread Gary Gregory
Hi All,

You may have noticed (or not) that GitHub has a Security [1] tab for our
repositories. On this tab, you can define a Security Policy [2] in a
SECURITY.md (just like we have a README.md).

I would like to fill this in with the same text we now have here:
https://commons.apache.org/security.html

Each repository should end up with a SECURITY.md which in theory should be
the same.

Gary

[1] https://github.com/apache/commons-compress/security
[2]
https://docs.github.com/en/github/managing-security-vulnerabilities/adding-a-security-policy-to-your-repository


Re: [Compress] Build failure in jenkins and github actions

2020-08-22 Thread Peter Lee

> I think we need a different approach, IMO: We only want to allow the
> Pack200 tests to fail on Java >= 14. For that, please create a Maven
> profile in the POM that excludes those tests on Java >= 14. This will allow
> us all to detect problems in all the other tests.
>

+1
I have pushed a PR on github about this:
https://github.com/apache/commons-compress/pull/129 
cheers,
Lee

On 8 21 2020, at 10:18 , Gary Gregory  wrote:
> On Thu, Aug 20, 2020 at 7:57 AM Peter Lee  wrote:
>
> > Hi all,
> >
> > The builds in jenkins and github actions are failing.
> > For jenkins, the java7, 14 and 16 builds are failing. As we have moved
> > from JAVA 7 to 8, maybe we should disable java 7 build in jenkins? Besides
> > the java 14 and 16 are also failing, and we can have some "allow failure"
> > config on them.
> > For github actions, the java 14 and 15 builds are failing. We can easily
> > make java 14 build a part of experimental build to have it
> > continue-on-error.
> > What do you think?
> >
>
> I think we need a different approach, IMO: We only want to allow the
> Pack200 tests to fail on Java >= 14. For that, please create a Maven
> profile in the POM that excludes those tests on Java >= 14. This will allow
> us all to detect problems in all the other tests.
>
> Thoughts?
> Gary
>
> > cheers,
> > Lee
> >
>