[VOTE][RESULT] Release Apache Commons JEXL 3.3 based on RC2
This VOTE passes with the following binding +1 votes:
- Bruno Kinoshita
- Gary Gregory
- Henri Biestro
[VOTE] Release Apache Commons JEXL 3.3 based on RC2
We have fixed quite a few bugs and added some significant enhancements since Apache Commons JEXL 3.2.1 was released, so I would like to release Apache Commons JEXL 3.3.

Apache Commons JEXL 3.3 RC2 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2 (svn revision 60698)

Only changes since RC1 are 2 fixes for issues discovered during late testing, one regression (JEXL-394) and one reopen (JEXL-393).

The Git tag commons-jexl-3.3-RC2 commit for this RC is 4e91dc63dba73204c8a69295e1ab402c1ab7d3e4 which you can browse here:
https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=4e91dc63dba73204c8a69295e1ab402c1ab7d3e4

You may checkout this tag using:
git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.3-RC2 commons-jexl-3.3-RC2

Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1627/org/apache/commons/commons-jexl3/3.3/

These are the artifacts and their hashes:
#Release SHA-512s
#Fri Mar 17 18:51:22 CET 2023

I have tested this with 'mvn clean install site' using:

Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /Users/henri.biestro/Java/apache-maven-3.8.1
Java version: 1.8.0_345, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
Default locale: en_FR, platform encoding: UTF-8
OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"
on Darwin l-hbiestro.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64

And with:

Apache Maven 3.9.0 (9b58d2bad23a66be161c4664ef21ce219c2c8584)
Maven home: /Users/henri/Java/apache-maven-3.9.0
Java version: 1.8.0_362, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"

and

Apache Maven 3.9.0 (9b58d2bad23a66be161c4664ef21ce219c2c8584)
Maven home: /Users/henri/Java/apache-maven-3.9.0
Java version: 17.0.6, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"
on Darwin hornet.home 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 21 21:18:39 PDT 2022; root:xnu-6153.141.66~1/RELEASE_X86_64 x86_64

Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2/RELEASE-NOTES.txt
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2/site/changes-report.html

Site:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2/site/index.html
(note some *relative* links are broken and the 3.3 directories are not yet created - these will be OK once the site is deployed.)

JApiCmp Report (compared to 3.2.1):
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2/site/japicmp.html

RAT Report:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC2/site/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote. This vote will clo
[VOTE] Release Apache Commons JEXL 3.3 based on RC1
We have fixed quite a few bugs and added some significant enhancements since Apache Commons JEXL 3.2.1 was released, so I would like to release Apache Commons JEXL 3.3.

Apache Commons JEXL 3.3 RC1 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1 (svn revision 60566)

The Git tag commons-jexl-3.3-RC1 commit for this RC is 2eeaad9ce500507130e882a3996b856b41c01785 which you can browse here:
https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=2eeaad9ce500507130e882a3996b856b41c01785

You may checkout this tag using:
git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.3-RC1 commons-jexl-3.3-RC1

Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1626/org/apache/commons/commons-jexl3/3.3/

These are the artifacts and their hashes:
#Release SHA-512s
#Mon Mar 13 16:50:50 CET 2023

I have tested this with ***'mvn clean install site'*** using:

Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /Users/henri.biestro/Java/apache-maven-3.8.1
Java version: 1.8.0_345, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
Default locale: en_FR, platform encoding: UTF-8
OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"
Darwin l-hbiestro.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64

And

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /Users/henri/Java/apache-maven-3.8.6
Java version: 17.0.6, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"
Darwin hornet.home 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 21 21:18:39 PDT 2022; root:xnu-6153.141.66~1/RELEASE_X86_64 x86_64

Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/RELEASE-NOTES.txt
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/changes-report.html

Site:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/index.html
(note some *relative* links are broken and the 3.3 directories are not yet created - these will be OK once the site is deployed.)

*** CLIRR Report (compared to 3.2.1):
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/clirr-report.html ***

JApiCmp Report (compared to 3.2.1):
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/japicmp.html

RAT Report:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote. This vote will close no sooner than 72 hours from now.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thank you,
Henri Biestro, Release Manager (using key 4E066E0459CD109B)

The following is intended as a helper and refresher for reviewers.

Validating a release candidate ==
[ JEXL ] Getting ready to release 3.3
Dear all;

I intend on starting the release of JEXL 3.3 with a landing (ideally) in early March. If you've any feedback on features, bugs, etc, that may impact that release, please reach out now.

Cheers
JEXL Security
Hello Commons;

JEXL-381 is an attempt at making JEXL's default more secure or at least less 'permeable' wrt the application/platform/JVM/file-system/host that runs it. Based on JexlPermissions - a crude security visibility manager -, this restricts the *default* behavior of what is visible to JEXL scripts to the basics (lang, math, text, collection,...). This does prevent a future crude test of some kind leading to a CVE stating that JEXL poses a security risk since it can create processes or read the whole file-system (cf JEXL-223).

I'd like opinions on this idea - assuming it is not a bad one - and how to best expose it. Although JEXL 3.3 is compatible with JEXL 3.2, the runtime behavior might break due to these new default security restrictions. The net-cost is that current users (people actually using JEXL for its intended purpose) will have to actively decide how much permeability they need if they want to upgrade to JEXL 3.3 and retain functionality. They will probably gain at least some insight about their platform/product security. Note that the basic mitigation - being as permeable as JEXL 3.2 - costs only a line of code.

Ideas on how to best warn/expose/explain this to users and any element pertaining to this subject are welcome. :-)

Thanks
Henrib
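
The trade-off described in the message above, as an added example (not code from the post or from the JEXL project): the same scripts are evaluated by an engine built with `JexlPermissions.RESTRICTED` and by one built with `JexlPermissions.UNRESTRICTED`, which is one way to opt back into 3.2-style visibility. It assumes commons-jexl3 3.3 on the classpath; the class name `JexlPermissionsDemo` and the sample scripts are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

public class JexlPermissionsDemo {
    // Constructed sample scripts: two stay within java.lang, one reaches the file system.
    static final String[] SCRIPTS = {
        "'jexl'.toUpperCase()",
        "new('java.lang.StringBuilder', 'ab').reverse().toString()",
        "new('java.io.File', '.').exists()"
    };

    // Strict and non-silent, so a class or method hidden by the permissions
    // surfaces as a JexlException rather than a quiet null.
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)
                .silent(false)
                .create();
    }

    // Evaluates one script and reports whether the engine let it through.
    static String run(JexlEngine jexl, String source) {
        try {
            Object result = jexl.createScript(source).execute(new MapContext());
            return "evaluated -> " + result;
        } catch (JexlException e) {
            return "refused (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);
        JexlEngine unrestricted = engine(JexlPermissions.UNRESTRICTED);
        for (String source : SCRIPTS) {
            System.out.println(source);
            System.out.println("  RESTRICTED:   " + run(restricted, source));
            System.out.println("  UNRESTRICTED: " + run(unrestricted, source));
        }
    }
}
```

Running a representative set of an application's own scripts through both engines before upgrading shows which of them depend on the wider visibility, so the permissions can be widened deliberately rather than wholesale.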