Re: OFBiz releases EOL (End Of Life) announcement [was Re: [ofbiz-site] branch master updated: More information about security and EOL (End Of Life)]

2022-01-04 Thread Michael Brohl

+1

with a few additions: I think that the project should have a planned 
roadmap with more or less fixed release dates/cycles and a clear 
pre-planned EOL plan.


We should also specify what EOL means for us and if there is a step 
between. I think of making bugfixes/backports during main support and 
only doing security fixes in a phase after that. EOL would then mean 
ultimately no fixes at all.


For new release branches, we should also TRY to plan which features, big 
changes or deprecations we want to put in and work towards those goals 
(thinking about major framework changes etc. as we started to discuss 
recently).


We should also think about another release number scheme. The inclusion 
of the year/month the branch was created makes the first stable release 
look outdated as we normally have a stabilization time of 2-3 years 
(which we also could change). Maybe that's a discussion for past-22.x


Thanks,

Michael Brohl

ecomify GmbH - www.ecomify.de


On 04.01.22 at 16:04, Jacques Le Roux wrote:

Hi All,

I'd like to discuss about OFBiz releases EOL (End Of Life) announcement.

For instance R17.12 is EOL with 17.12.08. I suggest to make it clear 
on site (if that's not already enough, eg*), to send an email to user 
ML and maybe talk about it in social-media and the blog.


Maybe we could also have a special site page for EOL dates and version 
of our releases? And some words in 
https://ofbiz.apache.org/security.html...


* https://ofbiz.apache.org/release-notes-17.12.08.html (maybe the de 
facto standard term EOL (End Of Life) is missing?)


Opinions?

Jacques

On 04/01/2022 at 11:52, Jacques Le Roux wrote:

I agree Jacopo,

Will you handle it?

I made those tiny changes after an answer Mark J. Cox made to Mark 
Thomas in a discussion I read on security-disc...@community.apache.org :


   MT:  <>

   MC: >

There are at least 340+ TLPs*. So I guess it becomes worrying for the 
ASF.


I don't think we are concerned by those worries. So was just a small 
effort in this direction.
I think though that we should discuss about how to handle EOL 
announcements.


* 
https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1


Jacques

On 04/01/2022 at 10:45, Jacopo Cappellato wrote:

Thank you Jacques for adding the statement: however I think it is time
to remove the entire section of 17.12.08 since we have enough releases
out of 18.12 already. The release 17.12.08 will always be available in
the archive.

Jacopo




Re: [VOTE] [RESULT] Apache OFBiz 18.12.05 (second attempt)

2022-01-04 Thread Jacopo Cappellato
great, thanks!

Jacopo

On Tue, Jan 4, 2022 at 5:16 PM Jacques Le Roux
 wrote:
>
> It's up to date:
>
> *< uses a global content distribution network (CDN) which collects new
> releases almost as soon as you post them. The files therefore become 
> available for download almost immediately. You probably don't need to wait
> more than fifteen minutes before announcing a release.>>
>
> On 04/01/2022 at 15:56, Jacques Le Roux wrote:
> > I have asked, Greg answered:
> >
> >< >The experiment is related to usage statistics.>>
> >
> > So it's official, it's now 15 mins :) I have tried stats. twice (once in 
> > Nov. one today) it does not work or is really, really, really slow...
> >
> > I have asked on members if we should not update 
> > https://infra.apache.org/release-publishing.html#faqs
> >
> > Jacques
> >
> > On 04/01/2022 at 12:29, Jacopo Cappellato wrote:
> >> Thank you Jacques, it is indeed good news.
> >> However, I think we should stick to the current workflow, at least
> >> until the Infra updates their recommendations here:
> >>
> >> https://infra.apache.org/release-publishing.html#faqs
> >>
> >> Thanks,
> >>
> >> Jacopo
> >>
> >>
> >> On Tue, Jan 4, 2022 at 12:16 PM Jacques Le Roux
> >>   wrote:
> >>> Hi Jacopo,
> >>>
> >>> 2 months ago the ASF moved from a mirrors architecture to a CDNs 
> >>> architecture.
> >>>
> >>> It's described 
> >>> at https://fossforce.com/2021/10/apache-foundation-moves-from-mirrors-to-a-cdn-to-distribute-software/
> >>>
> >>> In the related members thread* (only accessible to ASF members) Daniel 
> >>> Gruno said**:
> >>>
> >>>  < >>> commit to svn.>>
> >>>
> >>> I guess it's the same for Git.
> >>>
> >>> *https://lists.apache.org/thread/4k6t1702xtctylozt9jzhtq6nqgvs2p2
> >>> **https://lists.apache.org/thread/gfoprg8215sdpx8kwjcpv0z74lfyvmq5
> >>>
> >>> Sounds like a nice change, hopefully it will stay.
> >>>
> >>> Jacques
> >>>
> >>> On 03/01/2022 at 09:47, Jacopo Cappellato wrote:
> >>>> Thank you, the vote is successful (3 binding votes).
> >>>>
> >>>> I am going to publish the release, wait 24 hours to let the release files
> >>>> propagate through the download mirror network and finally announce the
> >>>> release and update our site.
> >>>>
> >>>> Jacopo
> >>>>
> >>>> On Sun, Jan 2, 2022 at 12:29 PM Jacopo Cappellato <
> >>>> jacopo.cappell...@gmail.com> wrote:
> >>>>
> >>>>> This is the second vote thread to release a new bug fix release for the
> >>>>> release18.12 branch. This new release, "Apache OFBiz 18.12.05"
> >>>>> supersedes all the previous releases from the same branch.
> >>>>>
> >>>>> The release files can be downloaded from here:
> >>>>> https://dist.apache.org/repos/dist/dev/ofbiz/
> >>>>>
> >>>>> and are:
> >>>>> * apache-ofbiz-18.12.05.zip
> >>>>> * KEYS: text file with keys
> >>>>> * apache-ofbiz-18.12.05.zip.asc: the detached signature file
> >>>>> * apache-ofbiz-18.12.05.zip.sha512: checksum file
> >>>>>
> >>>>> Please download and test the zip file and its signatures (for
> >>>>> instructions on testing the signatures see [*]).
> >>>>>
> >>>>> Vote:
> >>>>>
> >>>>> [ +1] release as Apache OFBiz 18.12.05
> >>>>> [ -1] do not release
> >>>>>
> >>>>> For more details about this process please read [**].
> >>>>> [*]
> >>>>> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Votingonarelease
> >>>>> [**]http://www.apache.org/foundation/voting.html
> >>>>>


Re: [VOTE] [RESULT] Apache OFBiz 18.12.05 (second attempt)

2022-01-04 Thread Jacques Le Roux

It's up to date:

   *<>

On 04/01/2022 at 15:56, Jacques Le Roux wrote:

I have asked, Greg answered:

   <>

So it's official, it's now 15 mins :) I have tried stats. twice (once in Nov. 
one today) it does not work or is really, really, really slow...

I have asked on members if we should not update 
https://infra.apache.org/release-publishing.html#faqs

Jacques

On 04/01/2022 at 12:29, Jacopo Cappellato wrote:

Thank you Jacques, it is indeed good news.
However, I think we should stick to the current workflow, at least
until the Infra updates their recommendations here:

https://infra.apache.org/release-publishing.html#faqs

Thanks,

Jacopo


On Tue, Jan 4, 2022 at 12:16 PM Jacques Le Roux
  wrote:

Hi Jacopo,

2 months ago the ASF moved from a mirrors architecture to a CDNs architecture.

It's described 
at https://fossforce.com/2021/10/apache-foundation-moves-from-mirrors-to-a-cdn-to-distribute-software/

In the related members thread* (only accessible to ASF members) Daniel Gruno 
said**:

 <>

I guess it's the same for Git.

*https://lists.apache.org/thread/4k6t1702xtctylozt9jzhtq6nqgvs2p2
**https://lists.apache.org/thread/gfoprg8215sdpx8kwjcpv0z74lfyvmq5

Sounds like a nice change, hopefully it will stay.

Jacques

On 03/01/2022 at 09:47, Jacopo Cappellato wrote:

Thank you, the vote is successful (3 binding votes).

I am going to publish the release, wait 24 hours to let the release files
propagate through the download mirror network and finally announce the
release and update our site.

Jacopo

On Sun, Jan 2, 2022 at 12:29 PM Jacopo Cappellato <
jacopo.cappell...@gmail.com> wrote:


This is the second vote thread to release a new bug fix release for the
release18.12 branch. This new release, "Apache OFBiz 18.12.05"
supersedes all the previous releases from the same branch.

The release files can be downloaded from here:
https://dist.apache.org/repos/dist/dev/ofbiz/

and are:
* apache-ofbiz-18.12.05.zip
* KEYS: text file with keys
* apache-ofbiz-18.12.05.zip.asc: the detached signature file
* apache-ofbiz-18.12.05.zip.sha512: checksum file

Please download and test the zip file and its signatures (for
instructions on testing the signatures see [*]).

Vote:

[ +1] release as Apache OFBiz 18.12.05
[ -1] do not release

For more details about this process please read [**].
[*]
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Votingonarelease
[**]http://www.apache.org/foundation/voting.html


OFBiz releases EOL (End Of Life) announcement [was Re: [ofbiz-site] branch master updated: More information about security and EOL (End Of Life)]

2022-01-04 Thread Jacques Le Roux

Hi All,

I'd like to discuss about OFBiz releases EOL (End Of Life) announcement.

For instance R17.12 is EOL with 17.12.08. I suggest to make it clear on site (if that's not already enough, eg*), to send an email to user ML and 
maybe talk about it in social-media and the blog.


Maybe we could also have a special site page for EOL dates and version of our 
releases? And some words in https://ofbiz.apache.org/security.html...

* https://ofbiz.apache.org/release-notes-17.12.08.html (maybe the de facto 
standard term EOL (End Of Life) is missing?)

Opinions?

Jacques

On 04/01/2022 at 11:52, Jacques Le Roux wrote:

I agree Jacopo,

Will you handle it?

I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in a 
discussion I read on security-disc...@community.apache.org :

   MT:  <>

   MC: <>

There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.

I don't think we are concerned by those worries. So was just a small effort in 
this direction.
I think though that we should discuss about how to handle EOL announcements.

* 
https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1

Jacques

On 04/01/2022 at 10:45, Jacopo Cappellato wrote:

Thank you Jacques for adding the statement: however I think it is time
to remove the entire section of 17.12.08 since we have enough releases
out of 18.12 already. The release 17.12.08 will always be available in
the archive.

Jacopo




Re: [VOTE] [RESULT] Apache OFBiz 18.12.05 (second attempt)

2022-01-04 Thread Jacques Le Roux

I have asked, Greg answered:

   <>

So it's official, it's now 15 mins :) I have tried stats. twice (once in Nov. 
one today) it does not work or is really, really, really slow...

I have asked on members if we should not update 
https://infra.apache.org/release-publishing.html#faqs

Jacques

On 04/01/2022 at 12:29, Jacopo Cappellato wrote:

Thank you Jacques, it is indeed good news.
However, I think we should stick to the current workflow, at least
until the Infra updates their recommendations here:

https://infra.apache.org/release-publishing.html#faqs

Thanks,

Jacopo


On Tue, Jan 4, 2022 at 12:16 PM Jacques Le Roux
  wrote:

Hi Jacopo,

2 months ago the ASF moved from a mirrors architecture to a CDNs architecture.

It's described 
at https://fossforce.com/2021/10/apache-foundation-moves-from-mirrors-to-a-cdn-to-distribute-software/

In the related members thread* (only accessible to ASF members) Daniel Gruno 
said**:

 <>

I guess it's the same for Git.

*https://lists.apache.org/thread/4k6t1702xtctylozt9jzhtq6nqgvs2p2
**https://lists.apache.org/thread/gfoprg8215sdpx8kwjcpv0z74lfyvmq5

Sounds like a nice change, hopefully it will stay.

Jacques

On 03/01/2022 at 09:47, Jacopo Cappellato wrote:

Thank you, the vote is successful (3 binding votes).

I am going to publish the release, wait 24 hours to let the release files
propagate through the download mirror network and finally announce the
release and update our site.

Jacopo

On Sun, Jan 2, 2022 at 12:29 PM Jacopo Cappellato <
jacopo.cappell...@gmail.com> wrote:


This is the second vote thread to release a new bug fix release for the
release18.12 branch. This new release, "Apache OFBiz 18.12.05"
supersedes all the previous releases from the same branch.

The release files can be downloaded from here:
https://dist.apache.org/repos/dist/dev/ofbiz/

and are:
* apache-ofbiz-18.12.05.zip
* KEYS: text file with keys
* apache-ofbiz-18.12.05.zip.asc: the detached signature file
* apache-ofbiz-18.12.05.zip.sha512: checksum file

Please download and test the zip file and its signatures (for
instructions on testing the signatures see [*]).

Vote:

[ +1] release as Apache OFBiz 18.12.05
[ -1] do not release

For more details about this process please read [**].
[*]
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Votingonarelease
[**]http://www.apache.org/foundation/voting.html


Re: Apache Foundation Moves From Mirrors to a CDN to Distribute Software

2022-01-04 Thread Greg Stein
Jacques: you should never crosspost from a *private* mailing list, to a
public mailing list.

The move to a CDN is done/final.
The experiment is related to usage statistics.

-Greg


On Tue, Jan 4, 2022 at 6:56 AM Jacques Le Roux 
wrote:

> Hi,
>
> Is this still an experiment?
>
> Daniel said
>
> < svn.>>
>
> That's quite a change!
>
> Thanks
>
> Jacques
>
> On 04/11/2021 at 07:47, Greg Stein wrote:
>
> On Wed, Nov 3, 2021 at 5:43 AM Roman Shaposhnik 
> wrote:
>
>> On Tue, Oct 26, 2021 at 11:51 PM Daniel Gruno 
>> wrote:
>> >
>> > On 26/10/2021 20.54, Jarek Potiuk wrote:
>> > > Also interested :). I think it would be great to have a way to access
>> > > the stats for all projects (even publicly).
>> >
>> > We have a very simple private service at:
>> > https://logging1-he-de.apache.org/stats/  (requires ASF auth)
>>
>> This is pretty awesome! Gotta ask: what are the plans to actively make
>> this known to the project PMCs? I am sure every single one of them
>> will be very curious to dig into this.
>>
>
> No plans at all. It is simply an experiment.
>
> Cheers,
> Greg
> InfraAdmin, ASF
>
>
>


Re: Apache Foundation Moves From Mirrors to a CDN to Distribute Software

2022-01-04 Thread Jacques Le Roux

Hi,

Is this still an experiment?

Daniel said

   <>

That's quite a change!

Thanks

Jacques

On 04/11/2021 at 07:47, Greg Stein wrote:

On Wed, Nov 3, 2021 at 5:43 AM Roman Shaposhnik  wrote:

On Tue, Oct 26, 2021 at 11:51 PM Daniel Gruno  wrote:
>
> On 26/10/2021 20.54, Jarek Potiuk wrote:
> > Also interested :). I think it would be great to have a way to access
> > the stats for all projects (even publicly).
>
> We have a very simple private service at:
> https://logging1-he-de.apache.org/stats/ (requires ASF auth)

This is pretty awesome! Gotta ask: what are the plans to actively make
this known to the project PMCs? I am sure every single one of them
will be very curious to dig into this.


No plans at all. It is simply an experiment.

Cheers,
Greg
InfraAdmin, ASF


Re: [ofbiz-site] branch master updated: More information about security and EOL (End Of Life)

2022-01-04 Thread Jacopo Cappellato
Thank you Jacques,

I have now published the change.

Jacopo


On Tue, Jan 4, 2022 at 11:53 AM Jacques Le Roux
 wrote:
>
> I agree Jacopo,
>
> Will you handle it?
>
> I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in 
> a discussion I read on security-disc...@community.apache.org :
>
> MT:  < regularly really are healthy. Could they realistically respond to a
> security vulnerability in a reasonable time frame? If not, we need to
> move them to the attic.>>
>
> MC: < users so
> they know the status of what they're using.  There are quite a number of
> examples where a project has responded to a vulnerability reporter that
> some version is EOL but it's not been clear enough on their pages, nor any
> real announcement ever having been made.  We need a consistent policy on
> what to do about vulnerabilities that come up in EOL versions, and when to
> allocate them CVE names ("there's an unfixed issue in X") in order to help
> users with scanning tools also notice when they're using out of date and
> now insecure projects.>>
>
> There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.
>
> I don't think we are concerned by those worries. So was just a small effort 
> in this direction.
> I think though that we should discuss about how to handle EOL announcements.
>
> * 
> https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1
>
> Jacques
>
> On 04/01/2022 at 10:45, Jacopo Cappellato wrote:
> > Thank you Jacques for adding the statement: however I think it is time
> > to remove the entire section of 17.12.08 since we have enough releases
> > out of 18.12 already. The release 17.12.08 will always be available in
> > the archive.
> >
> > Jacopo


Re: [VOTE] [RESULT] Apache OFBiz 18.12.05 (second attempt)

2022-01-04 Thread Jacopo Cappellato
Thank you Jacques, it is indeed good news.
However, I think we should stick to the current workflow, at least
until the Infra updates their recommendations here:

https://infra.apache.org/release-publishing.html#faqs

Thanks,

Jacopo


On Tue, Jan 4, 2022 at 12:16 PM Jacques Le Roux
 wrote:
>
> Hi Jacopo,
>
> 2 months ago the ASF moved from a mirrors architecture to a CDNs architecture.
>
> It's described at 
> https://fossforce.com/2021/10/apache-foundation-moves-from-mirrors-to-a-cdn-to-distribute-software/
>
> In the related members thread* (only accessible to ASF members) Daniel Gruno 
> said**:
>
> < to svn.>>
>
> I guess it's the same for Git.
>
> * https://lists.apache.org/thread/4k6t1702xtctylozt9jzhtq6nqgvs2p2
> ** https://lists.apache.org/thread/gfoprg8215sdpx8kwjcpv0z74lfyvmq5
>
> Sounds like a nice change, hopefully it will stay.
>
> Jacques
>
> On 03/01/2022 at 09:47, Jacopo Cappellato wrote:
> > Thank you, the vote is successful (3 binding votes).
> >
> > I am going to publish the release, wait 24 hours to let the release files
> > propagate through the download mirror network and finally announce the
> > release and update our site.
> >
> > Jacopo
> >
> > On Sun, Jan 2, 2022 at 12:29 PM Jacopo Cappellato <
> > jacopo.cappell...@gmail.com> wrote:
> >
> >> This is the second vote thread to release a new bug fix release for the
> >> release18.12 branch. This new release, "Apache OFBiz 18.12.05"
> >> supersedes all the previous releases from the same branch.
> >>
> >> The release files can be downloaded from here:
> >> https://dist.apache.org/repos/dist/dev/ofbiz/
> >>
> >> and are:
> >> * apache-ofbiz-18.12.05.zip
> >> * KEYS: text file with keys
> >> * apache-ofbiz-18.12.05.zip.asc: the detached signature file
> >> * apache-ofbiz-18.12.05.zip.sha512: checksum file
> >>
> >> Please download and test the zip file and its signatures (for
> >> instructions on testing the signatures see [*]).
> >>
> >> Vote:
> >>
> >> [ +1] release as Apache OFBiz 18.12.05
> >> [ -1] do not release
> >>
> >> For more details about this process please read [**].
> >> [*]
> >> https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Votingonarelease
> >> [**]http://www.apache.org/foundation/voting.html
> >>


Re: [VOTE] [RESULT] Apache OFBiz 18.12.05 (second attempt)

2022-01-04 Thread Jacques Le Roux

Hi Jacopo,

2 months ago the ASF moved from a mirrors architecture to a CDNs architecture.

It's described at 
https://fossforce.com/2021/10/apache-foundation-moves-from-mirrors-to-a-cdn-to-distribute-software/

In the related members thread* (only accessible to ASF members) Daniel Gruno 
said**:

   <>

I guess it's the same for Git.

* https://lists.apache.org/thread/4k6t1702xtctylozt9jzhtq6nqgvs2p2
** https://lists.apache.org/thread/gfoprg8215sdpx8kwjcpv0z74lfyvmq5

Sounds like a nice change, hopefully it will stay.

Jacques

On 03/01/2022 at 09:47, Jacopo Cappellato wrote:

Thank you, the vote is successful (3 binding votes).

I am going to publish the release, wait 24 hours to let the release files
propagate through the download mirror network and finally announce the
release and update our site.

Jacopo

On Sun, Jan 2, 2022 at 12:29 PM Jacopo Cappellato <
jacopo.cappell...@gmail.com> wrote:


This is the second vote thread to release a new bug fix release for the
release18.12 branch. This new release, "Apache OFBiz 18.12.05"
supersedes all the previous releases from the same branch.

The release files can be downloaded from here:
https://dist.apache.org/repos/dist/dev/ofbiz/

and are:
* apache-ofbiz-18.12.05.zip
* KEYS: text file with keys
* apache-ofbiz-18.12.05.zip.asc: the detached signature file
* apache-ofbiz-18.12.05.zip.sha512: checksum file

Please download and test the zip file and its signatures (for
instructions on testing the signatures see [*]).

Vote:

[ +1] release as Apache OFBiz 18.12.05
[ -1] do not release

For more details about this process please read [**].
[*]
https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz#ReleaseManagementGuideforOFBiz-Votingonarelease
[**]http://www.apache.org/foundation/voting.html


Re: [ofbiz-site] branch master updated: More information about security and EOL (End Of Life)

2022-01-04 Thread Jacques Le Roux

I agree Jacopo,

Will you handle it?

I made those tiny changes after an answer Mark J. Cox made to Mark Thomas in a 
discussion I read on security-disc...@community.apache.org :

   MT:  <>

   MC: <>

There are at least 340+ TLPs*. So I guess it becomes worrying for the ASF.

I don't think we are concerned by those worries. So was just a small effort in 
this direction.
I think though that we should discuss about how to handle EOL announcements.

* 
https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1

Jacques

On 04/01/2022 at 10:45, Jacopo Cappellato wrote:

Thank you Jacques for adding the statement: however I think it is time
to remove the entire section of 17.12.08 since we have enough releases
out of 18.12 already. The release 17.12.08 will always be available in
the archive.

Jacopo

Re: [ofbiz-site] branch master updated: More information about security and EOL (End Of Life)

2022-01-04 Thread Jacopo Cappellato
Thank you Jacques for adding the statement: however I think it is time
to remove the entire section of 17.12.08 since we have enough releases
out of 18.12 already. The release 17.12.08 will always be available in
the archive.

Jacopo

On Sun, Jan 2, 2022 at 6:55 PM  wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch master
> in repository https://gitbox.apache.org/repos/asf/ofbiz-site.git
>
>
> The following commit(s) were added to refs/heads/master by this push:
>  new a69cf9f  More information about security and EOL (End Of Life)
> a69cf9f is described below
>
> commit a69cf9f4cdeb1b23e3b1db30ada47b52aa7f3dd0
> Author: Jacques Le Roux 
> AuthorDate: Sun Jan 2 18:55:24 2022 +0100
>
> More information about security and EOL (End Of Life)
> ---
>  download.html  | 2 +-
>  security.html  | 2 +-
>  template/page/download.tpl.php | 2 +-
>  template/page/security.tpl.php | 2 +-
>  4 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/download.html b/download.html
> index be0b541..51a7d62 100644
> --- a/download.html
> +++ b/download.html
> @@ -198,7 +198,7 @@
>
>  Apache OFBiz 17.12.08
>  
> - Released on August 2021, this is the eighth and final 
> release of the 17.12 series, that has been stabilized since December 2017.
> + Released on August 2021, this is the eighth and final 
> release of the 17.12 series, that has been stabilized since December 2017. 
> That means that the release17.12 branch has reached its End Of Life (EOL) and 
> is no longer supported from a security perspective
>   href="https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-17.12.08.zip; 
> target="external" >Download OFBiz 17.12.08
>   href="https://downloads.apache.org/ofbiz/apache-ofbiz-17.12.08.zip.asc; 
> target="external">[PGP]
>   href="https://downloads.apache.org/ofbiz/apache-ofbiz-17.12.08.zip.sha512; 
> target="external">[SHA512]
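
Review bot: the sentence added on the `+` line stops at "is no longer supported from a security perspective" with no full stop, although the sentence before it ends with one; add the period. The unchanged context right below still offers "Download OFBiz 17.12.08" with no pointer to a supported release, so the EOL statement would be more useful if it also told readers where to go instead, and "Released on August 2021" would read better as "Released in August 2021".
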
> diff --git a/security.html b/security.html
> index 12efce9..0a05ab9 100644
> --- a/security.html
> +++ b/security.html
> @@ -136,7 +136,7 @@
>  Note that we no longer create CVEs for post-auth attacks done 
> using demo credentials, notably using the admin user.
>   https://s.apache.org/dsj2p;> Rather create 
> bugs reports in our issue tracker (Jira) for that.
>
> -The main reason why we no longer create CVEs for post-auth 
> attacks done using demo credentials is because
> +The main reason we no longer create CVEs for post-auth 
> attacks done using demo credentials is because
>   href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security;>
>  we highly suggest to OFBiz users to not use credentials demo in 
> production
>   and we expect OFBiz users to do so. We also reject post-auth 
> vulnerabilities because we have a solid CSRF defense.
>
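
Review bot: removing "why" on the `+` line still leaves "The main reason ... is because", which states the cause twice; "The main reason we no longer create CVEs ... is that" would finish the cleanup. The unchanged context in the same paragraph has "Rather create bugs reports" and "credentials demo in production", which could be corrected to "bug reports" and "demo credentials" in the same commit.
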
> diff --git a/template/page/download.tpl.php b/template/page/download.tpl.php
> index d4ec4d5..892cc2f 100644
> --- a/template/page/download.tpl.php
> +++ b/template/page/download.tpl.php
> @@ -87,7 +87,7 @@
>
>  Apache OFBiz 17.12.08
>  
> - Released on August 2021, this is the eighth and final 
> release of the 17.12 series, that has been stabilized since December 2017.
> + Released on August 2021, this is the eighth and final 
> release of the 17.12 series, that has been stabilized since December 2017. 
> That means that the release17.12 branch has reached its End Of Life (EOL) and 
> is no longer supported from a security perspective
>   href="https://www.apache.org/dyn/closer.lua/ofbiz/apache-ofbiz-17.12.08.zip; 
> target="external" >Download OFBiz 17.12.08
>   href="https://downloads.apache.org/ofbiz/apache-ofbiz-17.12.08.zip.asc; 
> target="external">[PGP]
>   href="https://downloads.apache.org/ofbiz/apache-ofbiz-17.12.08.zip.sha512; 
> target="external">[SHA512]
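
Review bot: the `+` line repeats the download.html sentence word for word, so both copies have to be edited by hand whenever the EOL wording changes; if download.html is produced from this template, changing only the template and regenerating would avoid drift. The phrase "no longer supported from a security perspective" also leaves open whether non-security fixes continue, so stating explicitly what, if anything, is still maintained on release17.12 would remove the doubt.
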
> diff --git a/template/page/security.tpl.php b/template/page/security.tpl.php
> index 532a9f7..c6ee66a 100644
> --- a/template/page/security.tpl.php
> +++ b/template/page/security.tpl.php
> @@ -25,7 +25,7 @@
>  Note that we no longer create CVEs for post-auth attacks done 
> using demo credentials, notably using the admin user.
>   https://s.apache.org/dsj2p;> Rather create 
> bugs reports in our issue tracker (Jira) for that.
>
> -The main reason why we no longer create CVEs for post-auth 
> attacks done using demo credentials is because
> +The main reason we no longer create CVEs for post-auth 
> attacks done using demo credentials is because
>   href="https://ci.apache.org/projects/ofbiz/site/trunk/readme/html5/README.html#security;>
>  we highly suggest to OFBiz users to not use credentials demo in 
> production
>   and we expect 
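
Review bot: the `+` line keeps "The main reason ... is because" after dropping "why"; use "is that" here as well so the template and security.html stay identical. The context line "we highly suggest to OFBiz users to not use credentials demo in production" has the word order reversed compared with "demo credentials" on the `+` line and should be aligned with it.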

[ANNOUNCE] Apache OFBiz 18.12.05 released

2022-01-04 Thread Jacopo Cappellato
The Apache OFBiz community is pleased to announce the new release "Apache
OFBiz 18.12.05".

Apache OFBiz® is an open source product for the automation of enterprise
processes that includes framework components and business applications.

http://ofbiz.apache.org/

"Apache OFBiz 18.12.05" is the fifth release of the 18.12 series.

For details of the changes introduced with this new version
please refer to http://ofbiz.apache.org/release-notes-18.12.05.html

The history of security related fixes included in each release is
available here:
https://ofbiz.apache.org/security.html

The release files can be downloaded following the instructions in the OFBiz
download page:

http://ofbiz.apache.org/download.html
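
The vote e-mail quoted in this archive lists four release files (the zip, KEYS, the detached .asc signature and the .sha512 checksum) and asks voters to test them. As an added example that is not part of any message here or of the OFBiz project's own tooling, this script checks a downloaded archive against both; the function names and the accepted .sha512 layouts are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not taken from the thread. File names follow the vote e-mail.
# The layout of the .sha512 file is an assumption, so three common layouts
# are accepted: "<hex>  <name>" (sha512sum), "SHA512 (<name>) = <hex>"
# (BSD/OpenSSL style) and "<name>: HEX HEX ..." (gpg --print-md SHA512).

# Print the SHA-512 digest of a file as lowercase hex.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Print the digest recorded in a checksum file; non-zero status if none.
# Lines that do not already start with a digest lose their "name:" or
# "SHA512 (name) =" prefix, then blanks and newlines between hex groups go.
expected_sha512() {
    tr -d '\r' <"$1" | tr 'A-F' 'a-f' |
        sed -E '/^[0-9a-f]{128}/!s/^[^:=]*[:=]//' |
        tr -d ' \t\n' | grep -oE '^[0-9a-f]{128}'
}

# Succeed only if the archive ($1) hashes to the digest in the checksum file ($2).
verify_sha512() {
    local want got
    want=$(expected_sha512 "$2") || { echo "no SHA-512 in $2" >&2; return 2; }
    got=$(sha512_of "$1")
    [ "$want" = "$got" ]
}

# Check the detached signature ($2) of the archive ($1) against keys imported
# from the KEYS file ($3) only, in a throwaway keyring, so the user's own
# keyring cannot influence the result. A good signature proves the archive
# matches a key in KEYS; whether KEYS itself is genuine still has to be
# established separately.
verify_signature() {
    local home rc
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$3" 2>/dev/null &&
        gpg --homedir "$home" --batch --verify "$2" "$1"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Run both checks on <zip>, expecting <zip>.sha512, <zip>.asc and KEYS
# in the same directory.
verify_release() {
    local zip=$1 dir
    dir=$(dirname "$zip")
    verify_sha512 "$zip" "$zip.sha512" ||
        { echo "checksum FAILED: $zip" >&2; return 1; }
    verify_signature "$zip" "$zip.asc" "$dir/KEYS" ||
        { echo "signature FAILED: $zip" >&2; return 1; }
    echo "checksum and signature OK: $zip"
}

# Usage: bash verify-release.sh apache-ofbiz-18.12.05.zip
if [ "$#" -gt 0 ]; then
    verify_release "$1"
fi
```

The checksum only detects a corrupted or altered download; the signature check is what ties the archive to a release manager's key.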