Re: Returned post for annou...@apache.org

2021-02-10 Thread Stefan Sperling
On Wed, Feb 10, 2021 at 11:03:39PM -0500, Nathan Hartman wrote:
> On Wed, Feb 10, 2021 at 7:51 PM Private List Moderation <
> mod-priv...@gsuite.cloud.apache.org> wrote:
> > When I checked the download page, there were no links for versions 1.10.7
> > or 1.14.1.
> > i.e. the 2 announce mails were telling people to download versions that
> > were not on the download page.
> >
> > As such, I felt I had to reject the announce email.
> >
> > It looks as though the page has since been updated.
> >
> 
> 
> That was a race condition.

Worse, it's a chicken-and-egg problem which is documented here:
http://subversion.apache.org/docs/community-guide/releasing.html#releasing-release
"""
NOTE: We announce the release before updating the website since the
website update links to the release announcement sent to the announce@
mailing list.
"""

Notwithstanding that, yes, I did actually forget to update the download
page immediately after posting the announcements. dsahlberg kindly reminded
me of this. I still don't see how this is a reason for blocking a legitimate
release announcement. Instead of rejecting the announcement outright you could
have mailed us on dev@ with a question like "This looks incomplete. Are you
sure you want to post this announcement?". That would have been helpful, but
moderation rejection is not helpful.

Not everyone relies on the download pages to find our releases.
At the moment I sent the announcement at least one distribution (Suse Linux)
already had RPMs with the security fix ready to go because we had sent security
pre-notifications in private about a week earlier.

Cheers,
Stefan


Re: Returned post for annou...@apache.org

2021-02-10 Thread Branko Čibej

On 11.02.2021 01:51, Private List Moderation wrote:
> On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann wrote:
>> How can a link be more important than an announcement for a fix of an
>> *unauthenticated* remote DoS ?
>
> When I checked the download page, there were no links for versions
> 1.10.7 or 1.14.1.
> i.e. the 2 announce mails were telling people to download versions
> that were not on the download page.
>
> As such, I felt I had to reject the announce email.


You know very well that the proper escalation path is to notify dev@, in 
a separate mail, about the omission. Just like any other bug report.


As Stefan already said, the purpose of moderation is to prevent spam, 
not to meddle in the PMC's business. And certainly not to anonymously 
enforce your conception of policy, without discussion. Blocking the 
announcement of a remote-DOS fix on a trivial technicality is way 
outside a moderator's writ.


-- Brane



Re: Returned post for annou...@apache.org

2021-02-10 Thread Nathan Hartman
On Wed, Feb 10, 2021 at 7:51 PM Private List Moderation <
mod-priv...@gsuite.cloud.apache.org> wrote:

> On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann  wrote:
>
>> How can a link be more important than an announcement for a fix of an
>> *unauthenticated* remote DoS ?
>>
>>
> When I checked the download page, there were no links for versions 1.10.7
> or 1.14.1.
> i.e. the 2 announce mails were telling people to download versions that
> were not on the download page.
>
> As such, I felt I had to reject the announce email.
>
> It looks as though the page has since been updated.
>


That was a race condition.

As the issue is fixed, would you please allow the message through now? Do
we need to re-send it?

Thank you,
Nathan Hartman
V.P., Subversion


Re: Returned post for annou...@apache.org

2021-02-10 Thread Private List Moderation
On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann  wrote:

> How can a link be more important than an announcement for a fix of an
> *unauthenticated* remote DoS ?
>
>
When I checked the download page, there were no links for versions 1.10.7
or 1.14.1.
i.e. the 2 announce mails were telling people to download versions that
were not on the download page.

As such, I felt I had to reject the announce email.

It looks as though the page has since been updated.

> Same for the KEYS file???
>
I never said that was equally important.

> Don't you think that's way out of proportion?
>

> Erik.
>
> On Wed, Feb 10, 2021 at 4:50 PM Private List Moderation
>  wrote:
> >
> > I don't see how the missing links can be regarded as trivial.
> > This obviously needs to be fixed before the announce can be accepted.
> >
> > At the same time, I asked for the KEYS file link to be standardised.
> > There is already a KEYS file at the standard location - why not link to
> that instead?
> >
> >
> > On Wed, 10 Feb 2021 at 15:35, Stefan Sperling  wrote:
> >>
> >> Sebb, blocking our release announcements over trivialities like this
> >> really is not a nice thing to do. Last time it happened in May 2020.
> >> It was already discussed back then and raised with the announce@
> >> moderation team.
> >>
> >> The Subversion PMC came to the conclusion that our handling of
> >> the KEYS files is adequate for our purposes:
> >> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
> >>
> >> Please raise the issue on our dev@subversion.a.o list if it bothers
> you.
> >> The moderation mechanism is supposed to prevent spam. Using it to
> enforce
> >> release workflow policies amounts to misuse of your moderation
> privileges.
> >>
> >> Regards,
> >> Stefan
> >>
> >> On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org
> wrote:
> >> >
> >> > Hi! This is the ezmlm program. I'm managing the
> >> > annou...@apache.org mailing list.
> >> >
> >> > I'm working for my owner, who can be reached
> >> > at announce-ow...@apache.org.
> >> >
> >> > I'm sorry, your message (enclosed) was not accepted by the moderator.
> >> > If the moderator has made any comments, they are shown below.
> >> >
> >> > >  >
> >> > Sorry, but the announce cannot be accepted.
> >> > The linked download page does not contain links for the version in the
> >> > email.
> >> >
> >> > Also, the standard name for the KEYS file is KEYS - no prefix, no
> suffix.
> >> > Please correct the download page, check it, and submit a corrected
> announce
> >> > mail.
> >> >
> >> > Thanks,
> >> > Sebb.
> >> > <  <
> >> >
> >>
> >> > Date: Wed, 10 Feb 2021 14:37:00 +0100
> >> > From: Stefan Sperling 
> >> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> >> >  dev@subversion.apache.org, annou...@apache.org
> >> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
> >> >  bugt...@securityfocus.com
> >> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> >> > Message-ID: 
> >> > Reply-To: us...@subversion.apache.org
> >> > Content-Type: text/plain; charset=utf-8
> >> >
> >> > I'm happy to announce the release of Apache Subversion 1.10.7.
> >> > Please choose the mirror closest to you by visiting:
> >> >
> >> > https://subversion.apache.org/download.cgi#supported-releases
> >> >
> >> > This is a stable bugfix and security release of the Apache Subversion
> >> > open source version control system.
> >> >
> >> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> >> >
> >> >   CVE-2020-17525
> >> >   "Remote unauthenticated denial-of-service in Subversion
> mod_authz_svn"
> >> >
> >> > The full security advisory for CVE-2020-17525 is available at:
> >> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> >> >
> >> > A brief summary of this advisory follows:
> >> >
> >> >   Subversion's mod_authz_svn module will crash if the server is using
> >> >   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
> >> >   option and a client sends a request for a non-existing repository
> URL.
> >> >
> >> >   This can lead to disruption for users of the service.
> >> >
> >> >   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
> >> >   of the Subversion mod_dav_svn server.
> >> >
> >> >   As a workaround, the use of in-repository authz rules files with
> >> >   the AuthzSVNReposRelativeAccessFile can be avoided by switching
> >> >   to an alternative configuration which fetches an authz rules file
> >> >   from the server's filesystem, rather than from an SVN repository.
> >> >
> >> >   This issue was reported by Thomas Åkesson.
> >> >
> >> > SHA-512 checksums are available at:
> >> >
> >> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
> >> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
> >> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
> >> >
> >> > PGP Signatures are available 

Re: Returned post for annou...@apache.org

2021-02-10 Thread Erik Huelsmann
How can a link be more important than an announcement for a fix of an
*unauthenticated* remote DoS ?

Same for the KEYS file???

Don't you think that's way out of proportion?


Erik.

On Wed, Feb 10, 2021 at 4:50 PM Private List Moderation
 wrote:
>
> I don't see how the missing links can be regarded as trivial.
> This obviously needs to be fixed before the announce can be accepted.
>
> At the same time, I asked for the KEYS file link to be standardised.
> There is already a KEYS file at the standard location - why not link to that 
> instead?
>
>
> On Wed, 10 Feb 2021 at 15:35, Stefan Sperling  wrote:
>>
>> Sebb, blocking our release announcements over trivialities like this
>> really is not a nice thing to do. Last time it happened in May 2020.
>> It was already discussed back then and raised with the announce@
>> moderation team.
>>
>> The Subversion PMC came to the conclusion that our handling of
>> the KEYS files is adequate for our purposes:
>> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
>>
>> Please raise the issue on our dev@subversion.a.o list if it bothers you.
>> The moderation mechanism is supposed to prevent spam. Using it to enforce
>> release workflow policies amounts to misuse of your moderation privileges.
>>
>> Regards,
>> Stefan
>>
>> On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org wrote:
>> >
>> > Hi! This is the ezmlm program. I'm managing the
>> > annou...@apache.org mailing list.
>> >
>> > I'm working for my owner, who can be reached
>> > at announce-ow...@apache.org.
>> >
>> > I'm sorry, your message (enclosed) was not accepted by the moderator.
>> > If the moderator has made any comments, they are shown below.
>> >
>> > >  >
>> > Sorry, but the announce cannot be accepted.
>> > The linked download page does not contain links for the version in the
>> > email.
>> >
>> > Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
>> > Please correct the download page, check it, and submit a corrected announce
>> > mail.
>> >
>> > Thanks,
>> > Sebb.
>> > <  <
>> >
>>
>> > Date: Wed, 10 Feb 2021 14:37:00 +0100
>> > From: Stefan Sperling 
>> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
>> >  dev@subversion.apache.org, annou...@apache.org
>> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
>> >  bugt...@securityfocus.com
>> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
>> > Message-ID: 
>> > Reply-To: us...@subversion.apache.org
>> > Content-Type: text/plain; charset=utf-8
>> >
>> > I'm happy to announce the release of Apache Subversion 1.10.7.
>> > Please choose the mirror closest to you by visiting:
>> >
>> > https://subversion.apache.org/download.cgi#supported-releases
>> >
>> > This is a stable bugfix and security release of the Apache Subversion
>> > open source version control system.
>> >
>> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
>> >
>> >   CVE-2020-17525
>> >   "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
>> >
>> > The full security advisory for CVE-2020-17525 is available at:
>> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
>> >
>> > A brief summary of this advisory follows:
>> >
>> >   Subversion's mod_authz_svn module will crash if the server is using
>> >   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
>> >   option and a client sends a request for a non-existing repository URL.
>> >
>> >   This can lead to disruption for users of the service.
>> >
>> >   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
>> >   of the Subversion mod_dav_svn server.
>> >
>> >   As a workaround, the use of in-repository authz rules files with
>> >   the AuthzSVNReposRelativeAccessFile can be avoided by switching
>> >   to an alternative configuration which fetches an authz rules file
>> >   from the server's filesystem, rather than from an SVN repository.
>> >
>> >   This issue was reported by Thomas Åkesson.
>> >
>> > SHA-512 checksums are available at:
>> >
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
>> >
>> > PGP Signatures are available at:
>> >
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
>> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc
>> >
>> > For this release, the following people have provided PGP signatures:
>> >
>> >Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
>> > 8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
>> >Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
>> > BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
>> >Johan Corveleyn [4096R/B59CE6D6010C8AAD] 

Re: svn commit: r1886389 - in /subversion/site/publish: ./ index.html

2021-02-10 Thread Daniel Sahlberg
On Wed 10 Feb 2021 21:42, Stefan Sperling wrote:

> Indeed. I had missed some of the necessary web site updates, going over the
> release process docs too quickly. I have done the missing updates just now.
> Hopefully everything is now in order.
>

Looks fine to me. Maybe with this the announcement at announce@a.o could go
through?

Thank you for your work to push the release!

/Daniel

>


Re: svn commit: r1886389 - in /subversion/site/publish: ./ index.html

2021-02-10 Thread Stefan Sperling
On Wed, Feb 10, 2021 at 08:30:52PM +0100, Daniel Sahlberg wrote:
> *grabbing a commit in the pile*
> 
> Is it intentional that the download page still links to 1.14.0 (and 1.10.6)?
> 
> (I'm not familiar with the release workflow and I realise this may be a soak
> for all mirrors to pick up the release, just wanted to make sure it has not
> been forgotten).
> 
> Kind regards
> Daniel Sahlberg

Indeed. I had missed some of the necessary web site updates, going over the
release process docs too quickly. I have done the missing updates just now.
Hopefully everything is now in order.

Thank you!
Stefan


Re: svn commit: r1886389 - in /subversion/site/publish: ./ index.html

2021-02-10 Thread Daniel Sahlberg
*grabbing a commit in the pile*

Is it intentional that the download page still links to 1.14.0 (and 1.10.6)?

(I'm not familiar with the release workflow and I realise this may be a soak
for all mirrors to pick up the release, just wanted to make sure it has not
been forgotten).

Kind regards
Daniel Sahlberg


On Wed 10 Feb 2021 at 14:43, wrote:

> Author: stsp
> Date: Wed Feb 10 13:43:32 2021
> New Revision: 1886389
>
> URL: http://svn.apache.org/viewvc?rev=1886389&view=rev
> Log:
> * site/publish: merge from staging area
>
> Modified:
> subversion/site/publish/   (props changed)
> subversion/site/publish/index.html   (contents, props changed)
>
> Propchange: subversion/site/publish/
>
> --
>   Merged /subversion/site/staging:r1886387-1886388
>
> Modified: subversion/site/publish/index.html
> URL:
> http://svn.apache.org/viewvc/subversion/site/publish/index.html?rev=1886389&r1=1886388&r2=1886389&view=diff
>
> ==
> --- subversion/site/publish/index.html (original)
> +++ subversion/site/publish/index.html Wed Feb 10 13:43:32 2021
> @@ -66,6 +66,27 @@
>
>  
>
> +
> +2021-02-10  Apache Subversion Security Advisory
> + +   title="Link to this section">
> +
> +
> +The recent releases of Apache Subversion 1.14.1 and 1.10.7 contain
> + a fix for a security issue:  + href="/security/CVE-2020-17525-advisory.txt">CVE-2020-17525. This
> issue
> + affect Subversion 'mod_dav_svn' servers only. We encourage server
> operators
> + to upgrade to the latest appropriate version as soon as reasonable.
> +
> + Please see the  + href="https://lists.apache.org/list.html?annou...@subversion.apache.org;
> + >release announcements for more information about the releases.
> +
> +To get the latest release from the nearest mirror, please visit our
> + download page.
> +
> + 
> +
>  
>  2021-02-10  Apache Subversion 1.14.1 Released
>   
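Review bot: the new advisory paragraph in this hunk has a subject-verb slip, "This issue affect Subversion 'mod_dav_svn' servers only", which should read "This issue affects Subversion 'mod_dav_svn' servers only"; since this is the published tree merged from staging, fix it in staging and re-merge. The announce-list href in the same paragraph also ends with a stray ';' right after the list address ("list.html?annou...@subversion.apache.org;"), which looks like a markup slip, so check that the rendered link on the published page resolves.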
> Propchange: subversion/site/publish/index.html
>
> --
>   Merged /subversion/site/staging/index.html:r1886387-1886388
>
>
>


Re: Returned post for annou...@apache.org

2021-02-10 Thread Private List Moderation
I don't see how the missing links can be regarded as trivial.
This obviously needs to be fixed before the announce can be accepted.

At the same time, I asked for the KEYS file link to be standardised.
There is already a KEYS file at the standard location - why not link to
that instead?


On Wed, 10 Feb 2021 at 15:35, Stefan Sperling  wrote:

> Sebb, blocking our release announcements over trivialities like this
> really is not a nice thing to do. Last time it happened in May 2020.
> It was already discussed back then and raised with the announce@
> moderation team.
>
> The Subversion PMC came to the conclusion that our handling of
> the KEYS files is adequate for our purposes:
> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
>
> Please raise the issue on our dev@subversion.a.o list if it bothers you.
> The moderation mechanism is supposed to prevent spam. Using it to enforce
> release workflow policies amounts to misuse of your moderation privileges.
>
> Regards,
> Stefan
>
> On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org wrote:
> >
> > Hi! This is the ezmlm program. I'm managing the
> > annou...@apache.org mailing list.
> >
> > I'm working for my owner, who can be reached
> > at announce-ow...@apache.org.
> >
> > I'm sorry, your message (enclosed) was not accepted by the moderator.
> > If the moderator has made any comments, they are shown below.
> >
> > >  >
> > Sorry, but the announce cannot be accepted.
> > The linked download page does not contain links for the version in the
> > email.
> >
> > Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
> > Please correct the download page, check it, and submit a corrected
> announce
> > mail.
> >
> > Thanks,
> > Sebb.
> > <  <
> >
>
> > Date: Wed, 10 Feb 2021 14:37:00 +0100
> > From: Stefan Sperling 
> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> >  dev@subversion.apache.org, annou...@apache.org
> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
> >  bugt...@securityfocus.com
> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> > Message-ID: 
> > Reply-To: us...@subversion.apache.org
> > Content-Type: text/plain; charset=utf-8
> >
> > I'm happy to announce the release of Apache Subversion 1.10.7.
> > Please choose the mirror closest to you by visiting:
> >
> > https://subversion.apache.org/download.cgi#supported-releases
> >
> > This is a stable bugfix and security release of the Apache Subversion
> > open source version control system.
> >
> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> >
> >   CVE-2020-17525
> >   "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
> >
> > The full security advisory for CVE-2020-17525 is available at:
> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> >
> > A brief summary of this advisory follows:
> >
> >   Subversion's mod_authz_svn module will crash if the server is using
> >   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
> >   option and a client sends a request for a non-existing repository URL.
> >
> >   This can lead to disruption for users of the service.
> >
> >   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
> >   of the Subversion mod_dav_svn server.
> >
> >   As a workaround, the use of in-repository authz rules files with
> >   the AuthzSVNReposRelativeAccessFile can be avoided by switching
> >   to an alternative configuration which fetches an authz rules file
> >   from the server's filesystem, rather than from an SVN repository.
> >
> >   This issue was reported by Thomas Åkesson.
> >
> > SHA-512 checksums are available at:
> >
> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
> >
> > PGP Signatures are available at:
> >
> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc
> >
> > For this release, the following people have provided PGP signatures:
> >
> >Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> > 8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
> >Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
> > BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
> >Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
> > 8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
> >
> > These public keys are available at:
> >
> > https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS
> >
> > Release notes for the 1.10.x release series may be found at:
> >
> > https://subversion.apache.org/docs/release-notes/1.10.html
> >
> > You can find the list of changes 

Re: Returned post for annou...@apache.org

2021-02-10 Thread Stefan Sperling
Sebb, blocking our release announcements over trivialities like this
really is not a nice thing to do. Last time it happened in May 2020.
It was already discussed back then and raised with the announce@
moderation team.

The Subversion PMC came to the conclusion that our handling of
the KEYS files is adequate for our purposes:
https://svn.haxx.se/dev/archive-2020-05/0156.shtml

Please raise the issue on our dev@subversion.a.o list if it bothers you.
The moderation mechanism is supposed to prevent spam. Using it to enforce
release workflow policies amounts to misuse of your moderation privileges.

Regards,
Stefan

On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org wrote:
> 
> Hi! This is the ezmlm program. I'm managing the
> annou...@apache.org mailing list.
> 
> I'm working for my owner, who can be reached
> at announce-ow...@apache.org.
> 
> I'm sorry, your message (enclosed) was not accepted by the moderator.
> If the moderator has made any comments, they are shown below.
> 
> >  >
> Sorry, but the announce cannot be accepted.
> The linked download page does not contain links for the version in the
> email.
> 
> Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
> Please correct the download page, check it, and submit a corrected announce
> mail.
> 
> Thanks,
> Sebb.
> <  <
> 

> Date: Wed, 10 Feb 2021 14:37:00 +0100
> From: Stefan Sperling 
> To: annou...@subversion.apache.org, us...@subversion.apache.org,
>  dev@subversion.apache.org, annou...@apache.org
> Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
>  bugt...@securityfocus.com
> Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> Message-ID: 
> Reply-To: us...@subversion.apache.org
> Content-Type: text/plain; charset=utf-8
> 
> I'm happy to announce the release of Apache Subversion 1.10.7.
> Please choose the mirror closest to you by visiting:
> 
> https://subversion.apache.org/download.cgi#supported-releases
> 
> This is a stable bugfix and security release of the Apache Subversion
> open source version control system.
> 
> THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> 
>   CVE-2020-17525
>   "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
> 
> The full security advisory for CVE-2020-17525 is available at:
>   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> 
> A brief summary of this advisory follows:
> 
>   Subversion's mod_authz_svn module will crash if the server is using
>   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
>   option and a client sends a request for a non-existing repository URL.
> 
>   This can lead to disruption for users of the service.
> 
>   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
>   of the Subversion mod_dav_svn server.
> 
>   As a workaround, the use of in-repository authz rules files with
>   the AuthzSVNReposRelativeAccessFile can be avoided by switching
>   to an alternative configuration which fetches an authz rules file
>   from the server's filesystem, rather than from an SVN repository.
> 
>   This issue was reported by Thomas Åkesson.
> 
> SHA-512 checksums are available at:
> 
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
> https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
> 
> PGP Signatures are available at:
> 
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
> https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc
> 
> For this release, the following people have provided PGP signatures:
> 
>Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> 8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
>Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
> BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
>Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
> 8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
> 
> These public keys are available at:
> 
> https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS
> 
> Release notes for the 1.10.x release series may be found at:
> 
> https://subversion.apache.org/docs/release-notes/1.10.html
> 
> You can find the list of changes between 1.10.7 and earlier versions at:
> 
> https://svn.apache.org/repos/asf/subversion/tags/1.10.7/CHANGES
> 
> Questions, comments, and bug reports to us...@subversion.apache.org.
> 
> Thanks,
> - The Subversion Team
> 
> --
> To unsubscribe, please see:
> 
> https://subversion.apache.org/mailing-lists.html#unsubscribing
> 



[announce-ow...@apache.org: Returned post for annou...@apache.org]

2021-02-10 Thread Stefan Sperling
Same thing as last time. Shrug.
I suppose next time I will just drop announce@ from Cc...


- Forwarded message from announce-ow...@apache.org -

Date: 10 Feb 2021 15:20:01 -
From: announce-ow...@apache.org
To: s...@apache.org
Subject: Returned post for annou...@apache.org
Message-ID: <1612970401.10142.ez...@apache.org>
Content-Type: multipart/mixed; boundary=ibhjpejjlbghgodohoih
X-Spam-Score: (-7.502) SPF_HELO_PASS,SPF_PASS,USER_IN_DEF_SPF_WL


Hi! This is the ezmlm program. I'm managing the
annou...@apache.org mailing list.

I'm working for my owner, who can be reached
at announce-ow...@apache.org.

I'm sorry, your message (enclosed) was not accepted by the moderator.
If the moderator has made any comments, they are shown below.

>  >
Sorry, but the announce cannot be accepted.
The linked download page does not contain links for the version in the
email.

Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
Please correct the download page, check it, and submit a corrected announce
mail.

Thanks,
Sebb.
<  <


Date: Wed, 10 Feb 2021 14:36:33 +0100
From: Stefan Sperling 
To: annou...@subversion.apache.org, us...@subversion.apache.org,
 dev@subversion.apache.org, annou...@apache.org
Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
 bugt...@securityfocus.com
Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.14.1 released
Message-ID: 
Reply-To: us...@subversion.apache.org
Content-Type: text/plain; charset=utf-8

I'm happy to announce the release of Apache Subversion 1.14.1.
Please choose the mirror closest to you by visiting:

https://subversion.apache.org/download.cgi#recommended-release

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:

  CVE-2020-17525
  "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"

The full security advisory for CVE-2020-17525 is available at:
  https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

A brief summary of this advisory follows:

  Subversion's mod_authz_svn module will crash if the server is using
  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
  option and a client sends a request for a non-existing repository URL.

  This can lead to disruption for users of the service.

  We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
  of the Subversion mod_dav_svn server.

  As a workaround, the use of in-repository authz rules files with
  the AuthzSVNReposRelativeAccessFile can be avoided by switching
  to an alternative configuration which fetches an authz rules file
  from the server's filesystem, rather than from an SVN repository.

  This issue was reported by Thomas Åkesson.

SHA-512 checksums are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.tar.bz2.sha512
https://www.apache.org/dist/subversion/subversion-1.14.1.tar.gz.sha512
https://www.apache.org/dist/subversion/subversion-1.14.1.zip.sha512

PGP Signatures are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.tar.bz2.asc
https://www.apache.org/dist/subversion/subversion-1.14.1.tar.gz.asc
https://www.apache.org/dist/subversion/subversion-1.14.1.zip.asc

For this release, the following people have provided PGP signatures:

   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD

These public keys are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.KEYS

Release notes for the 1.14.x release series may be found at:

https://subversion.apache.org/docs/release-notes/1.14.html

You can find the list of changes between 1.14.1 and earlier versions at:

https://svn.apache.org/repos/asf/subversion/tags/1.14.1/CHANGES

Questions, comments, and bug reports to us...@subversion.apache.org.

Thanks,
- The Subversion Team

--
To unsubscribe, please see:

https://subversion.apache.org/mailing-lists.html#unsubscribing



- End forwarded message -
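The forwarded announcement above publishes a SHA-512 digest, a detached PGP signature and a KEYS file for each artifact. The script below is an added example of my own, not the Subversion project's release tooling, showing how an operator would check a downloaded tarball against them: it parses the .sha512 file whatever its layout (sha512sum's "hex  file" or gpg --print-md's "file: AB12 CD34 ..." form), compares it with a locally computed digest, and, where gpg is present, requires the signature's key fingerprint to be one of the three printed in the announcement rather than merely any key found in KEYS. The function names, the sample file names and the empty demo artifact are constructed for illustration; the fingerprints are the ones the announcement lists.

```shell
#!/bin/sh
# Added example, not Subversion project code: verify a release artifact against
# its published .sha512 file, its detached .asc signature and the signer
# fingerprints printed in the announcement. Assumes the artifact, .sha512 and
# .asc were fetched from the URLs in the announcement and that the KEYS file
# was imported beforehand with "gpg --import subversion-1.14.1.KEYS".

# Fingerprints as printed in the announcement, with display spacing removed.
normalize_fingerprint() { printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'; }
EXPECTED_FINGERPRINTS="$(normalize_fingerprint '8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973') \
$(normalize_fingerprint 'BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F') \
$(normalize_fingerprint '8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD')"

# Pull the 128-hex-digit digest out of a .sha512 file regardless of layout:
# sha512sum's "<hex>  <file>" or gpg --print-md's "<file>: AB12 CD34 ..."
# (upper case, grouped in fours, possibly wrapped across lines).
digest_from_sha512_file() {
    tr -d ' \t\r\n' < "$1" | tr 'A-F' 'a-f' | grep -oE '[0-9a-f]{128}' | head -n 1
}

# Local SHA-512 of a file, using whichever tool the host provides.
local_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the artifact matches the published digest, 1 otherwise.
verify_sha512() {
    _want=$(digest_from_sha512_file "$2")
    _got=$(local_sha512 "$1")
    [ -n "$_want" ] && [ "$_want" = "$_got" ]
}

# Returns 0 if gpg accepts the detached signature AND the signing key's
# fingerprint is one of the announced ones. Importing KEYS alone would make
# any key in that file acceptable; pinning to the announced fingerprints is
# the stronger check. Returns 2 when gpg is not installed.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    _status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    _fpr=$(printf '%s\n' "$_status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }')
    case " $EXPECTED_FINGERPRINTS " in
        *" $_fpr "*) [ -n "$_fpr" ] ;;
        *) return 1 ;;
    esac
}

# Full check for one artifact: verify_release <tarball> <tarball>.sha512 <tarball>.asc
verify_release() {
    verify_sha512 "$1" "$2" || { echo "SHA-512 mismatch for $1" >&2; return 1; }
    verify_signature "$1" "$3" || { echo "signature check failed for $1" >&2; return 1; }
    echo "$1: digest and signature OK"
}

# Stand-alone demo on a constructed empty artifact (not a real release file),
# with its digest written in the gpg --print-md layout.
demo() {
    _d=$(mktemp -d)
    : > "$_d/sample.tar.gz"
    _hex=$(local_sha512 "$_d/sample.tar.gz" | tr 'a-f' 'A-F')
    printf 'sample.tar.gz: %s\n' "$_hex" > "$_d/sample.tar.gz.sha512"
    if verify_sha512 "$_d/sample.tar.gz" "$_d/sample.tar.gz.sha512"; then
        echo "demo: digest matches"
    else
        echo "demo: digest mismatch"
    fi
    rm -rf "$_d"
}
demo
```

For a real download the call is `verify_release subversion-1.14.1.tar.bz2 subversion-1.14.1.tar.bz2.sha512 subversion-1.14.1.tar.bz2.asc` after importing the KEYS file linked in the announcement; a passing digest check alone only proves the tarball matches what the dist server published, which is why the signature and the pinned fingerprint are checked as well.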


Re: svn commit: r45955 - /dev/subversion/ /release/subversion/

2021-02-10 Thread Johan Corveleyn
On Wed, Feb 10, 2021 at 2:23 PM Stefan Sperling  wrote:
>
> On Wed, Feb 10, 2021 at 02:16:31PM +0100, Johan Corveleyn wrote:
> > On Wed, Feb 10, 2021 at 12:27 PM  wrote:
> > >
> > > Author: stsp
> > > Date: Wed Feb 10 11:27:48 2021
> > > New Revision: 45955
> > >
> > > Log:
> > > Publish Subversion-1.14.1.
> >
> > Hi Stefan,
> >
> > Don't we need at least 3 votes? Or did you mean to count also your own
> > (implicit perhaps, as RM), in addition to Brane's and mine? If so, I'm
> > inclined to think that you should also explicitly state your "+1 for
> > release" on the dev@ vote thread (including your test details,
> > platform, etc ... as usual). Otherwise it would be a bit unclear
> > (especially since we rarely counted the RM's vote as an extra release
> > vote, certainly not implicitly).
>
> Yes, I counted my own vote towards the total of 3.
> We need 3 PMC members to bless a release. I can add my votes to the thread.

+1

> I did not want to sit on the security fix any longer.
> The embargo elapsed today and distributions are expecting a fix to show up.

Ack, thanks.

-- 
Johan


[SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released

2021-02-10 Thread Stefan Sperling
I'm happy to announce the release of Apache Subversion 1.10.7.
Please choose the mirror closest to you by visiting:

https://subversion.apache.org/download.cgi#supported-releases

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:

  CVE-2020-17525
  "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"

The full security advisory for CVE-2020-17525 is available at:
  https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

A brief summary of this advisory follows:

  Subversion's mod_authz_svn module will crash if the server is using
  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
  option and a client sends a request for a non-existing repository URL.

  This can lead to disruption for users of the service.

  We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
  of the Subversion mod_dav_svn server.

  As a workaround, the use of in-repository authz rules files with
  the AuthzSVNReposRelativeAccessFile can be avoided by switching
  to an alternative configuration which fetches an authz rules file
  from the server's filesystem, rather than from an SVN repository.

  This issue was reported by Thomas Åkesson.

SHA-512 checksums are available at:

https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512

PGP Signatures are available at:

https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc

For this release, the following people have provided PGP signatures:

   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD

These public keys are available at:

https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS

Release notes for the 1.10.x release series may be found at:

https://subversion.apache.org/docs/release-notes/1.10.html

You can find the list of changes between 1.10.7 and earlier versions at:

https://svn.apache.org/repos/asf/subversion/tags/1.10.7/CHANGES

Questions, comments, and bug reports to us...@subversion.apache.org.

Thanks,
- The Subversion Team

--
To unsubscribe, please see:

https://subversion.apache.org/mailing-lists.html#unsubscribing
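The two httpd configurations the advisory summary contrasts, as an added example that is not from the announcement or the Subversion project's documentation: the affected in-repository authz setup and the filesystem-based workaround. Repository paths, realm name and file locations are constructed, and the `^/` repository-relative form of the AuthzSVNReposRelativeAccessFile argument is assumed from mod_authz_svn's documentation.

```apache
# Alternative A: affected in releases prior to the fixed 1.10.7 / 1.14.1.
# Authz rules are read from a file inside each repository under
# SVNParentPath (^/ is assumed to mean "relative to the repository root").
# Per the advisory, mod_authz_svn crashes when a client requests a
# repository URL that does not exist, so every client can take the
# service down without authenticating (CVE-2020-17525).
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repositories          # constructed path
    AuthType Basic
    AuthName "Subversion repositories"           # constructed realm
    AuthUserFile /etc/httpd/svn.htpasswd         # constructed path
    Require valid-user
    AuthzSVNReposRelativeAccessFile ^/conf/authz  # in-repository rules
</Location>

# Alternative B: the workaround from the advisory until the upgrade lands.
# One rules file is read from the server's filesystem instead of from an
# SVN repository, so no in-repository lookup happens for the requested URL.
# The file must now be maintained outside the repositories (no versioning
# through Subversion itself, so back it up and review changes separately).
<Location /svn>
    DAV svn
    SVNParentPath /srv/svn/repositories          # constructed path
    AuthType Basic
    AuthName "Subversion repositories"           # constructed realm
    AuthUserFile /etc/httpd/svn.htpasswd         # constructed path
    Require valid-user
    AuthzSVNAccessFile /etc/httpd/svn-authz      # filesystem rules file
</Location>
```

Only one of the two blocks belongs in a live configuration; they are shown side by side for comparison.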


[SECURITY][ANNOUNCE] Apache Subversion 1.14.1 released

2021-02-10 Thread Stefan Sperling
I'm happy to announce the release of Apache Subversion 1.14.1.
Please choose the mirror closest to you by visiting:

https://subversion.apache.org/download.cgi#recommended-release

This is a stable bugfix and security release of the Apache Subversion
open source version control system.

THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:

  CVE-2020-17525
  "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"

The full security advisory for CVE-2020-17525 is available at:
  https://subversion.apache.org/security/CVE-2020-17525-advisory.txt

A brief summary of this advisory follows:

  Subversion's mod_authz_svn module will crash if the server is using
  in-repository authz rules with the AuthzSVNReposRelativeAccessFile
  option and a client sends a request for a non-existing repository URL.

  This can lead to disruption for users of the service.

  We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
  of the Subversion mod_dav_svn server.

  As a workaround, the use of in-repository authz rules files with
  the AuthzSVNReposRelativeAccessFile can be avoided by switching
  to an alternative configuration which fetches an authz rules file
  from the server's filesystem, rather than from an SVN repository.

  This issue was reported by Thomas Åkesson.

SHA-512 checksums are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.tar.bz2.sha512
https://www.apache.org/dist/subversion/subversion-1.14.1.tar.gz.sha512
https://www.apache.org/dist/subversion/subversion-1.14.1.zip.sha512

PGP Signatures are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.tar.bz2.asc
https://www.apache.org/dist/subversion/subversion-1.14.1.tar.gz.asc
https://www.apache.org/dist/subversion/subversion-1.14.1.zip.asc

For this release, the following people have provided PGP signatures:

   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
   Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD

These public keys are available at:

https://www.apache.org/dist/subversion/subversion-1.14.1.KEYS

Release notes for the 1.14.x release series may be found at:

https://subversion.apache.org/docs/release-notes/1.14.html

You can find the list of changes between 1.14.1 and earlier versions at:

https://svn.apache.org/repos/asf/subversion/tags/1.14.1/CHANGES

Questions, comments, and bug reports to us...@subversion.apache.org.

Thanks,
- The Subversion Team

--
To unsubscribe, please see:

https://subversion.apache.org/mailing-lists.html#unsubscribing
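The checks a downloader should actually perform with the announcement above: that the tarball matches the published SHA-512 digest, and that the PGP signature was made by one of the three announced keys rather than merely by some key in the local keyring. This is an added example, not code from the Subversion project; the fingerprints are copied from the announcement, the layout of the mirror's `.sha512` files is assumed, and the tarball, checksum text and gpg status output used for the demonstration are constructed.

```python
"""Added example (not Subversion project code): checks for a downloaded
release tarball, by SHA-512 checksum and by the fingerprint of the PGP key
that signed it. Feed signer_announced() the output of
`gpg --status-fd 1 --verify FILE.asc FILE` after importing the KEYS file."""
import hashlib
import hmac
import re

# Fingerprints exactly as listed in the announcement (spaces are formatting).
ANNOUNCED_FINGERPRINTS = {
    "Stefan Sperling": "8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973",
    "Branko Čibej": "BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F",
    "Johan Corveleyn": "8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD",
}

def expected_sha512(text, filename):
    """Digest recorded for filename, or None. Accepts a bare hex digest or the
    'HEXDIGEST  filename' layout of sha512sum (which form the mirror's .sha512
    files use is assumed here; the announcement does not state it)."""
    for line in text.splitlines():
        parts = line.split()
        if parts and re.fullmatch(r"[0-9a-fA-F]{128}", parts[0]):
            if len(parts) == 1 or parts[1].lstrip("*") == filename:
                return parts[0].lower()
    return None

def checksum_ok(data, sha512_text, filename):
    expected = expected_sha512(sha512_text, filename)
    actual = hashlib.sha512(data).hexdigest()
    return expected is not None and hmac.compare_digest(actual, expected)

def signer_announced(gpg_status):
    """Name of the announced signer, or None. gpg emits a VALIDSIG status line
    only for a good signature, with the signing key's full fingerprint as its
    first field. 'Good signature' alone is not enough: any key in the local
    keyring produces one, so the fingerprint is compared to the announced set."""
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            for name, fpr in ANNOUNCED_FINGERPRINTS.items():
                if fpr.replace(" ", "") == parts[2].upper():
                    return name
    return None

# Constructed sample input (not a real tarball, .sha512 file or gpg output).
SAMPLE_TARBALL = b"not a real subversion-1.14.1.tar.bz2"
SAMPLE_SHA512_TEXT = (hashlib.sha512(SAMPLE_TARBALL).hexdigest()
                      + "  subversion-1.14.1.tar.bz2\n")
SAMPLE_GPG_STATUS = (
    "[GNUPG:] GOODSIG 4F7DBAA99A59B973 Stefan Sperling\n"
    "[GNUPG:] VALIDSIG 8BC4DAE0C5A4D65F404401074F7DBAA99A59B973 2021-02-10 0 0 4 0 1 10 00\n"
)
```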


Re: Subversion 1.10.7 up for testing/signing

2021-02-10 Thread Stefan Sperling
On Thu, Feb 04, 2021 at 01:57:16PM +0100, Stefan Sperling wrote:
> The 1.10.7 release artifacts are now available for testing/signing.
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.

Summary: +1 to release

Tested: [bdb | fsfs] x [ra_local | ra_svn | ra_serf]
        swig bindings
        javahl bindings

Test results: All passed.

Platform: OpenBSD 6.8 amd64

Dependencies:
bdb:        4.7.25
GNU-iconv:  1.15
apr:        1.7.0
apr-util:   1.6.1
httpd:      2.4.37
serf:       1.3.9
cyrus-sasl: 2.1.25
sqlite:     3160200
lz4:        1.7.5
libssl:     LibreSSL 3.2.2
swig:       3.0.12
python:     3.7.5
perl:       5.30.3
ruby:       2.4.4
java:       11.0.8

Signatures:

subversion-1.10.7.tar.gz

subversion-1.10.7.tar.bz2


Re: Subversion 1.14.1 up for testing/signing

2021-02-10 Thread Stefan Sperling
On Thu, Feb 04, 2021 at 01:56:21PM +0100, Stefan Sperling wrote:
> The 1.14.1 release artifacts are now available for testing/signing.
> Please get the tarballs from
>   https://dist.apache.org/repos/dist/dev/subversion
> and add your signatures there.
> 
> Thanks!

Summary: +1 to release

Tested: [bdb | fsfs] x [ra_local | ra_svn | ra_serf]
        swig bindings
        javahl bindings

Test results: All passed.

Platform: OpenBSD 6.8 amd64

Dependencies:
bdb:        4.7.25
GNU-iconv:  1.15
apr:        1.7.0
apr-util:   1.6.1
httpd:      2.4.37
serf:       1.3.9
cyrus-sasl: 2.1.25
sqlite:     3160200
lz4:        1.7.5
libssl:     LibreSSL 3.2.2
swig:       3.0.12
python:     3.7.5
perl:       5.30.3
ruby:       2.4.4
java:       11.0.8

Signatures:

subversion-1.14.1.tar.gz

subversion-1.14.1.tar.bz2


Re: Subversion 1.10.7 up for testing/signing

2021-02-10 Thread Branko Čibej

Summary:

+1 to release (Unix)

Verified:

  - Tarball contents and signatures
  - check ((fsfs, bdb) × (local, svnserve, dav))
  - check-swig-py
  - check-swig-pl

Not verified:

  - check-all-javahl (for lack of a compatible JDK)
  - check-swig-rb (for lack of will to fight macOS)

Known issues:

  - 'make check-swig-py' requires 'make install install-swig-py' when
    building with the system-installed Python.
  - 'make check-swig-rb' requires 'make install install-swig-rb' when
    building with the system-installed Ruby.

New issues:

  - Configure thinks the system-installed Ruby is broken and can't create
binaries. This is some kind of weird interaction with Xcode command-line
tools. The hack I used for a previous release doesn't work any more;
hence, did not test the Ruby bindings.

Platform:

macOS Catalina 10.15.7

Standard dependencies:
  Apple clang version 12.0.0 (clang-1200.0.32.29)
  ruby 2.6.3p62 (2019-04-16 revision 67580)
  Cyrus SASL 2.1.26
  Python 2.7.16

Dependencies from Homebrew:
  APR 1.7.0
  APR-Util 1.6.1
  httpd 2.4.46
  SQLite 3.34.0
  Serf 1.3.9
  OpenSSL 1.1.1i
  zlib 1.2.11
  LZ4 1.9.3
  utf8proc 2.6.1
  BDB 18.1.32
  Perl 5.32.1

GPG signatures committed to the dist/dev/subversion repository.