Re: YASJR (Yet Another Struts Justification Request)
Perhaps as a little demonstration that even the Microsoft logo is no guarantee of hack-free code, you can show them that hack in MS Word 97 where the little men run around and the monster eats them. Comes from some key combination when you're showing the about-screen. Unfortunately I can't remember the key combination. Maybe someone else does.

Adam

On 03/04/2000 04:40 AM Andrew Hill wrote:

> snip
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
> /snip
>
> Elementary my dear Watson! As struts is open source you have full access to the code. You can examine it microscopically in minute detail to assure yourself that it is all ok. (And nothing it does is rocket science so don't be shy!)
> Try doing THAT with .net :-P
>
> snip
> What is the process the Struts team uses to control a rogue contributor?
> /snip
>
> I believe they threaten to remove their beer on Friday ;-
>
> -Original Message-
> From: Gregory F. March [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 11 September 2003 04:09
> To: [EMAIL PROTECTED]
> Subject: YASJR (Yet Another Struts Justification Request)
>
> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
>
> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
>
> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?
>
> Thanks,
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

--
struts 1.1 + tomcat 4.1.27 + java 1.4.2
Linux 2.4.20 RH9

Re: YASJR (Yet Another Struts Justification Request)
--- Gregory F. March [EMAIL PROTECTED] wrote:

> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
>
> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
>
> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?

There are rather few committers that can change the code base (roughly 10-15 people). All commits are mailed to struts-dev for the team to review. Even if Struts were secretly hacked, it isn't all that much code to review anyways (about 14,000 lines of non-test/example code).

You could narrow your code review to only the packages you'll actually be using. You will always have access to the source to do security reviews unlike proprietary commercial software :-).

David

> Thanks,
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=- AIM:GfmNet

Re: YASJR (Yet Another Struts Justification Request)
--- David Graham [EMAIL PROTECTED] wrote:

> --- Gregory F. March [EMAIL PROTECTED] wrote:
>
> > I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
> >
> > How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
> >
> > My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
> >
> > At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
> >
> > What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?
>
> There are rather few committers that can change the code base (roughly 10-15 people). All commits are mailed to struts-dev for the team to review. Even if Struts were secretly hacked, it isn't all that much code to review anyways (about 14,000 lines of non-test/example code).

Actually, that line count may be incorrect. I was using an Eclipse plugin for the metrics but the numbers don't seem to add up. The point is that it's a *relatively* small amount of code.

> You could narrow your code review to only the packages you'll actually be using. You will always have access to the source to do security reviews unlike proprietary commercial software :-).
>
> David
>
> > Thanks,
> > /greg
> >
> > --
> > Gregory F. March-=-http://www.gfm.net:81/~march-=- AIM:GfmNet

Re: YASJR (Yet Another Struts Justification Request)
This is almost a Linux vs Windows: which is more secure? The one that has millions of user eyes on the code!

In commercial code, a bomb is very easy and possible. In OS, unlikely.

I would also bet that given any industry (banks for ex), Struts is the most popular in production use. I know a few large banks using Struts; I am sure that they did due process.

But if PHB does not want to use it, they don't want to use it. Maybe sit in a legal review to negotiate a proprietary framework license suits them, with no?? access to source.

.V
- may the source be with you

Gregory F. March wrote:

> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
>
> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
>
> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?
>
> Thanks,
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

[OT] RE: YASJR (Yet Another Struts Justification Request)
Offer them kool aid. It will make them feel better. Write 'Struts Good' in the bottom of the cups though. Now they associate the good taste of kool aid with Struts!

-Tim

-Original Message-
From: Gregory F. March [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: YASJR (Yet Another Struts Justification Request)

I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:

How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?

My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.

At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.

What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?

Thanks,
/greg

--
Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

Re: [OT] RE: YASJR (Yet Another Struts Justification Request)
Unless you get the Kool-aid from Jim Jones; in which case they would associate the taste of Kool-aid with being dead. ;-)

RE: YASJR (Yet Another Struts Justification Request)
YES, we at Citibank use Struts extensively and I know that our auditors did the review and gave good feedback. We all love this framework.

But currently I am running into a small production problem because of the JDK change in Weblogic SP4 and I have no one to help me out resolving it; rather I am getting some workaround ways from the groups which I cannot do 'cos I have almost 80 modules to change and almost 1000 properties to be changed.

Can Struts gurus look at the problem I posted 2 days back with the Subject Struts 1.0 problem?

Thanks
Naveen

-Original Message-
From: cekvenich.vic [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 10, 2003 2:45 PM
To: struts-user; cekvenich.vic
Subject: Re: YASJR (Yet Another Struts Justification Request)

This is almost a Linux vs Windows: which is more secure? The one that has millions of user eyes on the code!

In commercial code, a bomb is very easy and possible. In OS, unlikely.

I would also bet that given any industry (banks for ex), Struts is the most popular in production use. I know a few large banks using Struts; I am sure that they did due process.

But if PHB does not want to use it, they don't want to use it. Maybe sit in a legal review to negotiate a proprietary framework license suits them, with no?? access to source.

.V
- may the source be with you

Gregory F. March wrote:

> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
>
> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
>
> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?
>
> Thanks,
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

RE: YASJR (Yet Another Struts Justification Request)
Congratulations and thanks for evangelising Struts to your organization.

> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?

The clue is in the title - OPEN source :-) If open source has a weakness it certainly is not that anyone is hiding things in the code.

If they're worried about rogue committers -- and I'd say we're probably all rogues ;-) -- you can monitor the struts-dev list and be notified of every single change to the codebase as it happens. I bet you can't get that level of reassurance from any commercial vendor.

Out of interest, what web server is your bank running its website on? Apache, by any chance? :-)

Steve

Re: YASJR (Yet Another Struts Justification Request)
On Wed, 10 Sep 2003, Gregory F. March wrote:

[snip]

> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?

The only potential rogue contributor that could possibly affect things is someone who has commit access on the CVS repositories (there's roughly 20 people with commit access on Struts, about half of that number is active recently). Any contribution from anyone else has to go through a committer before it actually becomes part of Struts.

In addition, all commits of changes to the codebase by *any* committer are mailed to the STRUTS-DEV list, and are thus available for inspection by all of us. No surprises.

A more strategic mechanism relates to how committers become committers in the first place -- by being voted in by the other committers on that project, after having demonstrated themselves to be both smart and trustworthy. All of the current committers went through this gauntlet, and I have a high degree of confidence that we don't have any closet rogues in our midst :-).

For more info on how Apache projects (including Jakarta, which includes Struts) make decisions and do things, you might find the following stuff interesting:

http://jakarta.apache.org/site/guidelines.html

> Thanks,
> /greg

Craig

Re: YASJR (Yet Another Struts Justification Request)
On Sep 10, 2003, Steve Raeburn [EMAIL PROTECTED] wrote:

|If they're worried about rogue committers -- and I'd say we're probably all
|rogues ;-) -- you can monitor the struts-dev list and be notified of every
|single change to the codebase as it happens. I bet you can't get that level
|of reassurance from any commercial vendor.

I am not aware of how the actual commits are done, but how does publicizing them on a development list stop anything? Someone still has to do the cvs command to commit the change and that is where the malicious person can infect the codebase. But, then again, maybe I'm missing something...

|Out of interest, what web server is your bank running its website on?
|Apache, by any chance? :-)

Nope, WLS 6.1SP4. :-(

Thanks for everyone's response!

/greg

--
Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

Re: [OT] RE: YASJR (Yet Another Struts Justification Request)
LOL

.V

Chen, Gin wrote:

> Offer them kool aid. It will make them feel better. Write 'Struts Good' in the bottom of the cups though. Now they associate the good taste of kool aid with Struts!
>
> -Tim
>
> -Original Message-
> From: Gregory F. March [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 10, 2003 4:09 PM
> To: [EMAIL PROTECTED]
> Subject: YASJR (Yet Another Struts Justification Request)
>
> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.
>
> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.
>
> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?
>
> Thanks,
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

Re: YASJR (Yet Another Struts Justification Request)
On Sep 10, 2003, Gregory F. March [EMAIL PROTECTED] wrote:

|I am not aware of how the actual commits are done, but how does
|publicizing them on a development list stop anything? Someone still has
|to do the cvs command to commit the change and that is where the
|malicious person can infect the codebase. But, then again, maybe I'm
|missing something...

It's kind of embarrassing that I don't know this by now, but is there a list of the actual committers' names? And, have any of them responded to this query?

Thanks... it will help in the credibility of the responses to my management.

Cheers!

/greg

--
Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

Re: YASJR (Yet Another Struts Justification Request)
--- Gregory F. March [EMAIL PROTECTED] wrote:

> On Sep 10, 2003, Steve Raeburn [EMAIL PROTECTED] wrote:
>
> |If they're worried about rogue committers -- and I'd say we're probably all
> |rogues ;-) -- you can monitor the struts-dev list and be notified of every
> |single change to the codebase as it happens. I bet you can't get that level
> |of reassurance from any commercial vendor.
>
> I am not aware of how the actual commits are done, but how does publicizing them on a development list stop anything? Someone still has to do the cvs command to commit the change and that is where the malicious person can infect the codebase. But, then again, maybe I'm missing something...

I read most of the commit messages just to keep up with what's going on and I know other committers read them as well. You have to make a secure connection over ssh to commit a change and that's after a karma gifted person gives you access rights to the codebase. All changes are logged in the cvs repository with the user ID of the committer. Any other ways to hack the code are outside the scope of the Struts team.

If I was concerned about the security of the Struts code I would download the source for the 1.1 release and hack out the packages I don't need. For example, if you're not using Tiles or file upload functionality you could delete quite a few packages. You could also delete many of the taglib packages because they're covered by the JSTL. I would then search the remaining code for dangerous hacks. Of course, now you have to fix bugs yourself or try to keep up with the changes in the main Struts branch.

Keep in mind that Struts relies on a number of Jakarta Commons packages so you'll probably need to audit them as well. I have never seen any intentionally malicious code in any Jakarta project that I've worked on. The only reason we volunteer on these projects is to help people.

> |Out of interest, what web server is your bank running its website on?
> |Apache, by any chance? :-)
>
> Nope, WLS 6.1SP4. :-(

I'm just glad it's not IIS ;-).

David

> Thanks for everyone's response!
>
> /greg
>
> --
> Gregory F. March-=-http://www.gfm.net:81/~march-=- AIM:GfmNet

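The audit David describes in the message above (trim the tree to the packages you use, then search what remains) can start with a triage pass like the one below. This is an added example, not part of the original thread and not Struts project code; `scan_tree`, `REVIEW_PATTERNS`, the pattern list and the sample files are this example's own assumptions, and a clean result only narrows where a human reads first.

```python
import re
import tempfile
from pathlib import Path

# Assumed review list: API uses a reviewer should read by hand. The selection
# is this example's own, not a list published by the Struts team.
REVIEW_PATTERNS = {
    "process-exec": re.compile(r"\bgetRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "network": re.compile(r"\bnew\s+(?:[\w.]+\.)?(?:Server)?Socket\s*\("),
    "dynamic-code": re.compile(r"\bdefineClass\s*\(|\bURLClassLoader\b"),
    # Clock compared with a hard-coded epoch literal: a date-triggered "bomb".
    "clock-trigger": re.compile(r"currentTimeMillis\s*\(\s*\)\s*[<>]=?\s*\d{10,}"),
}
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*;", re.MULTILINE)


def in_scope(package, kept):
    """True when package equals a kept package or is nested under one."""
    return any(package == k or package.startswith(k + ".") for k in kept)


def scan_tree(root, kept):
    """Scan *.java under root; kept lists the packages that survived trimming.

    Returns findings as (file, line, label) and the leftover files that sit
    outside the kept packages. Matches inside comments are reported too.
    """
    findings, leftover = [], []
    for path in sorted(root.rglob("*.java")):
        rel = path.relative_to(root)
        dir_pkg = ".".join(rel.parent.parts)
        if not in_scope(dir_pkg, kept):
            leftover.append(rel.as_posix())
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        declared = PACKAGE_RE.search(text)
        if declared is None or declared.group(1) != dir_pkg:
            # Declared package differs from the directory it was filed under.
            findings.append((rel.as_posix(), 1, "package-path-mismatch"))
        for lineno, line in enumerate(text.splitlines(), 1):
            for label, pattern in REVIEW_PATTERNS.items():
                if pattern.search(line):
                    findings.append((rel.as_posix(), lineno, label))
    return {"findings": findings, "leftover": leftover}


# Constructed sample tree: contents are invented, not taken from Struts.
SAMPLE_TREE = {
    "org/apache/struts/action/Dispatcher.java": (
        "package org.apache.struts.action;\n"
        "class Dispatcher {\n"
        "    void run(String c) throws Exception {\n"
        "        if (System.currentTimeMillis() > 1063238400000L) {\n"
        "            Runtime.getRuntime().exec(c);\n"
        "        }\n"
        "    }\n"
        "}\n"
    ),
    "org/apache/struts/action/Odd.java":
        "package org.apache.struts.util;\nclass Odd { }\n",
    "org/apache/struts/upload/Sender.java":
        "package org.apache.struts.upload;\n"
        "class Sender { Object s() throws Exception {"
        " return new java.net.Socket(\"h\", 1); } }\n",
}


def demo(kept=("org.apache.struts.action",)):
    """Write the sample tree to a temp dir and scan it for the kept packages."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_TREE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body, encoding="utf-8")
        return scan_tree(root, kept)


if __name__ == "__main__":
    report = demo()
    for name, line, label in report["findings"]:
        print(f"{name}:{line}: {label}")
    for name in report["leftover"]:
        print(f"{name}: outside kept packages, delete or review")
```
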
Re: YASJR (Yet Another Struts Justification Request)
On Sep 11, 2003, Shane Mingins [EMAIL PROTECTED] wrote:

|Have u seen http://jakarta.apache.org/struts/volunteers.html

Have now, thanks!

/greg

--
Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

RE: YASJR (Yet Another Struts Justification Request)
> Nope, WLS 6.1SP4. :-(

BEA uses Struts compatibility as a selling point for WLS 8.1:

Enterprise-class architecture - Implement standards-based applications leveraging Model-View-Controller (MVC) architecture and Struts framework
http://kr.bea.com/products/workshop/features/features.shtml

Enterprise class, no less. Tell 'em BEA said it was OK :-)

Steve

Re: YASJR (Yet Another Struts Justification Request)
On Wed, 10 Sep 2003, Gregory F. March wrote:

> Date: Wed, 10 Sep 2003 18:54:30 -0400
> From: Gregory F. March [EMAIL PROTECTED]
> Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED]
> Subject: Re: YASJR (Yet Another Struts Justification Request)
>
> On Sep 10, 2003, Steve Raeburn [EMAIL PROTECTED] wrote:
>
> |If they're worried about rogue committers -- and I'd say we're probably all
> |rogues ;-) -- you can monitor the struts-dev list and be notified of every
> |single change to the codebase as it happens. I bet you can't get that level
> |of reassurance from any commercial vendor.
>
> I am not aware of how the actual commits are done, but how does publicizing them on a development list stop anything?

Because undoing a commit is trivially simple.

> Someone still has to do the cvs command to commit the change and that is where the malicious person

Still has to be someone with commit access, whom the rest of the developers find trustworthy or they never would have earned that right.

> can infect the codebase. But, then again, maybe I'm missing something...

The key thing is you can't sneak anything in without being seen doing so (subscribe to the -dev list and you'll see us often argue about changes for non-security-related reasons as well, and sometimes vote them back out :-). One of the criteria for a release is that none of the committers has any issues with previously committed code that they are concerned about.

Even when I'm too busy to do much work on Struts myself, I always scrutinize commits to the Struts repository -- WAY too much of my credibility in Java circles comes from Struts (people should be giving more credit to all other committers as well, without whose diligent efforts we still would be waiting for Godot^h^h^h^h^h Struts 1.1 :-) to risk letting anything slide by.

Craig

Re: YASJR (Yet Another Struts Justification Request)
On Wed, 10 Sep 2003, Gregory F. March wrote:

> Date: Wed, 10 Sep 2003 20:02:47 -0400
> From: Gregory F. March [EMAIL PROTECTED]
> Reply-To: Struts Users Mailing List [EMAIL PROTECTED]
> To: Struts Users Mailing List [EMAIL PROTECTED]
> Subject: Re: YASJR (Yet Another Struts Justification Request)
>
> On Sep 10, 2003, Gregory F. March [EMAIL PROTECTED] wrote:
>
> |I am not aware of how the actual commits are done, but how does
> |publicizing them on a development list stop anything? Someone still has
> |to do the cvs command to commit the change and that is where the
> |malicious person can infect the codebase. But, then again, maybe I'm
> |missing something...
>
> It's kind of embarrassing that I don't know this by now, but is there a list of the actual committers' names?

http://jakarta.apache.org/struts/volunteers.html

> And, have any of them responded to this query?

Yes. Besides me (who wrote Struts in the first place :-), you've seen responses from at least two other committers.

> Thanks... it will help in the credibility of the responses to my management.

One of the things that has really surprised me about Struts was how early the financial services industry worldwide -- whom I've always pictured as being pretty conservative -- adopted Struts. I suspect a lot of this (especially in Europe) had to do with the high degree of emphasis placed on internationalization. But, of course, the development process that stands behind Struts has had to pass muster as well; in this industry and in many others.

It's also very personally rewarding when a top level IT architect from a very well-known financial services firm (sorry, I don't have explicit permission to reveal who, but you'd *definitely* recognize the name :-) comes up to you at JavaOne and says they've just adopted Struts as their standard infrastructure for the web applications. To say nothing of the fact that a large percentage of the development tools and IDEs in the J2EE space now have Struts support ...

> Cheers!
>
> /greg

Craig

RE: YASJR (Yet Another Struts Justification Request)
snip
How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
/snip

Elementary my dear Watson! As struts is open source you have full access to the code. You can examine it microscopically in minute detail to assure yourself that it is all ok. (And nothing it does is rocket science so don't be shy!)
Try doing THAT with .net :-P

snip
What is the process the Struts team uses to control a rogue contributor?
/snip

I believe they threaten to remove their beer on Friday ;-

-Original Message-
From: Gregory F. March [mailto:[EMAIL PROTECTED]
Sent: Thursday, 11 September 2003 04:09
To: [EMAIL PROTECTED]
Subject: YASJR (Yet Another Struts Justification Request)

I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:

How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?

My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.

At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.

What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?

Thanks,
/greg

--
Gregory F. March-=-http://www.gfm.net:81/~march-=-AIM:GfmNet

RE: YASJR (Yet Another Struts Justification Request)
> I seem to have successfully pushed Struts in my company (a big Wall St. bank). However, today, I was asked the following question:
>
> How can I guarantee that there are no hacks, bombs, etc. in the Struts code or any OS code for that matter?
>
> My immediate response was, how can you guarantee it for any code? However, being a large bank with literally trillions of dollars a day passing through our systems, I can definitely understand their concern.

Well, the immediate answer is that you can do a security audit of the source code yourself. This option simply isn't available with closed source solutions: you are reliant upon happy-customer stories and product reviews in magazines, which are notoriously unreliable. The quality control procedures for OSS are fairly high, and are arguably better than those in the private world.

> At a minimum, we will obtain the source code and at least do a minimal code walk-through and then compile our own binaries.

I would take that one step further and make the code you build your jars from the definitive code for your company, i.e. you would no longer download the Struts source from their CVS repository, but would rely on your own internal copy of the source. This would mean that you would have to fix any undiscovered bugs in the source in house, which may or may not be able to be donated back into the Struts CVS tree, but you would have additional assurance against the introduction of new (intentional or not) security holes.

> What other guarantees can I make to my management? What is the process the Struts team uses to control a rogue contributor?

There are no guarantees that can be made about security, despite what salespeople will tell you. The best you can do is to carefully examine and test the product.

Further, you have to go through a fairly involved process to become a committer, and your reputation will be important before you become one. Even after that all changes are reviewed by other committers before they are actually imported into the codebase.

(CC'ing this to the struts-dev list for corrections. My understanding of the process for Struts development is itself a work in progress. :)

-= J