From: Mike Kienenberger
Date: Tue, 9 Jul 2013 09:20:24 -0400
Subject: Re: javadoc security flaw
To: dev@cayenne.apache.org

LUCENE's issue stated in the comments that the Oracle tool shouldn't be used (apparently it can be integrated with maven). It also stated that there was a simple way to duplicate the functionality using maven, but I didn't immediately see what that was:

Here's the thread it had on that:

https://jira.codehaus.org/browse/MJAVADOC-370?focusedCommentId=327185&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-327185

This seems to point to https://issues.apache.org/jira/browse/MPOM-46 as one solution later on in the comments

Which seems to be a matter of updating the maven-javadoc-plugin version from 2.9 to 2.9.1. Maybe that's all we need as well? If not, I'm guessing you could diff the changes between versions 2.9 to 2.9.1 and find the solution in a maven environment?

http://svn.apache.org/viewvc/maven/pom/trunk/asf/pom.xml?r1=1497692&r2=1497691&pathrev=1497692

--- maven/pom/trunk/asf/pom.xml 2013/06/28 09:11:27 1497691 +++ maven/pom/trunk/asf/pom.xml 2013/06/28 09:14:58 1497692
@@ -184,7 +184,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 2.9 + 2.9.1

On Tue, Jul 9, 2013 at 9:12 AM, Mike Kienenberger wrote:
>> On Jul 9, 2013, at 2:57 AM, Aristedes Maniatis wrote:
>>> Did we change the javadoc build process to avoid the javadoc security flaw recently discovered? I patched the website javadocs, but I'm not sure if we also have to change something in our maven build process or upgrade some plugin.
>
> On Tue, Jul 9, 2013 at 2:12 AM, Andrus Adamchik wrote:
>> Me neither. Probably some research is in order. Should we take this to a separate thread?
>
> Maybe you can copy what some other project has done.
>
> I saw a notice about it for tomcat but I believe it is built with ant.
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
>
> That notice pointed to Lucene, but it says it was built with ivy.
>
> https://issues.apache.org/jira/browse/LUCENE-5072
>
> So I didn't find a pointer to a maven-based fix.
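
Review bot: The 2.9 to 2.9.1 bump in the `@@ -184,7 +184,7 @@` hunk lives in maven/pom/trunk/asf/pom.xml, so it only takes effect in a project that inherits the maven-javadoc-plugin version from that POM at a revision containing r1497692; a build that declares its own version for the plugin keeps whatever it pins. Before treating this as the whole fix, check the consuming project's pom.xml for a javadoc plugin version of its own (build, pluginManagement and reporting sections), and regenerate the published javadoc with the new plugin, since the version change by itself does not touch HTML that is already on the website.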
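
A check for the question this message raises (is the build's maven-javadoc-plugin pin at 2.9.1 or later?), added here as an example and not part of the original e-mail or of the Cayenne build. The sample POM is constructed and the function names are hypothetical; the script reads only the pom.xml text it is given, so a plugin entry without a version is reported as inherited rather than resolved.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 9, 1)  # version the thread identifies as the fix (2.9 -> 2.9.1)

# Constructed sample POM for illustration (not Cayenne's real pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><javadoc.version>2.9</javadoc.version></properties>
  <build><pluginManagement><plugins>
    <plugin><artifactId>maven-javadoc-plugin</artifactId>
      <version>${javadoc.version}</version></plugin>
  </plugins></pluginManagement></build>
  <reporting><plugins>
    <plugin><artifactId>maven-javadoc-plugin</artifactId>
      <version>2.9.1</version></plugin>
    <plugin><artifactId>maven-javadoc-plugin</artifactId></plugin>
  </plugins></reporting>
</project>"""

def local(tag):
    """Strip the XML namespace so namespaced and bare POMs both work."""
    return tag.rsplit("}", 1)[-1]

def version_key(text):
    """'2.9' -> (2, 9, 0); a qualifier such as -SNAPSHOT is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def audit_javadoc_plugin(pom_xml):
    """Return (version, status) for each maven-javadoc-plugin entry, in file order."""
    root = ET.fromstring(pom_xml)
    # All <properties> blocks (profile-level ones included) feed ${...} lookups.
    props = {local(p.tag): (p.text or "").strip()
             for el in root.iter() if local(el.tag) == "properties" for p in el}
    results = []
    for plugin in root.iter():
        fields = {local(c.tag): (c.text or "").strip() for c in plugin}
        if local(plugin.tag) != "plugin" or fields.get("artifactId") != "maven-javadoc-plugin":
            continue
        raw = fields.get("version")
        if not raw:  # no pin here: the version comes from a parent POM
            results.append((None, "inherited: check the parent POM"))
            continue
        resolved = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        status = ("unresolved property" if "${" in resolved
                  else "ok" if version_key(resolved) >= FIXED
                  else "upgrade to 2.9.1 or later")
        results.append((resolved, status))
    return results

if __name__ == "__main__":
    for version, status in audit_javadoc_plugin(SAMPLE_POM):
        print(version, "->", status)
```

For an "inherited" result, `mvn help:effective-pom` shows the version the parent POM actually supplies.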