Subject: Re: [VOTE] Release Apache Jackrabbit Filevault 3.1.36
To: dev@jackrabbit.apache.org
From: Julian Reschke
Date: Fri, 10 Mar 2017 15:47:38 +0100

On 2017-03-10 15:34, Tobias Bocanegra wrote:
> Hi Julian,
> the references to the "unstable" versions are unfortunate, but they
> don't have impact on the operation.
> also, all the tests pass so far. the only user of commons-collections is
> vault-cli, and I don't think that this is vulnerable to the serialization
> vulnerability.

That may be true, but it keeps the users of vault wondering whether everything is ok. It's simply better to use the correct version in the first place.

> here's the list of bundled libraries in vault-cli:
>
> commons-cli-2.0-mahout.jar
> commons-codec-1.10.jar
> commons-collections-3.2.1.jar
> commons-io-2.4.jar
> commons-jci-fam-1.0.jar
> commons-logging-1.0.3.jar
> commons-logging-api-1.1.jar

Unless I'm missing something obvious, we should use the latest library version that works for the Java version we need to support.

> diffutils-1.2.1.jar
> guava-15.0.jar
> httpclient-4.5.2.jar
> httpcore-4.4.4.jar
> httpmime-4.5.2.jar

httpclient and -mime are 4.5.3 in jackrabbit right now.

> jackrabbit-api-2.13.7.jar
> jackrabbit-jcr-client-2.13.7.jar
> jackrabbit-jcr-commons-2.13.7.jar
> jackrabbit-jcr2spi-2.13.7.jar
> jackrabbit-spi-2.13.7.jar
> jackrabbit-spi-commons-2.13.7.jar
> jackrabbit-spi2dav-2.13.7.jar
> jackrabbit-webdav-2.13.7.jar

These should use a stable release. We can't tell people not to use these if we do so ourselves without a good reason.

> however, if you think this is really a no go,
> please indicate which versions you would use, and I will update them for
> the next release, if the vote fails.

Yes, I consider this a showstopper. Unless there's an emergency you need to deal with, I'd cancel this release, update the dependencies, and cut a new one.

> thanks.
> regards, toby
>
> btw: there should be a mechanism to mark libraries as invalid/revoked so
> that they can't be referenced by other projects.

Yes - or at least generate fat warnings.

Best regards, Julian
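
Added example, not part of the original message or of the project's build: a release-gate check that runs the three objections raised in this review (a questioned library version, a version behind the one already used in jackrabbit, and unstable Jackrabbit artifacts) over the bundled jar list quoted above. The deny list, the baseline versions and the rule that an odd minor version marks an unstable Jackrabbit line are assumptions drawn from the thread; the function names are hypothetical.

```python
import re

# Bundled vault-cli jars, copied from the list quoted in the message above.
BUNDLED = """
commons-cli-2.0-mahout.jar commons-codec-1.10.jar commons-collections-3.2.1.jar
commons-io-2.4.jar commons-jci-fam-1.0.jar commons-logging-1.0.3.jar
commons-logging-api-1.1.jar diffutils-1.2.1.jar guava-15.0.jar
httpclient-4.5.2.jar httpcore-4.4.4.jar httpmime-4.5.2.jar
jackrabbit-api-2.13.7.jar jackrabbit-jcr-client-2.13.7.jar
jackrabbit-jcr-commons-2.13.7.jar jackrabbit-jcr2spi-2.13.7.jar
jackrabbit-spi-2.13.7.jar jackrabbit-spi-commons-2.13.7.jar
jackrabbit-spi2dav-2.13.7.jar jackrabbit-webdav-2.13.7.jar
""".split()

# Assumed policy, derived from the review comments in the thread.
DENIED = {("commons-collections", "3.2.1")}  # version questioned in the thread
BASELINE = {"httpclient": "4.5.3", "httpmime": "4.5.3"}  # "4.5.3 in jackrabbit right now"

JAR_RE = re.compile(r"^(.+?)-(\d+(?:\.\d+)*)(?:-([\w.]+))?\.jar$")

def parse_jar(name):
    """Split 'artifact-1.2.3[-qualifier].jar' into (artifact, version, qualifier)."""
    m = JAR_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised jar name: {name}")
    return m.group(1), m.group(2), m.group(3)

def as_tuple(version):
    """Turn '4.5.2' into (4, 5, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))

def audit(jars):
    """Return (jar, reason) pairs for every jar that breaks the policy."""
    findings = []
    for jar in jars:
        artifact, version, _ = parse_jar(jar)
        nums = as_tuple(version)
        if (artifact, version) in DENIED:
            findings.append((jar, "deny-listed version"))
        if artifact in BASELINE and nums < as_tuple(BASELINE[artifact]):
            findings.append((jar, f"older than baseline {BASELINE[artifact]}"))
        # Assumption: Jackrabbit's odd minor versions (2.13.x) are unstable.
        if artifact.startswith("jackrabbit-") and len(nums) > 1 and nums[1] % 2:
            findings.append((jar, "unstable Jackrabbit release line"))
    return findings

if __name__ == "__main__":
    for jar, reason in audit(BUNDLED):
        print(f"FAIL {jar}: {reason}")
```

Run against a release candidate's `lib` directory listing, a non-empty result is the "fat warning" asked for at the end of the thread and can fail the build before a vote is called.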