struts-dev mailing list archives

From Lukasz Lenart <>
Subject Re: Core & plugins
Date Mon, 11 Sep 2017 19:52:51 GMT
2017-09-11 20:46 GMT+02:00 Aleksandr Mashchenko <>:
> Right now most releases which hold security fixes hold new features as well.
> The point is to try to create a separate release for the security issue.
> Take a look like was released.

Preparing a security release and keeping the whole process secret
is almost impossible. Also it gives a possibility for reverse
engineering the solution and developing an exploit before we are able
to release the new version. Also we cannot ask the community to test the
solution, which can lead to releasing an incomplete solution (see,, and,, :/ )

I'm not saying that this approach with 2.5.13 is right, but there was a
test period which allowed others to test the new version and they didn't
report any issues. That being said, I took a risk and mixed a normal
release with a security release (based on a few factors). Please also do
not connect the Equifax breach with 2.5.13 and the REST plugin
vulnerability - there is no proof of that. I have read a report where
less than 1% of Struts 2 based apps in Japan use the REST plugin.

I would rather keep the 2.5.13 approach but extend a test network to
have a better coverage of the performed changes.

>> Things loosely coupled can have their own release cycles (e.g. Maven
>> archetypes).
> Speaking of which, we should release 2.5.x maven archetypes. The latest in
> the repo is 2.5.5.

Right, but the version will be 2.5.6 (the archetypes have their own
release cycle now) or we can mark them as 3.0 or whatever we think it
should be :)


