Re: [VOTE] Release Maven Help Plugin version 3.0.0

2018-03-09 Thread Hervé BOUTEMY
+1

Regards,

Hervé

On Wednesday, 7 March 2018, 22:37:46 CET Michael Osipov wrote:
> Hi,
> 
> We solved 34 issues:
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317522
> rsion=12330788
> 
> There are still a couple of issues left in JIRA:
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20MPH%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC
> 
> Staging repo:
> https://repository.apache.org/content/repositories/maven-1403/
> https://repository.apache.org/content/repositories/maven-1403/org/apache/maven/plugins/maven-help-plugin/3.0.0/maven-help-plugin-3.0.0-source-release.zip
> 
> Source release checksum(s):
> maven-help-plugin-3.0.0-source-release.zip sha1:
> 2dbd3dc017f246817de288c5962615cfd5cac18d
> 
> Staging site:
> http://maven.apache.org/plugins-archives/maven-help-plugin-LATEST/
> 
> Guide to testing staged releases:
> http://maven.apache.org/guides/development/guide-testing-releases.html
> 
> Vote open for 72 hours.
> 
> [ ] +1
> [ ] +0
> [ ] -1
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org






[VOTE] Release Apache Maven EAR Plugin version 3.0.0

2018-03-09 Thread Karl Heinz Marbaise

Hi,

We solved 41 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317422=12330696

There are still a couple of issues left in JIRA:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20MEAR%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

Staging repo:
https://repository.apache.org/content/repositories/maven-1405
https://repository.apache.org/content/repositories/maven-1405/org/apache/maven/plugins/maven-ear-plugin/3.0.0/maven-ear-plugin-3.0.0-source-release.zip

Source release checksum(s):
maven-ear-plugin-3.0.0-source-release.zip sha1: 
15e2275180f3980069849024693a562f66b48ca1


Staging site:
http://maven.apache.org/plugins-archives/maven-ear-plugin-LATEST/

Guide to testing staged releases:
https://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for at least 72 hours.

[ ] +1
[ ] +0
[ ] -1

Kind regards
Karl Heinz Marbaise




Re: [VOTE] Release Maven Help Plugin version 3.0.0

2018-03-09 Thread Guillaume Boué

+1


On 07/03/2018 at 22:37, Michael Osipov wrote:

Hi,

We solved 34 issues:
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317522=12330788 



There are still a couple of issues left in JIRA:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20MPH%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC 



Staging repo:
https://repository.apache.org/content/repositories/maven-1403/
https://repository.apache.org/content/repositories/maven-1403/org/apache/maven/plugins/maven-help-plugin/3.0.0/maven-help-plugin-3.0.0-source-release.zip 



Source release checksum(s):
maven-help-plugin-3.0.0-source-release.zip sha1: 
2dbd3dc017f246817de288c5962615cfd5cac18d


Staging site:
http://maven.apache.org/plugins-archives/maven-help-plugin-LATEST/

Guide to testing staged releases:
http://maven.apache.org/guides/development/guide-testing-releases.html

Vote open for 72 hours.

[ ] +1
[ ] +0
[ ] -1




Re: RFC: Maven to raise a notification if downloading vulnerable content

2018-03-09 Thread Paul Hammant
Personally, I think vulnerable packages could be retained locally and was
subscribable. Dealing with it during a build would be a local operation.

Here's a repo of all Maven Meta data (I wrote some stuff in Python and
Herve redid it in Java) -> https://github.com/hboutemy/mcmm-yaml/

While vulnerability info could be woven into that repo with extra
attributes, it might be better that there were a separate repo that listed
vulnerabilities only. That Git repo would have the same structure but be
limited to information around artifacts vulns only, and only the root cause
vulns.

For example CVE-2017-15707 says the REST Plugin for Apache Struts 2.5 to
2.5.14 is vulnerable, but it is really certain versions of JSON-lib that are
vulnerable.

https://github.com/hboutemy/mcmm-yaml/blob/master/org/apache/struts/struts2-core.yaml
https://github.com/hboutemy/mcmm-yaml/blob/master/net/sf/json-lib/json-lib.yaml

Thus a revised vulnerability plugin would check against the local Git repo
of vulns, AND have an option of doing a git-pull for the repo again of the
determination.

mvn vuln:report
mvn vuln:fail
mvn vuln:report -DupdateVulnDB
mvn vuln:fail -DupdateVulnDB

Being a git repo allows for mirrors. Also, git pull (especially for
--depth=1) is quick.  Interestingly this git repo could operate bare (no
working copy on the local) as you're not going to change the files in an
edit/commit/push cycle

-ph


On Tue, Mar 6, 2018 at 7:12 AM, Peter Muryshkin  wrote:

> Hi, all,
>
> currently you can run OWASP dependency check plugin against your projects.
>
> Though, this seems to make security more or less optional: unaware either
> lightheaded teams could miss this.
>
> What if a package repository would integrate with this dependency checking
> and issue a warning, say a special HTTP response code or a header?
>
> Then, Maven would raise the warning in the console log, like "this
> component is known to have CVE-XYZ! consider upgrading"
>
> What do you think?
>



-- 
Paul Hammant DevOps  Let me give your
enterprise a step by step plan to get out of the hell of crazy branching
models (ClearCase maybe?) and into the world of high-throughput CD on
DevOps foundations.
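
Added example (not part of the original message, and not code from Maven or any existing plugin): a sketch of the local lookup the message above proposes, with records stored only on the root-cause artifact in a repo laid out like mcmm-yaml. The record fields, the version range, the dependency list and all function names are assumptions constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed stand-in for a local checkout of the vulnerability-only repo.
# Layout follows mcmm-yaml (<groupId as path>/<artifactId>.yaml); the record
# fields and the version range are assumptions, not real advisory data.
VULN_REPO = {
    "net/sf/json-lib/json-lib.yaml": [
        {"id": "CVE-2017-15707", "min": "2.0", "max": "2.4"},
    ],
}

def repo_path(group_id, artifact_id):
    """Map Maven coordinates to the file that would hold their vuln records."""
    return str(PurePosixPath(*group_id.split("."), artifact_id + ".yaml"))

def parse_version(text):
    """Dotted numeric versions only; anything else returns None (unknown)."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def check(resolved, repo=VULN_REPO):
    """resolved: list of (groupId, artifactId, version, pulled_in_by)."""
    findings = []
    for group_id, artifact_id, version, via in resolved:
        have = parse_version(version)
        for rec in repo.get(repo_path(group_id, artifact_id), []):
            lo, hi = parse_version(rec["min"]), parse_version(rec["max"])
            if have is None:
                status = "unverifiable"  # never pass silently on odd versions
            elif lo <= have <= hi:
                status = "vulnerable"
            else:
                continue
            findings.append((f"{group_id}:{artifact_id}:{version}", rec["id"], status, via))
    return findings

def vuln_fail(findings):
    """Exit status for a 'fail' style goal: non-zero if anything was found."""
    return 1 if findings else 0

# Constructed resolved dependency list for a project using the Struts REST plugin.
RESOLVED = [
    ("org.apache.struts", "struts2-core", "2.5.14", "project"),
    ("org.apache.struts", "struts2-rest-plugin", "2.5.14", "project"),
    ("net.sf.json-lib", "json-lib", "2.3", "org.apache.struts:struts2-rest-plugin"),
]

if __name__ == "__main__":
    for coord, vuln_id, status, via in check(RESOLVED):
        print(f"{status}: {coord} ({vuln_id}), pulled in by {via}")
    raise SystemExit(vuln_fail(check(RESOLVED)))
```

Because the record sits on json-lib rather than on the Struts artifacts, only the transitive dependency is reported, together with the artifact that pulled it in; a version string the parser cannot order is reported as unverifiable instead of passing.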


Re: [VOTE] Release Apache Maven Surefire Plugin version 2.20.1

2018-03-09 Thread Enrico Olivelli
2018-03-09 9:55 GMT+01:00 Tibor Digana :

> Hi Enrico, Karl, Herve,
>
> We reported the issues [1] found during the Vote. They are fixed in
> branches [2] and CI builds [3].
> We can make a code review.
> Additionally, we fixed SUREFIRE-1490 which was in progress but we did not
> have spare time to include it in the Release 2.21.0. Now it is fixed in [4].
>



Thank you Tibor,
I did not have time to create issues yet and you already have resolved
them!!

I can confirm that I am now using 2.21.0 and I am really happy with it.

I have reviewed your commits and they look good to me,
today I do not have time to test your fixes on my "real" projects but
surely I will do it next week, I guess we will not release 3.0.0M1
immediately

Cheers
Enrico



>
> [1]:
> https://issues.apache.org/jira/browse/SUREFIRE-1495
> https://issues.apache.org/jira/browse/SUREFIRE-1498
>
> [2]:
> https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=c496ebf3b4518c25787d5eac9f54b2a220a59447
> https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=af7ae9ef933873a038b2817d6430859f2a5bd1c7
>
> [3]:
> https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1495/4/
> https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1498/1/
>
> [4]:
> https://issues.apache.org/jira/browse/SUREFIRE-1490
> https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=6174be76f52ffc2873a18a5215f60767843d7479
> https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1490/2/
>
> Cheers
> Tibor
>
>
> On Tue, Mar 6, 2018 at 5:33 PM, Tibor Digana 
> wrote:
>
>> Hello Gary, yes but my typo was corrected in the second e-mail.
>>
>> On Tue, Mar 6, 2018 at 5:16 PM, Gary Gregory 
>> wrote:
>>
>>> This thread has the wrong VERSION in its subject.
>>>
>>> Gary
>>>
>>> On Sat, Mar 3, 2018 at 4:42 AM, Tibor Digana 
>>> wrote:
>>>
>>> > Hi,
>>> >
>>> > We solved 33 issues:
>>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317927=12341630
>>> >
>>> > There are still a couple of issues left in JIRA:
>>> > https://issues.apache.org/jira/i#issues/?jql=project+%3D+SUREFIRE+AND+status+%3D+Open+ORDER+BY+priority+DESC
>>> >
>>> > Staging repo:
>>> > https://repository.apache.org/content/repositories/maven-1402/
>>> > https://repository.apache.org/content/repositories/maven-1402/org/apache/maven/surefire/surefire/2.21.0/surefire-2.21.0-source-release.zip
>>> >
>>> > Source release checksum(s):
>>> > surefire-2.21.0-source-release.zip sha1:
>>> > 6927024eefa0b8c80dee70efa014f1f421d7844b
>>> >
>>> > Staging site:
>>> > http://maven.apache.org/surefire-archives/surefire-LATEST/
>>> >
>>> > Guide to testing staged releases:
>>> > http://maven.apache.org/guides/development/guide-testing-releases.html
>>> >
>>> > Vote open for 72 hours.
>>> >
>>> > [ ] +1
>>> > [ ] +0
>>> > [ ] -1
>>> >
>>> > Cheers
>>> > Tibor
>>> >
>>>
>>
>>
>


Re: [VOTE] Release Apache Maven Surefire Plugin version 2.20.1

2018-03-09 Thread Tibor Digana
Hi Enrico, Karl, Herve,

We reported the issues [1] found during the Vote. They are fixed in
branches [2] and CI builds [3].
We can make a code review.
Additionally, we fixed SUREFIRE-1490 which was in progress but we did not
have spare time to include it in the Release 2.21.0. Now it is fixed in [4].

[1]:
https://issues.apache.org/jira/browse/SUREFIRE-1495
https://issues.apache.org/jira/browse/SUREFIRE-1498

[2]:
https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=c496ebf3b4518c25787d5eac9f54b2a220a59447
https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=af7ae9ef933873a038b2817d6430859f2a5bd1c7

[3]:
https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1495/4/
https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1498/1/

[4]:
https://issues.apache.org/jira/browse/SUREFIRE-1490
https://git1-us-west.apache.org/repos/asf?p=maven-surefire.git;a=commit;h=6174be76f52ffc2873a18a5215f60767843d7479
https://builds.apache.org/job/maven-wip/job/maven-surefire/job/SUREFIRE-1490/2/

Cheers
Tibor


On Tue, Mar 6, 2018 at 5:33 PM, Tibor Digana  wrote:

> Hello Gary, yes but my typo was corrected in the second e-mail.
>
> On Tue, Mar 6, 2018 at 5:16 PM, Gary Gregory 
> wrote:
>
>> This thread has the wrong VERSION in its subject.
>>
>> Gary
>>
>> On Sat, Mar 3, 2018 at 4:42 AM, Tibor Digana 
>> wrote:
>>
>> > Hi,
>> >
>> > We solved 33 issues:
>> > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317927=12341630
>> >
>> > There are still a couple of issues left in JIRA:
>> > https://issues.apache.org/jira/i#issues/?jql=project+%3D+SUREFIRE+AND+status+%3D+Open+ORDER+BY+priority+DESC
>> >
>> > Staging repo:
>> > https://repository.apache.org/content/repositories/maven-1402/
>> > https://repository.apache.org/content/repositories/maven-1402/org/apache/maven/surefire/surefire/2.21.0/surefire-2.21.0-source-release.zip
>> >
>> > Source release checksum(s):
>> > surefire-2.21.0-source-release.zip sha1:
>> > 6927024eefa0b8c80dee70efa014f1f421d7844b
>> >
>> > Staging site:
>> > http://maven.apache.org/surefire-archives/surefire-LATEST/
>> >
>> > Guide to testing staged releases:
>> > http://maven.apache.org/guides/development/guide-testing-releases.html
>> >
>> > Vote open for 72 hours.
>> >
>> > [ ] +1
>> > [ ] +0
>> > [ ] -1
>> >
>> > Cheers
>> > Tibor
>> >
>>
>
>