Results of the activemq-nms-openwire 2.1.0-rc1 release vote. The vote passes with 5 Binding Votes
Binding Votes: Jeff Genender Clebert Suconic Chris Porebski Arthur Naseef Michael André Pearce Non-Binding Votes: Bruce Dodson Thank you for all the contributions and everyone's time reviewing the release candidate and voting. I will proceed with publishing the release now. Chris On Tue, Mar 7, 2023 at 2:47 AM Clebert Suconic <clebert.suco...@gmail.com> wrote: > Is this still open ? +1 > On Mon, Mar 6, 2023 at 5:22 PM Arthur Naseef <a...@amlinv.com> wrote: > > > +1 > > > > I downloaded the sources and built on Windows 10. Also reviewed the > commit > > that adds the deny and allow lists. > > > > Art > > > > > > On Wed, Mar 1, 2023 at 8:12 AM <jgenen...@apache.org> wrote: > > > > > +1 > > > > > > Jeff > > > > > > > > > > On Mar 1, 2023, at 4:02 AM, Michael André Pearce < > > > michaelpea...@apache.org> wrote: > > > > > > > > Thanks Chris, much needed feature! > > > > > > > > +1 (binding) > > > > > > > > On 2023/02/26 11:09:15 Havret wrote: > > > >> Hi all, > > > >> > > > >> I have put together another release of activemq-nms-openwire. Please > > > review > > > >> it and vote accordingly. > > > >> > > > >> This release includes an important new feature that allows users to > > > specify > > > >> an allow/deny list of types for binary serialization. This can help > > > prevent > > > >> potential security vulnerabilities. > > > >> > > > >> The feature is implemented in the same way as in qpid-jms, using a > > > >> deserialization policy that controls which types can be trusted for > > > >> deserialization from an incoming NMS IObjectMessage containing > > > serialized > > > >> .NET Object content. By default, all types are trusted during > > > >> deserialization. However, the default Deserialization Policy object > > > >> provides URI options for specifying an allow list and a deny list of > > > .NET > > > >> classes or namespaces. > > > >> > > > >> The following options are available: > > > >> > > > >> - nms.deserializationPolicy.allowList: A comma-separated list of > > > >> classes/namespaces that are allowed during deserialization, unless > > they > > > are > > > >> overridden by the deny list. Names in this list are not pattern > > values; > > > the > > > >> exact class or namespace name must be configured (e.g. > > > >> "System.Collections.Queue" or "System.Collections"). Namespace > matches > > > >> include sub-namespaces. The default is to allow all. > > > >> - nms.deserializationPolicy.denyList: A comma-separated list of > > > >> classes/namespaces that are rejected during deserialization. Names > in > > > this > > > >> list are not pattern values; the exact class or namespace name must > be > > > >> configured (e.g. "System.Collections.Queue" or > "System.Collections"). > > > >> Namespace matches include sub-namespaces. The default is to reject > > none. > > > >> > > > >> This release contains the following change: > > > >> * > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935 > > > >> < > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935 > > > >* > > > >> > > > >> The files can be grabbed from: > > > >> > > > > > > https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/ > > > >> > > > >> Regards, > > > >> Chris > > > >> > > > >> Here's mine +1 (binding) > > > >> > > > > > > > > > -- > Clebert Suconic >
