On 11/10/2015 10:52 PM, Gary Gregory wrote:
> Hi all:
>
> -1
>
> Sorry, the RAT failure needs to be handled one way or another: exclude the
> files or add headers:
>
> Unapproved licenses:
>
>   data/test/NullComparator.version2.obj1
>   data/test/NullComparator.version2.obj2
>   xdocs/style/project.css
>
>
> I imagine the obj files can be excluded but the CSS file can just have a
> header added, just like
> https://svn.apache.org/repos/asf/commons/proper/daemon/trunk/src/docs/daemon.css
>
> It's just messy to rush this through without dotting the i's and so on.

yeah, I did not see the 2 NullComparator files as the problem appears
only on Windows. The same happened for the Collections 4 release, and I
forgot about it.

@css: wtf, are you serious to vote with -1 because of that and complain
about the RC being messy?

I mean, I can handle it if there are real issues to be fixed, and I had
planned to cancel the VOTE anyways to make some more adjustments but
something like that is just ridiculous.

Just take a look at some other published commons releases and count the
number of RAT errors, even for source files.

Thomas

>
> There is also the issue of the possibly wrong revision being tagged or
> being used in the VOTE email thread. That can be fixed for RC2 as well.
>
> Gary
>
> On Mon, Nov 9, 2015 at 2:37 PM, Thomas Neidhart <thomas.neidh...@gmail.com>
> wrote:
>
>> Hi all,
>>
>> in order to provide a work-around for the known remote code exploit via
>> java de-serialization of malicious InvokerTransformer instances, I would
>> like to start a vote to release Commons Collections 3.2.2 based on RC1.
>>
>> I would kindly ask people to review the RC especially wrt the following
>> topics:
>>
>>  * OSGI compatibility
>>  * reproducing the exploits and verifying that it provides protection
>>  * any kind of regression that this release might create with existing
>>    applications
>>
>> Notes:
>>
>>  * the site will not be published, it just serves as a reference to
>>    access the various reports. After a successful vote, the current 4.X
>>    branch site will be updated with relevant information and published.
>>
>>  * some tests might fail with various IBM JDK 6 JREs, these are known
>>    issues and have been worked-around in the 4.X branch but are not
>>    back-ported to this release.
>>
>> Collections 3.2.2 RC1 is available for review here:
>>   https://dist.apache.org/repos/dist/dev/commons/collections/
>>   (svn revision 11092)
>>
>> Maven artifacts are here:
>>
>>   https://repository.apache.org/content/repositories/orgapachecommons-1115/commons-collections/commons-collections/3.2.2/
>>
>> Details of changes since 3.2.1 are in the release notes:
>>
>>   https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>>
>>   http://people.apache.org/builds/commons/collections/3.2.2/RC1/changes-report.html
>>
>> The tag is here:
>>
>>   https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC1
>>   (svn revision 1713561)
>>
>> Site:
>>   http://people.apache.org/builds/commons/collections/3.2.2/RC1/
>>
>> Clirr Report (compared to 3.2.1):
>>
>>   http://people.apache.org/builds/commons/collections/3.2.2/RC1/clirr-report.html
>>
>> RAT Report:
>>
>>   http://people.apache.org/builds/commons/collections/3.2.2/RC1/rat-report.html
>>
>> KEYS:
>>   https://www.apache.org/dist/commons/KEYS
>>
>> Please review the release candidate and vote.
>>
>> This vote will close no sooner than 72 hours from now, i.e. after 2300
>> GMT 12-November 2015
>>
>>   [ ] +1 Release these artifacts
>>   [ ] +0 OK, but...
>>   [ ] -0 OK, but really should fix...
>>   [ ] -1 I oppose this release because...
>>
>> Thanks,
>>
>> Thomas
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
>> For additional commands, e-mail: dev-h...@commons.apache.org