-1 I'm sorry, but the RAT check is still not right.

If you look at the POM:

https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2/pom.xml

you will see:

    <exclude>src/test/resources/data/test/*</exclude>

This folder does not exist. Which is why I see the following when I build:

    Unapproved licenses:

      data/test/NullComparator.version2.obj1
      data/test/NullComparator.version2.obj2

and

      B     data/test/NodeCachingLinkedList.fullCollection.version3.obj
     !????? data/test/NullComparator.version2.obj1
     !????? data/test/NullComparator.version2.obj2
      B     data/test/PredicatedBag.emptyCollection.version3.1.obj

Instead it should be:

    <exclude>data/test/*</exclude>

and the RAT check is fine.

Fixed in SVN.

Thank you,
Gary

On Wed, Nov 11, 2015 at 8:27 AM, Thomas Neidhart <thomas.neidh...@gmail.com> wrote:

> Hi all,
>
> in order to provide a work-around for the known remote code exploit via
> java de-serialization of malicious InvokerTransformer instances, I would
> like to start a vote to release Commons Collections 3.2.2 based on RC2.
>
> Notes:
>
>  * the site will not be published, it just serves as a reference to
>    access the various reports. After a successful vote, the current 4.X
>    branch site will be updated with relevant information and published.
>
>  * some tests might fail with various IBM JDK 6 JREs, these are known
>    issues and have been worked-around in the 4.X branch but are not
>    back-ported to this release.
>
>  * Collections 3.2.2 can not be compiled with JDK 8 due to a name clash
>    with a newly introduced default method in the Map interface.
>
>  * the collections-testframework.jar that has been published in previous
>    versions is not included in this release
>
>
> Changes from RC1:
>
>  * fixed RAT report
>  * fixed NOTICE file
>  * improve the security fix: it has been made symmetric in the sense
>    that also the serialization of an unsafe class is disabled by
>    default and will result in an exception
>  * changed the system property to re-enable serialization of unsafe
>    classes. It is now
>    "org.apache.commons.collections.enableUnsafeSerialization"
>  * all classes in the functor package which (based on current
>    knowledge) have to be considered unsafe cannot be serialized/
>    de-serialized any more by default. This includes the following
>    classes:
>
>    ** CloneTransformer
>    ** PrototypeFactory (inner classes
>         PrototypeCloneFactory and
>         PrototypeSerializationFactory)
>    ** InstantiateFactory
>    ** InstantiateTransformer
>    ** ForClosure
>    ** WhileClosure
>    ** InvokerTransformer
>
>
>
> Collections 3.2.2 RC2 is available for review here:
>   https://dist.apache.org/repos/dist/dev/commons/collections/
>   (svn revision 11147)
>
> Maven artifacts are here:
>
>   https://repository.apache.org/content/repositories/orgapachecommons-1116/commons-collections/commons-collections/3.2.2/
>
> Details of changes since 3.2.1 are in the release notes:
>
>   https://dist.apache.org/repos/dist/dev/commons/collections/RELEASE-NOTES.txt
>
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/changes-report.html
>
> The tag is here:
>
>   https://svn.apache.org/repos/asf/commons/proper/collections/tags/COLLECTIONS_3_2_2_RC2
>   (svn revision 1713883)
>
> Site:
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/
>
> Clirr Report (compared to 3.2.1):
>
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/clirr-report.html
>
> RAT Report:
>
>   http://people.apache.org/builds/commons/collections/3.2.2/RC2/rat-report.html
>
> KEYS:
>   https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
>
>
> Considering that this is a security related release and that RC1 did not
> show any functional problems with the release, I plan to close this vote
> in 24 from now, i.e. after 1800 GMT 12-November 2015
>
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
>
> Thanks,
>
> Thomas
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>

--
E-Mail: garydgreg...@gmail.com | ggreg...@apache.org
Java Persistence with Hibernate, Second Edition <http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory