David,
From: "David E Jones" <[email protected]>
Jacques,
Please keep in mind that everyone has a list of things they'd like to see done before the release. If we waited for all of it to
get done we would NEVER ever do any releases, especially because as one person's list made progress other people would add more
things to their list... and on and on and on it would go. Fortunately we have the trunk for those sorts of things, and it does
go on and on and on.
As we already discusses, it's not about specific features I'd like to be in this release but about *security*. I thought we already
agree that we will put them in the branche after it will be freezed. Did you change your mind ?
For the release branch, we have to draw the line somewhere, and we've been discussing this for months and delayed it a few weeks
ago and then delayed it again a couple of days ago... and THAT'S IT! We're not delaying this forever, otherwise we might as well
not even try to do it...
I don't want to delay anything, just be sure that at least security fixes and maybe related things like the location component://
stuff in controllers will be in the release. That's all I say below. BTW I did not find the time yet to look at the 3d point, but I
guess it's a security issue too.
Believe me, it's not whim (an new english word for me), security is an
important argument for users !
Jacques
-David
On Apr 16, 2009, at 1:32 AM, Jacques Le Roux wrote:
+1 for the branche with the points below taken into account...
Maybe I did not make it clear but each * just below refer to each * in my 1st
message.
Jacques
From: "Jacques Le Roux" <[email protected]>
Well tried digression :o)
* 1st point obviously a bug
* 2d too
* I'd like to discuss this point, do you agree we should do it too (I did not
look into code yet)
* Not a bug but IMPO should be in release 9.04 too
BTW I thought about your branch name propostion (200904). Could we not use a such name for our releases. Microsoft marketing
used 95 and 98 then 2000. Obviously 2009-04 or whatever form is less cryptice than 9.04. I know we, IT people, like crytic
things ;o) but making it clearer for eveyrone is all about marketing, isn'it ? The next release could be OFBiz 2009-04
Jacques
From: "David E Jones" <[email protected]>
Well, what do you think Jacques? Are each of these appropriate things to put in a release branch? Are any of them things that
you'd like done but that aren't really bug fixes (IMO a security hole is a bug fix of sorts)?
-David
On Apr 15, 2009, at 12:32 AM, Jacques Le Roux wrote:
Before voting I'd like to clarify some points. As we previously agreed we should not put anything but bugs fixes in a
freezed branches.
But I think that we need to finish the secured URLs job. For me this means to
:
* Fix the URL calling services in FTL files (I will open a Jira issue for this as soons as I will come with a tool to make
all references clear, we can't rely on chance here)
* Treat the secured URLs exception
https://issues.apache.org/jira/browse/OFBIZ-2272
* I suggested to process targets with params in forms : look for <<form(.*)target=(.*)\?(.*)=(.*)>> and
<<form.(*)\R(.*)target=(.*) \? (.*)=(.*)>>, what about this ?
* Not related to securing URL but as we already discussed, I'd like to test, and if OK, replace location="org.ofbiz. by
location="component:// in controllers
That's all I see for the moment. So my opinion is that we need to commit this changes in the new branche, before or after
its creation. Then I will vote.
Jacques
From: "David E Jones" <[email protected]>
Today is the day we have discussed for a while! A lot of improvements and fixes have gone in over the last few weeks, but
it is important to remember that the release branch is primarily time-based and is a "line in the sand" as it were to
begin the effort of stabilizing a specific code base so that end-users who want stability over features have that option.
Some things make it in, and other things don't make it, and that is true no matter when we draw the line (but we don't
want to delay it forever). What we have in place it a HUGE improvement over the release4.0 branch, and that is the most
important point to keep in mind.
Along with that there is a planned press release coordinated with the Apache Software Foundation Public Relations
Committee (that's a mouthful! no wonder we use acronyms like: ASF PRC) for tomorrow morning (Wed 15 April).
That said, the target date/time for the release branch is later tonight (and when I say tonight I mean according to USA
time, just to clarify). To follow the date pattern we have discussed and make it clearly a date I'm thinking of the
actual name for the branch directory to be "release200904" (and please feel free to comment on that if you think
something else is better).
However, that I will only do that IFF we have a positive vote for the
release, hence this message!
Please vote:
[+1] Create the release branch tonight, April 14th (it will be April 15th
for GMT-0)
[+0] Abstain
[-1] Do not create the release branch tonight
Please remember that everyone is free to (and encouraged to!) vote, but only
the PMC votes are binding.
Thanks to everyone who has made this possible with amazing contributions over the last 2 years, and a heightened activity
in recent weeks and months to make this a spectacular release.
-David
