OK, since we have no issues OOTB that can be done.

But IMO documenting the whole thing in our notsoserial readme.txt is not enough.
We need to make that more prominent. Not sure how yet...

Jacques


On 07/09/2016 at 20:09, Taher Alkhateeb wrote:
Scratch that, actually only the -D arguments are ignored; we must remove
the -javaagent argument because it's not a classpath argument and would
crash the VM.

But for consistency's sake, let's remove them all for now. So simply we
apply:

Index: build.gradle
===================================================================
--- build.gradle        (revision 1759596)
+++ build.gradle        (working copy)
@@ -31,11 +31,7 @@
  ext.os = System.getProperty('os.name').toLowerCase()

  // java settings
-def jvmArguments = ['-Xms128M', '-Xmx1024M',
-
"-javaagent:${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar",
-
"-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoserial/empty.txt",
-
"-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/is-deserialized.txt",
-
"-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/deserialize-trace.txt"]
+def jvmArguments = ['-Xms128M', '-Xmx1024M']
  ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
  javadoc.failOnError = false
  sourceCompatibility = '1.8'
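Review bot: dropping all four entries removes the deserialization guard (whitelist, dryrun and trace settings) along with the agent, while the message above says only the `-javaagent` entry is dangerous when the jar is absent. If the aim is just to survive a missing jar, consider guarding that one entry with a file check such as `if (file("${rootDir}/tools/security/notsoserial/notsoserial-1.0-SNAPSHOT.jar").exists())` and keeping the `-Dnotsoserial.*` properties, which are ignored when nothing reads them. Either way, the readme.txt should state that OOTB builds now run without notsoserial so the change in protection is not silent.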

On Wed, Sep 7, 2016 at 9:04 PM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

OK, cool. If the JVM arguments are simply ignored, then I will proceed with
an addition in the readme and remove the jar, simple.

Jacques



On 07/09/2016 at 17:16, Jacopo Cappellato wrote:

Thank you Jacques and Taher.

So it seems we can move on and temporarily remove the jar.

Jacopo


On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb <slidingfilame...@gmail.com> wrote:

Hi Jacques,
First of all, the ofbizSecure task is gone; instead, everything calls the
correct JVM arguments by default to fetch notsoserial.

The work to remove notsoserial is almost nothing. You just need to remove a
few JVM args and that's it. Even if you don't remove the JVM args nothing
happens because it will just ignore it as missing from the classpath.

Taher Alkhateeb

On Sep 7, 2016 5:48 PM, "Jacques Le Roux" <jacques.le.r...@les7arts.com> wrote:

Huho, I was too fast on this. Currently the Gradle "ofbizSecure" task
depends on the notsoserial-1.0-SNAPSHOT.jar.

So this would need more work, and w/o answers from them I suspect they will
not publish the jar.

Now it's a serious security issue but not OOTB. So I see 2 possibilities.

1. Ask the ASF for a derogation (after all it's a Java issue, not an OFBiz one)
2. Do what I said before AND change the Gradle "ofbizSecure" task

Opinions?

Jacques


On 07/09/2016 at 14:01, Jacques Le Roux wrote:

Yes, I see no problems with that. I just need to add directions for users
before. I'll then remove the jars... very soon...

Jacques


On 07/09/2016 at 13:09, Jacopo Cappellato wrote:

Jacques, any news from notsoserial?
If not, I think we can proceed by (temporarily) removing the jars until
they publish the jar.

Regards,

Jacopo

On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote:

Yes, that's what I proposed also. I will try that before the worse solution,
as Taher called them. Would you help?

Jacques



On 20/08/2016 at 08:32, Pierre Smits wrote:

Hi Jacques,

Why not try to convince the people behind notsoserial to have them push the
library to maven central and/or jpublish? Instead of this community doing
the work?

Best regards,


Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/
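As an added illustration of the point Taher makes earlier in this thread (not code from the thread or from the OFBiz build), here is a build.gradle fragment that keeps the notsoserial agent arguments only when the jar is actually present in the tree, so removing the jar cannot abort JVM startup while the -D settings stay harmless either way. The paths and file names are the ones quoted in the patch; the variable names are assumptions of this example.

```groovy
// Added example: conditional notsoserial agent wiring for build.gradle.
// Paths follow the removed lines in the patch; variable names are hypothetical.
def notsoserialDir = "${rootDir}/tools/security/notsoserial"
def notsoserialJar = file("${notsoserialDir}/notsoserial-1.0-SNAPSHOT.jar")

// Heap settings, always applied regardless of the agent.
def jvmArguments = ['-Xms128M', '-Xmx1024M']

if (notsoserialJar.exists()) {
    // Only when the agent jar is present: a -javaagent pointing at a missing
    // jar aborts JVM startup, whereas unread -D properties are simply ignored.
    jvmArguments += [
        "-javaagent:${notsoserialJar}",
        "-Dnotsoserial.whitelist=${notsoserialDir}/empty.txt",
        "-Dnotsoserial.dryrun=${notsoserialDir}/is-deserialized.txt",
        "-Dnotsoserial.trace=${notsoserialDir}/deserialize-trace.txt"
    ]
} else {
    // Make the loss of the deserialization guard visible in the build log
    // rather than letting it disappear silently.
    logger.warn("notsoserial agent jar not found at ${notsoserialJar}; " +
                "running without the deserialization whitelist")
}
```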
