I think we can proceed in the following way:
1) remove the jar and the dependent Gradle code and move on with the
release branches and release publication workflow
2) continue the discussion about what, where, how we want to document about
notsoserial (e.g. a message in our download page would be enough)

An important aspect of the discussion at #2 would be to research how other
ASF projects, based on Java, are doing about it: we could get some
inspiration and ideas from them.

Jacopo

On Wed, Sep 7, 2016 at 10:37 PM, Jacques Le Roux <
[email protected]> wrote:

> OK, since we have no issues OOTB that can be done.
>
> But IMO documenting the whole thing in our notsoserial readme.txt is not
> enough. We need to make that more prominent. Not sure how yet...
>
> Jacques
>
>
>
> Le 07/09/2016 à 20:09, Taher Alkhateeb a écrit :
>
>> Scratch that, actually only the -D arguments are ignored, we must remove
>> the -javaagent argument because it's not a classpath argument and would
>> crash the VM
>>
>> But for consistency's sake, let's remove them all for now. So simply we
>> apply:
>>
>> Index: build.gradle
>> ===================================================================
>> --- build.gradle        (revision 1759596)
>> +++ build.gradle        (working copy)
>> @@ -31,11 +31,7 @@
>>   ext.os = System.getProperty('os.name').toLowerCase()
>>
>>   // java settings
>> -def jvmArguments = ['-Xms128M', '-Xmx1024M',
>> -
>> "-javaagent:${rootDir}/tools/security/notsoserial/notsoseria
>> l-1.0-SNAPSHOT.jar",
>> -
>> "-Dnotsoserial.whitelist=${rootDir}/tools/security/notsoseri
>> al/empty.txt",
>> -
>> "-Dnotsoserial.dryrun=${rootDir}/tools/security/notsoserial/
>> is-deserialized.txt",
>> -
>> "-Dnotsoserial.trace=${rootDir}/tools/security/notsoserial/
>> deserialize-trace.txt"]
>> +def jvmArguments = ['-Xms128M', '-Xmx1024M']
>>   ext.ofbizMainClass = 'org.apache.ofbiz.base.start.Start'
>>   javadoc.failOnError = false
>>   sourceCompatibility = '1.8'
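Review bot: the quoted hunk has been re-wrapped by the mail client (each `-` marker sits on its own line with the removed string on the next, and the agent jar name is split across `notsoseria` / `l-1.0-SNAPSHOT.jar`), so it will not apply with `patch` as pasted and should be re-taken from the working copy before commit. On substance, collapsing `jvmArguments` to `['-Xms128M', '-Xmx1024M']` drops not only the `-javaagent` entry but also the `notsoserial.whitelist`, `notsoserial.dryrun` and `notsoserial.trace` properties, so the deserialization whitelist and its audit trail are gone by default; the readme change discussed in this thread should list those four arguments so a deployer can restore them once the jar is available.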
>>
>> On Wed, Sep 7, 2016 at 9:04 PM, Jacques Le Roux <
>> [email protected]> wrote:
>>
>>> OK Cool, if the JVM arguments are simply ignored, then I will proceed with
>>> an addition in the readme and remove the jar, simple
>>>
>>> Jacques
>>>
>>>
>>>
>>> Le 07/09/2016 à 17:16, Jacopo Cappellato a écrit :
>>>
>>>> Thank you Jacques and Taher.
>>>>
>>>> So it seems we can move on and temporarily remove the jar.
>>>>
>>>> Jacopo
>>>>
>>>>
>>>> On Wed, Sep 7, 2016 at 5:11 PM, Taher Alkhateeb <
>>>> [email protected]>
>>>> wrote:
>>>>
>>>>> Hi Jacques,
>>>>>
>>>>> First of all the ofbizSecure task is gone instead everything calls the
>>>>> correct jvm arguments by default to fetch notsoserial.
>>>>>
>>>>> The work to remove notsoserial is almost nothing. You just need to remove a
>>>>> few
>>>>> jvm args and that's it. Even if you don't remove the jvm args nothing
>>>>> happens because it will just ignore it as missing from the classpath.
>>>>>
>>>>> Taher Alkhateeb
>>>>>
>>>>> On Sep 7, 2016 5:48 PM, "Jacques Le Roux" <
>>>>> [email protected]>
>>>>> wrote:
>>>>>
>>>>>> Huho, I was too fast on this. Currently the Gradle "ofbizSecure" tasks
>>>>>> depends on the notsoserial-1.0-SNAPSHOT.jar
>>>>>>
>>>>>> So this would need more work and w/o answers from them I suspect they
>>>>>> will not publish the jar.
>>>>>>
>>>>>> Now it's a serious security but not OOTB. So I see 2 possibilities.
>>>>>>
>>>>>> 1. Ask the ASF for a derogation (after all it's a Java issue not an
>>>>>> OFBiz
>>>>>> one)
>>>>>> 2. Do what I said before AND change the Gradle "ofbizSecure" tasks
>>>>>>
>>>>>> Opinions?
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>>
>>>>>> Le 07/09/2016 à 14:01, Jacques Le Roux a écrit :
>>>>>>
>>>>>>> Yes I see no problems with that. I just need to add directions for
>>>>>>> users before. I'll then remove the jars... very soon...
>>>>>>>
>>>>>>> Jacques
>>>>>>>
>>>>>>>
>>>>>>> Le 07/09/2016 à 13:09, Jacopo Cappellato a écrit :
>>>>>>>
>>>>>>>> Jacques, any news from notsoserial?
>>>>>>>
>>>>>>>> If not, I think we can proceed by (temporarily) removing the jars
>>>>>>>> until
>>>>>>>> they will publish the jar.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Jacopo
>>>>>>>>
>>>>>>>> On Sat, Aug 20, 2016 at 11:12 AM, Jacques Le Roux <
>>>>>>>> [email protected]> wrote:
>>>>>>>>
>>>>>>>>> Yes that's what I proposed also, I will try that before the worse
>>>>>>>>> solution as Taher called them, would you help?
>>>>>>>>>
>>>>>>>>> Jacques
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Le 20/08/2016 à 08:32, Pierre Smits a écrit :
>>>>>>>>>
>>>>>>>>>> Hi Jacques,
>>>>>>>>>>
>>>>>>>>>> Why not try to convince the people behind notsoserial to have them
>>>>>>>>>> push the library to maven central and/or jpublish? Instead of this
>>>>>>>>>> community doing the work?
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Pierre Smits
>>>>>>>>>>
>>>>>>>>>> ORRTIZ.COM <http://www.orrtiz.com>
>>>>>>>>>> OFBiz based solutions & services
>>>>>>>>>>
>>>>>>>>>> OFBiz Extensions Marketplace
>>>>>>>>>> http://oem.ofbizci.net/oci-2/
>>>>>>>>>>