[jira] [Commented] (ZOOKEEPER-2360) Update commons collections version used by tests/releaseaudit

Thu, 04 Feb 2016 14:54:12 -0800 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2360?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15133223#comment-15133223
 ] 

Chris Nauroth commented on ZOOKEEPER-2360:
------------------------------------------

[~rgs], there has been a push across Apache projects to upgrade the 
commons-collections dependency.  It's a simple change, so I'd like to go ahead 
and put it into 3.4.8.  I'll plan on committing in an hour unless I hear 
objections.  Thanks!

> Update commons collections version used by tests/releaseaudit
> -------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2360
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2360
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: build
>    Affects Versions: 3.4.7, 3.5.1
>            Reporter: Patrick Hunt
>            Assignee: Patrick Hunt
>            Priority: Blocker
>             Fix For: 3.4.8, 3.5.2
>
>         Attachments: ZOOKEEPER-2360-branch34.patch, ZOOKEEPER-2360.patch, 
> ZOOKEEPER-2360.patch
>
>
> I don't believe this affects us from a security perspective directly, however 
> it's something we should clean up in our next release.
> Afaict the only commons we use for shipping/production code is commons-cli. 
> Our two release branches, 3.4 and 3.5, neither of them use 
> commons-collections. I looked at the binary release artifact and it doesn't 
> include the commons collections jar.
> We do have a test that uses CollectionsUtils, but no shipping code. I 
> downloaded our 3.4 and 3.5 artifacts, this is all I see:
> phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$ grep -R 
> "org.apache.commons.collections" .
> ./src/java/test/org/apache/zookeeper/RemoveWatchesTest.java:import 
> org.apache.commons.collections.CollectionUtils;
> phunt:~/Downloads/zd/5/zookeeper-3.5.1-alpha$
> Also in our ivy file we have
>     <dependency org="org.apache.rat" name="apache-rat-tasks"
>                 rev="0.10" conf="releaseaudit->default"/>
>     <dependency org="commons-lang" name="commons-lang"
>                 rev="2.6" conf="releaseaudit->default"/>
>     <dependency org="commons-collections" name="commons-collections"
>                 rev="3.2.1" conf="releaseaudit->default"/>
> So commons-collections is pulled in - but only for the release audit, which 
> is something we do as a build verification activity but not part of the 
> product itself.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to