Re: [VOTE] Release Apache Commons CLI 1.8.0 based on RC2
[ +1 ]
Site, Javadoc, reports look good.
Nit: site refers to version 1.7.0, so are the release notes and the JIRA report is not helpful.
Using:
  mvn clean install site
On:
  mvn -version
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.5", arch: "aarch64", family: "mac"
- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
Re: [VOTE] Release Apache Commons Compress 1.26.2 based on RC1
[ +1 ]
Site looks good, javadoc looks good, reports Ok (nit jacoco missing).
Tested using:
  mvn clean install site
On:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.5", arch: "aarch64", family: "Mac"
Re: [VOTE] Release Apache Commons IO 2.16.0 based on RC1
[+1] Release
Build ok, test ok, site looks ok, reports ok.
Built using:
  mvn -version
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.4", arch: "aarch64", family: "mac"
  hbiestro@D3CC9YTYXF-Henri-Biestro commons-io-2.16.0-RC1 %
Cheers
Henri
Re: [VOTE] Release Apache Commons Logging 1.3.1 based on RC2
[ +1 ]
build & tests ok;
- nits: site refers to 1.4.0, checkstyle warnings, no coverage report
Built with:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.4", arch: "aarch64", family: "mac"
Cheers
Henri
Re: [VOTE] Release Apache Commons Codec 1.16.1 based on RC1
[ +1 ] Release
Build ok, tests ok, site looks good, report looks good (great coverage btw), a japicmp report would be nice to have.
Built using:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.3", arch: "aarch64", family: "Mac"
On:
  23.3.0 Darwin Kernel Version 23.3.0: Wed Dec 20 21:30:44 PST 2023; root:xnu-10002.81.5~7/RELEASE_ARM64_T6000 arm64
Re: Fwd: [GH] (commons-jexl): Workflow run "Java CI" failed!
My bad, sorry. Next time I happen to break the build though, give me more than 3 minutes before you jump the gun! :-)
More seriously, I *always* check the actions after a commit and never let it in failure state more than necessary for a fix. And you can always ping me on Slack if you're worried.
Cheers
Henrib
On 2024/01/23 10:40:20 Gary Gregory wrote:
> Please see below and fix ;-)
>
> Gary
>
> -- Forwarded message -
> From: GitBox
> Date: Tue, Jan 23, 2024, 5:37 AM
> Subject: [GH] (commons-jexl): Workflow run "Java CI" failed!
> To:
>
> The GitHub Actions job "Java CI" on commons-jexl.git has failed.
> Run started by GitHub user asfgit (triggered by asfgit).
>
> Head commit for run:
> ca55aa8e9ad4265e4a764ac3c7eab8f057bd5e1c / henrib
> JEXL-398: re-allow dot-ed expression for map keys;
> - fix array/set/map builders to use extended flag;
> - re-allow [,...] as valid empty syntax;
>
> Report URL: https://github.com/apache/commons-jexl/actions/runs/7624431684
>
> With regards,
> GitHub Actions via GitBox
Re: [VOTE] Release Apache Commons BCEL 6.8.1 based on RC1
[ +1 ] Release
Checked with:
  mvn clean install site -s "$HOME/.m2/commons-settings.xml"
Tests, site, reports are ok (Coverage could use some love).
Built with:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.2.1", arch: "aarch64", family: "mac"
On:
  Darwin D3CC9YTYXF-Henri-Biestro 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:18 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T6000 arm64
Re: [VOTE] Release Apache Commons Email 1.6.0 based on RC1
[+1] Release
Running;
  mvn clean install site -s "$HOME/.m2/commons-settings.xml"
Build, test, site, Javadoc ok. On reports, it seems checkstyle is reporting odd/wrong warnings.
Using:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.2.1", arch: "aarch64", family: "Mac"
And:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "14.2.1", arch: "aarch64", family: "Mac"
On:
  23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:53:18 PST 2023; root:xnu-10002.61.3~2/RELEASE_ARM64_T6000 arm64
Re: [VOTE] Release Apache Commons BCEL 6.8.0 based on RC1
[ +1 ]
Built locally using:
  mvn -s "$HOME/.m2/commons-settings.xml" -P jacoco -P japicmp clean package site
On:
  Darwin henrib-MBP16 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:24 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T6000 arm64
With:
  OpenJDK Runtime Environment (Zulu 8.66.0.15-CA-macos-aarch64) (build 1.8.0_352-b08)
  OpenJDK 64-Bit Server VM (Zulu 8.66.0.15-CA-macos-aarch64) (build 25.352-b08, mixed mode)
Compile, tests and generates site.
Not precluding release but release notes are *not* 6.8.0 but still 6.7 and test coverage is a tad low (hopefully, it goes up with versions...).
Re: [VOTE] Release Apache Commons Validator 1.8.0 based on RC1
[ +1 ]
Built using:
  mvn -s "$HOME/.m2/commons-settings.xml" -P jacoco -P japicmp clean package site
On:
  Darwin henrib-MBP16 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct 9 21:27:24 PDT 2023; root:xnu-10002.41.9~6/RELEASE_ARM64_T6000 arm64
With:
  OpenJDK Runtime Environment (Zulu 8.66.0.15-CA-macos-aarch64) (build 1.8.0_352-b08)
Build, tests and site are ok.
Nothing to stop releasing but coverage is not great for some (one liner) methods; Javadoc could link to replacement instead of just stating their name; release-notes are crude.
Re: [JEXL] JexlFeatures exposes internal flag representation
Good to know, thanks for pointing this out. Reduced flags public exposure in JEXL per last commit.
Henrib
Re: [JEXL] intended thread safety of JexlFeatures and JexlPermissions
You are correct, the engine (and the parser) do use its own JexlFeatures copies (expressionFeatures/scriptFeatures members) that are never modified after creation. An equivalent rule applies for JexlOptions btw, copied for isolation for each evaluation.
Those classes, by themselves, even if they are not thread-safe, never cause a thread-safety threat since they are always private unmodified copies used during evaluation.
But this does not protect against the possibility of 'thread-adverse' reserved-wordset or namespace-predicate implementations used to construct the JexlFeature instances. IMHO, trying to protect against those potential mistakes would only restrict the possibilities of valid usages.
Henrib
Re: [JEXL] intended thread safety of JexlFeatures and JexlPermissions
JexlPermissions concrete classes are but since this is an interface, anyone could create a non-thread safe instance and use it. The same way a JexlFeatures could be corrupted by being constructed with a non-thread safe namespace predicate (making side-effects etc). And for JexlFeatures, using a concurrent set for reserved names (although a strange idea) could be a valid usage (counting the number of times a var name is declared for instance).
Back to your question, both of them are *expected* to be thread-safe if you want to use the same JexlEngine and JexlScript across threads. There is no way to ensure this and I suppose altering documentation would not ease your worry.
On 2023/10/20 16:26:30 sebb wrote:
> Are instances of the classes JexlFeatures and JexlPermissions intended
> to be thread-safe?
>
> I have seen mention that they can be shared between threads.
>
> However JexlFeatures does not appear to be thread-safe (has mutable
> fields which are not safely published). Not looked at JexlPermissions
> in detail.
>
> Sebb
Re: [VOTE] Release Apache Commons Net 3.10.0 based on RC1
Builds ok, tests ok, site ok: [+1]
Nitpick: no coverage report in site (using mvn site), Spotbugs report a tad verbose
  hbiestro@hbiestro-MBP16 commons-net-3.10.0-RC1 % uname -a
  Darwin hbiestro-MBP16 22.6.0 Darwin Kernel Version 22.6.0: Fri Sep 15 13:41:28 PDT 2023; root:xnu-8796.141.3.700.8~1/RELEASE_ARM64_T6000 arm64
  hbiestro@hbiestro-MBP16 commons-net-3.10.0-RC1 % mvn -v
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/hbiestro/Java/apache-maven-3.8.6
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.6", arch: "aarch64", family: "mac"
Re: [VOTE] Release Apache Commons JCS 3.2 based on rc1 (2nd round with fixed links)
[+1]
Build and tests ok.
Small things that could be addressed in the future; test coverage and check-style reports would be nice. Release notes could use some love, some old JIRA should be assigned a 'fixed version' so as not to appear in front.
Tested using jdk8:
  uname -a && mvn -version
  Darwin hbiestro-MBP16 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:05 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "Mac"
And jdk17:
  uname -a && mvn -version
  Darwin hbiestro-MBP16 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:05 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "Mac"
Cheers
Re: [VOTE] Release Apache Commons DbUtils 1.8.1 based on RC1
Vote [ +1 ]
Site builds correctly (jdk8), reports are ok.
Tidbits: some Checkstyle and Javadoc (jdk17) errors could be addressed
Check build using:
  mvn -s "$HOME/.m2/commons-settings.xml"
With:
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "mac"
  Darwin hbiestro-MBP16 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:05 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64
and
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "mac"
  Darwin hbiestro-MBP16 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:22:05 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T6000 arm64
Re: [VOTE] Release Apache Commons Compress 1.24.0 based on RC1
My [+1] vote.
After a long trial & error process, got it to compile and test (thanks Gary for the patience and help);
Tidbits on the release, a few warnings could be quiesced and the release notes seem short.
Tested using:
  mvn -s "$HOME/.m2/commons-settings.xml" -V clean package site
with:
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 17.0.8, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-17.jdk/Contents/Home
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "Mac"
and:
  Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
  Maven home: /Users/hbiestro/Java/apache-maven-3.9.4
  Java version: 1.8.0_352, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "13.5.1", arch: "aarch64", family: "Mac"
Tests go through, site builds, reports are clean.
Re: [VOTE] Release Apache Commons Compress 1.24.0 based on RC1
Some tests fail on a Mac (Darwin hbiestro-MBP16 22.5.0 Darwin Kernel Version 22.5.0: Thu Jun 8 22:22:20 PDT 2023; root:xnu-8796.121.3~7/RELEASE_ARM64_T6000 arm64) whether I try and run with jdk8 or jdk17:
OpenJDK Runtime Environment (Zulu 8.66.0.15-CA-macos-aarch64) (build 1.8.0_352-b08) or (OpenJDK Runtime Environment Zulu17.42+19-CA (build 17.0.7+7-LTS).
Error on Osgi related to Felix/Pax:
  [ERROR] Errors:
  [ERROR] OsgiITest.canLoadBundle » ArtifactResolution Error resolving artifact org.ops4j.pax.exam:pax-exam-inject:jar:4.13.5
  [ERROR] OsgiITest.properlyDetectsRunningInsideOsgiEnv » Unable to lock bundle cache: java.nio.channels.OverlappingFileLockException
Tried playing with versions of plugin to no avail...
Also noticed a few varargs warnings in tests source (like
  [WARNING] /Users/hbiestro/Java/apache-commons/compress/commons-compress-1.24.0-RC1/src/test/java/org/apache/commons/compress/utils/MultiReadOnlySeekableByteChannelTest.java:[229,98] non-varargs call of varargs method with inexact argument type for last parameter; cast to java.io.File for a varargs call)
And a very long test (intended or not?) at:
  [INFO] Running org.apache.commons.compress.archivers.sevenz.SevenZFileTest
  [INFO] Tests run: 40, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 22.89 s -- in org.apache.commons.compress.archivers.sevenz.SevenZFileTest
Re: [VOTE] Release Apache Commons DBCP 2.10.0 based on RC1
[ +1] Release these artifacts
Built on:
  22.5.0 Darwin Kernel Version 22.5.0: Thu Jun 8 22:22:20 PDT 2023; root:xnu-8796.121.3~7/RELEASE_ARM64_T6000 arm64
With:
  openjdk version "1.8.0_352"
  OpenJDK Runtime Environment (Zulu 8.66.0.15-CA-macos-aarch64) (build 1.8.0_352-b08)
  OpenJDK 64-Bit Server VM (Zulu 8.66.0.15-CA-macos-aarch64) (build 25.352-b08, mixed mode)
Running:
  mvn clean install; mvn site;
Build and tests ok, site is ok; no warnings of any kind in reports (japicmp, pmd, checkstyle, spotbugs).
Re: [JEXL] Detecting infinite loops in JEXL Scripts
Ho:
You should look at using JexlPermission which are probably easier and more powerful than the JexlSandbox to enforce application security.
For loops, since there is no obvious guaranteed way to ensure they finish, the possible route is to let scripts run in threads and cancel them if they run for too long. (see ScriptCallableTest#testFuture).
Cheers
On 2023/08/07 10:59:58 Aditya Kumar1 wrote:
> Hi,
>
> I am planning to use JEXL library in my SaaS based product to run
> JavaScripts/JexlScripts(I understand, Jexl is not exactly java script).
>
> Since, security is one of the most important requirements for any SaaS based
> product, I am going to use Jexl Sandbox and Jexl Features to secure my
> application. I see that in Jexl features, we have a way to turn off the loops
> but for my requirement, I need to enable loops in the scripts.
>
> Is there a way to detect infinite loops in case someone writes such an
> expression which turn into infinite loop during evaluation? Also, someone can
> also try to sabotage our application by running infinite loops. Is there a
> way to detect and avoid such a security issue?
>
> PS: I would really appreciate if you could let me know any other security
> aspects which I need to consider while using JEXL library.
>
> Thanks,
> Aditya
>
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com
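The route suggested in the reply above (run each script in a worker thread and cancel it once it exceeds a time budget), as an added example that is not part of the original message or of the JEXL code base. The class name `BoundedScriptRunner`, the pool size and the 200 ms budget are assumptions chosen for illustration; it assumes JEXL 3.3 on the classpath.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlContext;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlScript;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/** Hypothetical helper: evaluates untrusted JEXL scripts under a wall-clock budget. */
public final class BoundedScriptRunner implements AutoCloseable {
    private final JexlEngine jexl;
    private final ExecutorService pool;
    private final long budgetMillis;

    public BoundedScriptRunner(int threads, long budgetMillis) {
        this.budgetMillis = budgetMillis;
        this.jexl = new JexlBuilder()
                // Narrow default permission set introduced with JEXL 3.3.
                .permissions(JexlPermissions.RESTRICTED)
                .strict(true)
                // An interrupted evaluation raises JexlException.Cancel in the worker.
                .cancellable(true)
                .create();
        // Daemon workers: a script stuck in a non-interruptible Java call
        // cannot keep the JVM alive at shutdown.
        this.pool = Executors.newFixedThreadPool(threads, r -> {
            Thread t = new Thread(r, "jexl-script");
            t.setDaemon(true);
            return t;
        });
    }

    /**
     * Runs the script and returns its result, or throws TimeoutException after
     * cancelling the evaluation. Errors raised by the script arrive wrapped in
     * ExecutionException.
     */
    public Object run(String source, JexlContext context)
            throws TimeoutException, ExecutionException, InterruptedException {
        JexlScript script = jexl.createScript(source);
        Future<Object> future = pool.submit(script.callable(context));
        try {
            return future.get(budgetMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException timeout) {
            // cancel(true) interrupts the worker thread; the interpreter checks
            // the interrupt flag while looping and stops evaluating.
            future.cancel(true);
            throw timeout;
        }
    }

    @Override
    public void close() {
        pool.shutdownNow();
    }

    public static void main(String[] args) throws Exception {
        try (BoundedScriptRunner runner = new BoundedScriptRunner(2, 200L)) {
            // Constructed sample input: a terminating loop.
            JexlContext ctx = new MapContext();
            ctx.set("n", 10);
            Object sum = runner.run(
                    "var s = 0; var i = 1; while (i <= n) { s = s + i; i = i + 1; } s;", ctx);
            System.out.println("sum = " + sum);

            // Constructed sample input: a loop that never ends.
            try {
                runner.run("while(true);", new MapContext());
            } catch (TimeoutException expected) {
                System.out.println("script cancelled after exceeding its time budget");
            }
        }
    }
}
```

Cancellation relies on the interpreter noticing the interrupt, so it bounds loops written in the script itself; a namespace function that blocks in Java code without honouring interrupts needs its own timeout.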
Re: Exposing my own/wrapper functions using JEXL
Of course we do. It seems the landing page / detailed example is still not steering users towards the Javadoc which anyhow is not the best media to explain 'how to' (imho).
Transforming/extracting 'how to's from the unit tests could be the cheapest way to improve on this area. (As in: how do I integrate my own classes/packages? -or- how do I ensure scripts are readonly and don't modify data?).
On 2023/08/07 10:08:59 Gary Gregory wrote:
> Do we need better documentation on the site?
>
> Gary
>
> On Mon, Aug 7, 2023, 5:45 AM Henri Biestro wrote:
>
> > Hi;
> > JEXL 3.3. has increased default security by restricting permissions to a
> > very narrow set of allowed classes. In your case, you need to allow JEXL to
> > introspect your package by configuring your permissions. Have a look at
> > JexlPermissions javadoc for more explanations.
> > On JEXL 3.3, with Java 17, If your test class resides in the 'org.example'
> > package, the following code does run without errors.
> > ...
> > Map funcs = new HashMap();
> > funcs.put("math", new MyMath());
> > JexlPermissions permissions = JexlPermissions.parse("org.example.*");
> > JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
> > JexlContext jc = new MapContext();
> > jc.set("pi", Math.PI);
> > JexlExpression e = jexl.createExpression("math:cos(pi)");
> > Object result = e.evaluate(jc);
> > System.out.println("Result: " + result);
> > ...
> >
> > Cheers
> >
> > On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> > > Hi,
> > >
> > > I was trying to expose my own functions using JEXL library. I am trying the below example.
> > >
> > > public static class MyMath {
> > >     public double cos(final double x) {
> > >         return Math.cos(x);
> > >     }
> > > }
> > >
> > > public static void testCustomFunction2() {
> > >
> > >     try {
> > >         Map funcs = new HashMap();
> > >         funcs.put("math", new MyMath());
> > >         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
> > >         JexlContext jc = new MapContext();
> > >         jc.set("pi", Math.PI);
> > >         JexlExpression e = jexl.createExpression("math:cos(pi)");
> > >         Object result = e.evaluate(jc);
> > >         System.out.println("Result: " + result);
> > >     }
> > >     catch (JexlException e) {
> > >         Throwable original = e.getCause();
> > >         System.out.println(e.getMessage());
> > >         original.printStackTrace();
> > >         //do something with the original
> > >     }
> > > }
> > >
> > > which is given at below link:
> > > https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
> > >
> > > When I run the above code, I get below exception.
> > >
> > > org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> > > Exception in thread "main" java.lang.NullPointerException
> > >     at org.example.Main.testCustomFunction2(Main.java:100)
> > >     at org.example.Main.main(Main.java:33)
> > >
> > > Can someone, please help me with this? I think, this is a supported way
> > > to use custom functions or exposing my own/wrapper functions. I am using
> > > Java 11 to run the above example.
> > >
> > > Thanks,
> > > Aditya
> > >
> > > —
> > > Aditya Kumar1
> > > Technology Architect
> > > Precisely.com
Re: Exposing my own/wrapper functions using JEXL
Hi;
JEXL 3.3. has increased default security by restricting permissions to a very narrow set of allowed classes. In your case, you need to allow JEXL to introspect your package by configuring your permissions. Have a look at JexlPermissions javadoc for more explanations.
On JEXL 3.3, with Java 17, If your test class resides in the 'org.example' package, the following code does run without errors.
...
Map funcs = new HashMap();
funcs.put("math", new MyMath());
JexlPermissions permissions = JexlPermissions.parse("org.example.*");
JexlEngine jexl = new JexlBuilder().permissions(permissions).namespaces(funcs).create();
JexlContext jc = new MapContext();
jc.set("pi", Math.PI);
JexlExpression e = jexl.createExpression("math:cos(pi)");
Object result = e.evaluate(jc);
System.out.println("Result: " + result);
...
Cheers
On 2023/08/06 06:54:05 Aditya Kumar1 wrote:
> Hi,
>
> I was trying to expose my own functions using JEXL library. I am trying the
> below example.
>
> public static class MyMath {
>     public double cos(final double x) {
>         return Math.cos(x);
>     }
> }
>
> public static void testCustomFunction2() {
>
>     try {
>         Map funcs = new HashMap();
>         funcs.put("math", new MyMath());
>         JexlEngine jexl = new JexlBuilder().namespaces(funcs).create();
>         JexlContext jc = new MapContext();
>         jc.set("pi", Math.PI);
>         JexlExpression e = jexl.createExpression("math:cos(pi)");
>         Object result = e.evaluate(jc);
>         System.out.println("Result: " + result);
>     }
>     catch (JexlException e) {
>         Throwable original = e.getCause();
>         System.out.println(e.getMessage());
>         original.printStackTrace();
>         //do something with the original
>     }
> }
>
> which is given at below link:
> https://commons.apache.org/proper/commons-jexl/apidocs/org/apache/commons/jexl3/package-summary.html#usage
>
> When I run the above code, I get below exception.
>
> org.example.Main.testCustomFunction2:93@1:9 unsolvable function/method 'cos(Float)'
> Exception in thread "main" java.lang.NullPointerException
>     at org.example.Main.testCustomFunction2(Main.java:100)
>     at org.example.Main.main(Main.java:33)
>
> Can someone, please help me with this? I think, this is a supported way to
> use custom functions or exposing my own/wrapper functions. I am using Java 11
> to run the above example.
>
> Thanks,
> Aditya
>
> —
> Aditya Kumar1
> Technology Architect
> Precisely.com
Re: [JEXL] Full Java module descriptor support
Hello Andres;
Interesting idea. A PR using Moditect conditioned on jdk profile (so we can continue targeting java 8 without module info?) could be a first step to gauge feasibility.
Cheers,
Henrib
Re: [JEXL] Compatibility bug?
Done. :-)
Re: [JEXL] Compatibility bug?
Merged it.
Re: [JEXL] Compatibility bug?
Hi;
Default permissions have changed with JEXL 3.3 to help with application security. I created the PR that restores the tests ( https://github.com/apache/commons-scxml/pull/123 ).
Henri
Re: [VOTE] Release Apache Commons Configuration 2.9.0 based on RC1
+1
Checked src & bin signatures, site reports.
  Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
  Maven home: /Users/henri.biestro/Java/apache-maven-3.8.1
  Java version: 1.8.0_345, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_FR, platform encoding: UTF-8
  OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "Mac"
  Darwin l-hbiestro.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64
[ANNOUNCEMENT] Apache Commons JEXL 3.3
The Apache Commons JEXL team is happy to announce the release of version 3.3.
JEXL is a library intended to facilitate the implementation of dynamic and scripting features in applications and frameworks written in Java.
This is a feature and bug-fix release.
Site: https://commons.apache.org/proper/commons-jexl/
Changes: https://commons.apache.org/proper/commons-jexl/changes-report.html
Download it from: https://commons.apache.org/proper/commons-jexl/download_jexl.cgi
Henri Biestro, for the Apache Commons JEXL team
[VOTE][RESULT] Release Apache Commons JEXL 3.3 based on RC2
This VOTE passes with the following binding +1 votes:
- Bruno Kinoshita
- Gary Gregory
- Henri Biestro
Re: [VOTE] Release Apache Commons JEXL 3.3 based on RC2
Thanks Bruno :-)
JEXL still needs another vote.
Re: [VOTE] Release Apache Commons Compress 1.23.0 based on RC1
+1
Build from tag using:
  Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
  Maven home: /Users/henri/Java/apache-maven-3.8.6
  Java version: 1.8.0_362, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
  Default locale: en_US, platform encoding: UTF-8
  OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"
on:
  Darwin hornet.home 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 21 21:18:39 PDT 2022; root:xnu-6153.141.66~1/RELEASE_X86_64 x86_64
Cheers
Henrib
[VOTE] Release Apache Commons JEXL 3.3 based on RC2
t-report.html
KEYS: https://www.apache.org/dist/commons/KEYS
Please review the release candidate and vote.
This vote will close no sooner than 72 hours from now.
  [ ] +1 Release these artifacts
  [ ] +0 OK, but...
  [ ] -0 OK, but really should fix...
  [ ] -1 I oppose this release because...
Thank you,
Henri Biestro, Release Manager (using key 4E066E0459CD109B)
The following is intended as a helper and refresher for reviewers.
Validating a release candidate
==============================
These guidelines are NOT complete.
Requirements: Git, Java, Maven.
You can validate a release from a release candidate (RC) tag as follows.
1) Clone and checkout the RC tag
  git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.3-RC2 commons-jexl-3.3-RC2
  cd commons-jexl-3.3-RC2
2) Check Apache licenses
This step is not required if the site includes a RAT report page which you then must check.
  mvn apache-rat:check
3) Check binary compatibility
Older components still use Apache Clirr:
This step is not required if the site includes a Clirr report page which you then must check.
  mvn clirr:check
Newer components use JApiCmp with the japicmp Maven Profile:
This step is not required if the site includes a JApiCmp report page which you then must check.
  mvn install -DskipTests -P japicmp japicmp:cmp
4) Build the package
  mvn -V clean package
You can record the Maven and Java version produced by -V in your VOTE reply.
To gather OS information from a command line:
  Windows: ver
  Linux: uname -a
5) Build the site for a single module project
Note: Some plugins require the components to be installed instead of packaged.
  mvn site
Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html
6) Build the site for a multi-module project
  mvn site
  mvn site:stage
Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html
[CANCEL][VOTE] Release Apache Commons JEXL 3.3 based on RC1
Late tests reopened JEXL-393 and discovered a regression (JEXL-394). RC2 will be proposed momentarily. Sorry.
Re: [VOTE] Release Apache Commons JEXL 3.3 based on RC1
Unfortunately, more testing revealed a regression and a bug. RC1 fails, RC2 will be proposed momentarily.
Re: [VOTE] Release Apache Commons JEXL 3.3 based on RC1
Noted, sorry for the broken Clirr report link. Clirr has been replaced by Japicmp in JEXL.

Henri

On 2023/03/13 17:15:43 Gary Gregory wrote:
> Henri,
>
> The starred items in the template are meant to be edited by the RM. For
> example, you provide a link to a non-existent CLIRR report.
>
> Gary
>
> On Mon, Mar 13, 2023, 13:01 Henri Biestro (Apache) wrote:
>
> > We have fixed quite a few bugs and added some significant enhancements
> > since Apache Commons JEXL 3.2.1 was released, so I would like to release
> > Apache Commons JEXL 3.3.
> >
> > Apache Commons JEXL 3.3 RC1 is available for review here:
> > https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1 (svn
> > revision 60566)
> >
> > The Git tag commons-jexl-3.3-RC1 commit for this RC is
> > 2eeaad9ce500507130e882a3996b856b41c01785 which you can browse here:
> >
> > https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=2eeaad9ce500507130e882a3996b856b41c01785
> > You may checkout this tag using:
> > git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.3-RC1 commons-jexl-3.3-RC1
> >
> > Maven artifacts are here:
> >
> > https://repository.apache.org/content/repositories/orgapachecommons-1626/org/apache/commons/commons-jexl3/3.3/
> >
> > These are the artifacts and their hashes:
> >
> > #Release SHA-512s
> > #Mon Mar 13 16:50:50 CET 2023
> >
> > I have tested this with ***'mvn clean install site'*** using:
> >
> > Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
> > Maven home: /Users/henri.biestro/Java/apache-maven-3.8.1
> > Java version: 1.8.0_345, vendor: Azul Systems, Inc., runtime:
> > /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
> > Default locale: en_FR, platform encoding: UTF-8
> > OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"
> >
> > Darwin l-hbiestro.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30
> > 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64
> >
> > And
> >
> > Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
> > Maven home: /Users/henri/Java/apache-maven-3.8.6
> > Java version: 17.0.6, vendor: Azul Systems, Inc., runtime:
> > /Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
> > Default locale: en_US, platform encoding: UTF-8
> > OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"
> >
> > Darwin hornet.home 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 21 21:18:39
> > PDT 2022; root:xnu-6153.141.66~1/RELEASE_X86_64 x86_64
> >
> > Details of changes s
[VOTE] Release Apache Commons JEXL 3.3 based on RC1
We have fixed quite a few bugs and added some significant enhancements since Apache Commons JEXL 3.2.1 was released, so I would like to release Apache Commons JEXL 3.3.

Apache Commons JEXL 3.3 RC1 is available for review here:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1 (svn revision 60566)

The Git tag commons-jexl-3.3-RC1 commit for this RC is 2eeaad9ce500507130e882a3996b856b41c01785 which you can browse here:
https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=2eeaad9ce500507130e882a3996b856b41c01785
You may checkout this tag using:
git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.3-RC1 commons-jexl-3.3-RC1

Maven artifacts are here:
https://repository.apache.org/content/repositories/orgapachecommons-1626/org/apache/commons/commons-jexl3/3.3/

These are the artifacts and their hashes:

#Release SHA-512s
#Mon Mar 13 16:50:50 CET 2023

I have tested this with ***'mvn clean install site'*** using:

Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
Maven home: /Users/henri.biestro/Java/apache-maven-3.8.1
Java version: 1.8.0_345, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre
Default locale: en_FR, platform encoding: UTF-8
OS name: "mac os x", version: "13.2.1", arch: "aarch64", family: "mac"

Darwin l-hbiestro.home 22.3.0 Darwin Kernel Version 22.3.0: Mon Jan 30 20:38:37 PST 2023; root:xnu-8792.81.3~2/RELEASE_ARM64_T6000 arm64

And

Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /Users/henri/Java/apache-maven-3.8.6
Java version: 17.0.6, vendor: Azul Systems, Inc., runtime: /Library/Java/JavaVirtualMachines/zulu-17.jdk/Contents/Home
Default locale: en_US, platform encoding: UTF-8
OS name: "mac os x", version: "10.15.7", arch: "x86_64", family: "mac"

Darwin hornet.home 19.6.0 Darwin Kernel Version 19.6.0: Tue Jun 21 21:18:39 PDT 2022; root:xnu-6153.141.66~1/RELEASE_X86_64 x86_64

Details of changes since 3.2.1 are in the release notes:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/RELEASE-NOTES.txt
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/changes-report.html

Site:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/index.html
(note some *relative* links are broken and the 3.3 directories are not yet created - these will be OK once the site is deployed.)

*** CLIRR Report (compared to 3.2.1):
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/clirr-report.html

*** JApiCmp Report (compared to 3.2.1):
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/japicmp.html

RAT Report:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.3-RC1/site/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.
This vote will close no sooner than 72 hours from now.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thank you,

Henri Biestro,
Release Manager (using key 4E066E0459CD109B)

The following is i
[ JEXL ] Getting ready to release 3.3
Dear all; I intend on starting the release of JEXL 3.3 with a landing (ideally) in early March. If you've any feedback on features, bugs, etc., that may impact that release, please reach out now. Cheers
Re: JEXL Security
> You have to consider the software in the context it is intended to be
> used.

Thank you for clarifying and illustrating those notions. We are in agreement about JEXL intended usage and where the responsibility lies wrt security choices.

But even in its usage context, with authenticated users, whether you allow files to be created or read or processes to be created should carefully be pondered and reflect a functional necessity. Security guys will say that authenticated users can still have a nefarious intent so users should only be allowed to access and use what is required to perform their duties...

> If an application developer was daft enough to expose
> System.exec() functionality to untrusted users, it would be treated as
> an application vulnerability, not as a Java issue.

Considering how complex and complicated software can be, I know I've been daft (on occasion hopefully) by lack of knowledge. A more secure default would avoid the daft configuration error, the one where you don't even know you are making a bad choice because you don't know enough yet.

The goal is that we make it harder to ignore JEXL security configuration and if you do, we try and prevent the obvious security holes. With no explicit security configuration, as-is, 'System.exit()' is callable; surely, a better default should be proposed.

Henri
Re: JEXL Security
Let's restrict this discussion to the case of 'authenticated and authorised users' of an 'enterprise platform'.

When we talk about 'unsafe input' vs 'safe input', I'm still confused about what this actually entails. Let's assume we want those users to enter a (JEXL) expression to express their functional need (think of an enterprise spreadsheet of some kind with some built-in constraints). Is this considered an 'unsafe input' by essence? If so, we need to 'sanitise' it to ensure it is 'harmless' - that being a broad definition.

So, what does it mean to 'sanitise' such an input? You cannot do it by external means (external to JEXL); well, you could, but then there is almost no point in using JEXL since you'd already have done most of the hard work of syntactic and semantic checks.

Assuming then that the only practical way to control what a script can do is through JEXL itself; splitting the platform scripting feature using different classes/modules/jars still requires configuring these environments properly. And we cannot do this through JEXL jars since we can't know those environment constraints beforehand.

My proposal of enforcing a default configuration with a very narrow permeability is meant to ensure the platform developers at least realise they have to think about what they expose to whom. Isn't this the resolution strategy we used for the latest log4j2 and text CVEs - Avoid default configurations that are too permissive?

> The primary driver for my thinking is observation of projects that have
> tried to separate safe and unsafe functions via configuration and the
> steady stream CVEs raised against those projects as security researchers
> find ways to bypass the filtering. If there is a requirement to support
> unsafe input then I think a stronger separation is required.
>
> One solution would be different scripting engines for the two use cases
> (trusted and untrusted) but that is likely to result in duplicate code
> of some form - something else that I don't like.
>
> Not knowing JEXL at all, would it be possible to have a "safe" JAR that
> only provided features for untrusted input and an "extension" JAR you
> could add to enable all the "dangerous" features for use with trusted input?
>
> Mark
>
> >> This sort of functionality is only required if an application is passing
> >> untrusted / unsanitised input to JEXL. That seems an extremely dangerous
> >> thing to do to me. Do we have any indications that any real world users
> >> are doing this?
> >>
> >> If the project starts down the road of being "secure by default for
> >> untrusted input" then rather than the project avoiding future CVEs, it
> >> opens itself up to a long stream of future CVEs as researchers find ways
> >> to bypass the restrictions put in place.
> >>
> >> My recommended approach for projects like JEXL would be to clearly
> >> document that all input is expected to be trusted and then reject any
> >> vulnerability reports based on processing untrusted input.
> >>
> >> If there are users that need to process untrusted input then I'd suggest
> >> starting with asking how they are currently validating / sanitising that
> >> input.
> >>
> >> Mark
Re: JEXL Security
Fair points, thank you.

They seem to lead into the point of view that JEXL (or any scripting solution?) should not expose any feature that could be considered security-related avoiding the CVE potential turmoils altogether. Trusted sanitised input is expected and required so this is a moot discussion.

In the EPM field at least, there are real world users who would like to have ways to express a computation, a formula, a label, - anything from a one line expression, snippet to script - through the platform/application they use daily - rather than depend and wait for IT/consultants/software-vendors to implement it. I'm not saying it is reasonable or achievable but is desired. The latest low-code hype is probably fuelled by the same functional needs.

Anyhow, it seems reasonable - at least useful - to help control the danger of allowing 'scripting' in a platform. It seems we reduce little of that issue if our stance on security is 'the only scripts you should run are scripts that are trusted'. Even a 'trusted user' can have a nefarious intent...

A 'sanitised input' can only be enforced by configuring precisely the (JEXL) engine (JexlPermissions, JexlFeatures, JexlOptions). Even if we rightfully reject any CVE due to a poorly configured engine, we can probably avoid the obvious ones in the first place.

Whether security should be addressed by some features seems to be the underlying chasm... Interesting conundrum :-)

> This sort of functionality is only required if an application is passing
> untrusted / unsanitised input to JEXL. That seems an extremely dangerous
> thing to do to me. Do we have any indications that any real world users
> are doing this?
>
> If the project starts down the road of being "secure by default for
> untrusted input" then rather than the project avoiding future CVEs, it
> opens itself up to a long stream of future CVEs as researchers find ways
> to bypass the restrictions put in place.
>
> My recommended approach for projects like JEXL would be to clearly
> document that all input is expected to be trusted and then reject any
> vulnerability reports based on processing untrusted input.
>
> If there are users that need to process untrusted input then I'd suggest
> starting with asking how they are currently validating / sanitising that
> input.
>
> Mark
JEXL Security
Hello Commons;

JEXL-381 is an attempt at making JEXL's default more secure or at least less 'permeable' wrt the application/platform/JVM/file-system/host that runs it. Based on JexlPermissions - a crude security visibility manager -, this restricts the *default* behavior of what is visible to JEXL scripts to the basics (lang, math, text, collection,...). This does prevent a future crude test of some kind leading to a CVE stating that JEXL poses a security risk since it can create processes or read the whole file-system (cf JEXL-223).

I'd like opinions on this idea - assuming it is not a bad one - and how to best expose it. Although JEXL 3.3 is compatible with JEXL 3.2, the runtime behavior might break due to these new default security restrictions. The net-cost is that current users (people actually using JEXL for its intended purpose) will have to actively decide how much permeability they need if they want to upgrade to JEXL 3.3 and retain functionality. They will probably gain at least some insight about their platform/product security. Note that the basic mitigation - being as permeable as JEXL 3.2 - costs only a line of code.

Ideas on how to best warn/expose/explain this to users and any element pertaining to this subject are welcome. :-)

Thanks
Henrib
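The restricted default and the one-line opt-out described in the post above, as an added example that is not part of the original message or of the project's code. It assumes commons-jexl3 3.3 on the classpath and uses that release's `JexlPermissions.RESTRICTED` and `JexlPermissions.UNRESTRICTED` constants; the class name, helper names and the two sample scripts are constructed for illustration.

```java
import org.apache.commons.jexl3.JexlBuilder;
import org.apache.commons.jexl3.JexlEngine;
import org.apache.commons.jexl3.JexlException;
import org.apache.commons.jexl3.MapContext;
import org.apache.commons.jexl3.introspection.JexlPermissions;

/**
 * Added illustration (hypothetical class, not project code): the same two
 * scripts evaluated by a restricted engine and by an unrestricted one.
 */
public class JexlPermeabilityDemo {

    /** Constructed script that stays within java.lang, the "basics" the post keeps visible. */
    static final String BASIC = "'jexl'.toUpperCase().length()";

    /** Constructed script that reaches the file system through java.io.File. */
    static final String FILE_ACCESS = "var f = new('java.io.File', '.'); f.exists()";

    /**
     * Builds an engine with the given permissions. Strict and non-silent are
     * set explicitly so a denied call raises a JexlException instead of
     * quietly evaluating to null.
     */
    static JexlEngine engine(JexlPermissions permissions) {
        return new JexlBuilder()
                .permissions(permissions)
                .strict(true)
                .silent(false)
                .create();
    }

    /** Runs one script and reports whether introspection let it through. */
    static String run(JexlEngine jexl, String source) {
        try {
            Object result = jexl.createScript(source).execute(new MapContext());
            return "allowed, result=" + result;
        } catch (JexlException e) {
            // The class, constructor or method was not visible to the script.
            return "blocked (JexlException." + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        // Narrow permeability: what a platform should start from.
        JexlEngine restricted = engine(JexlPermissions.RESTRICTED);
        // Explicit opt-out: everything the JVM can reach is visible to scripts.
        // Assumption: this is one way to get back 3.2-style permeability.
        JexlEngine permeable = engine(JexlPermissions.UNRESTRICTED);

        String[] scripts = {BASIC, FILE_ACCESS};
        for (String script : scripts) {
            System.out.println(script);
            System.out.println("  RESTRICTED   : " + run(restricted, script));
            System.out.println("  UNRESTRICTED : " + run(permeable, script));
        }
    }
}
```

Running both engines over an application's existing scripts before an upgrade shows which of them rely on classes outside the restricted set, which is the decision the post asks platform developers to make explicitly.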
Re: [VOTE] Release Apache Commons CSV 1.9.0 based on RC1
[x] +1 Release these artifacts

Built from tag using:

mvn -V clean test install site
Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T21:00:29+02:00)
Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1
Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre
Default locale: en_FR, platform encoding: UTF-8
OS name: "mac os x", version: "10.16", arch: "x86_64", family: "Mac"

Browsed site, Javadoc and reports, looks ok.
Sorry for the delay (vacation :-))

On 2021/07/29 12:41:58, Gary Gregory wrote:
> May I please have at least one more PMC review?
>
> TY
> Gary
Re: Need help publishing main site
Hi Stefan;

You actually don't change the main site, just the component site if I'm not mistaken. I guess you found this; http://commons.apache.org/site-publish.html#Main_site . When everything is set correctly, the site-deploy target does everything for you, namely push the site to its svn repo.

Cheers
Henrib

ps: congratulations for releasing compress !

On 2021/07/13 04:35:17, Stefan Bodewig wrote:
> Hi
>
> I recall the CMS is no more but I haven't followed how to publish the
> site now. The docs still talk about the CMS.
>
> I have updated component_releases.properties and the DOAP file for
> compress but don't know how to apply the change to the deployed website.
>
> Stefan
Re: [DISCUSS] Release Compress 1.21 based on RC1
> > > On a Mac that used LDAP, user ids and groups are 'long': > > henri.biestro@L-HBIESTRO-1 commons-compress % id > > uid=1447288081(henri.biestro) gid=1024222515 > > Didn't know that. > Neither did I! > > Are there any tests that actually use the uid/gid of the current user? > Compress will not read them by itself, so the only place things could > fail was if we used native tar to create an archive. Is there such a > test? If so we could try to adapt the test in question. > Any test based on creating/reading a file from what I gather; we read the uid/gid from the file attributes (posix/unix). Another mitigation could be modifying failForBigNumbers to reset uid/gid (aka set to 0L or nobody's id?) instead of failing when they are problematic for the chosen TAR format. Henrib
Re: [VOTE] Release Compress 1.21 based on RC1
Side note whilst trying to validate RC1:

On a Mac that used LDAP, user ids and groups are 'long':

henri.biestro@L-HBIESTRO-1 commons-compress % id
uid=1447288081(henri.biestro) gid=1024222515

A lot of tar tests will fail in this (probably rare) situation since tar entries treat uid/gid need the bigNumberMode != BIGNUMBER_ERROR to handle these correctly. Should the bigNumberMode depend on the OS/user-id ?
Re: [VOTE] Release Apache Commons IO 2.11.0 based on RC1
Checked with:

henri.biestro@L-HBIESTRO commons-io % mvn -V clean install site
Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T21:00:29+02:00)
Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1
Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre
Default locale: en_FR, platform encoding: UTF-8
OS name: "mac os x", version: "10.16", arch: "x86_64", family: "Mac"

Site looks good; verified sha1 signature of jar, verified GGregory signed it.

[ +1 ] Release

Nitpicks:
- CircularByteBuffer could benefit from more tests, it sticks out in jacoco report.
- No PMD report ? :-)

On 2021/07/10 01:52:27, Gary Gregory wrote:
> We have fixed a few bugs and added some enhancements since Apache Commons
> IO 2.10.0 was released, so I would like to release Apache Commons IO 2.11.0.
>
> Apache Commons IO 2.11.0 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1 (svn
> revision 48762)
>
> The Git tag commons-io-2.11.0-RC1 commit for this RC is
> 8985de8fe74f6622a419b37a6eed0dbc484dc128 which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=8985de8fe74f6622a419b37a6eed0dbc484dc128
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-io.git --branch commons-io-2.11.0-RC1 commons-io-2.11.0-RC1
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1555/commons-io/commons-io/2.11.0/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Fri Jul 09 21:42:55 EDT 2021
>
> I have tested this with the default Maven goal 'mvn' and 'mvn -V
> -Duser.name=$my_apache_id
> -Dcommons.release-plugin.version=$commons_release_plugin_version -Prelease
> -Ptest-deploy -P jacoco -P japicmp clean package site deploy' using:
>
> Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d)
> Maven home: /usr/local/Cellar/maven/3.8.1/libexec
> Java version: 1.8.0_292, vendor: AdoptOpenJDK, runtime:
> /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac"
>
> Darwin gdg-mac-mini.local 20.5.0 Darwin Kernel Version 20.5.0: Sat May 8
> 05:10:33 PDT 2021; root:xnu-7195.121.3~9/RELEASE_X86_64 x86_64
>
> Details of changes since 2.10.0 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1/RELEASE-NOTES.txt
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1/site/changes-report.html
>
> Site:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1/site/index.html
> (note some *relative* links are broken and the 2.11.0 directories are
> not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 2.10.0):
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1/site/japicmp.html
>
> RAT Report:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.11.0-RC1/site/rat-report.html
>
> KEYS:
> https://www.apache.org/dist/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==
>
> These guidelines are NOT
[RESULT] Release Apache Commons JEXL 3.2.1
The following people voted on release Apache Commons JEXL 3.2.1:

Rob Tompkins +1
Bruno P. Kinoshita +1
Gary Gregory +1
Henri Biestro +1

Thanks!
Re: [VOTE] Release Apache Commons JEXL 3.2.1 based on RC1
japicmp, will do.
Thanks

On 2021/06/23 23:05:27, Rob Tompkins wrote:
> +1 builds and tests with 8 and 11
>
> signatures good
>
> reports all look reasonable
>
> (nit -> can we get japicmp implemented here?)
Re: [Pool] release candidste soon
Early pre-check looks fine on site and reports.
Cheers

On 2021/06/23 02:10:16, Gary Gregory wrote:
> Hi All,
>
> FYI, I plan on cutting a release candidate soon.
>
> Gary
Re: [VOTE] Release Apache Commons JEXL 3.2.1 based on RC1
I know 3.2 was just (barely) released but it had been a long time (and a long list of issues) so unfortunately, regressions crept in. Sorry to bug you all (pun unintended).

I guess the vote will fail for lack of voters - not because anyone has anything to object, just because no-one had the time to look at it. Do we have any (other) way to react to critical bugs besides releasing a 'service pack' version ?

My hopeful +1

Cheers

On 2021/06/18 10:48:37, Henri Biestro wrote:
>
> We have fixed 2 critical bugs and 1 enhancement since Apache Commons JEXL 3.2
> was released, so I would like to release Apache Commons JEXL 3.2.1.
>
> Apache Commons JEXL 3.2.1 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/jexl/3.2.1-RC1 (svn
> revision 48410)
>
> The Git tag commons-jexl-3.2.1-RC1 commit for this RC is
> 3118338f3848e825ff387629348eb9af3d551cea which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=3118338f3848e825ff387629348eb9af3d551cea
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.2.1-RC1 commons-jexl-3.2.1-RC1
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1553/org/apache/commons/commons-jexl3/3.2.1/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Fri Jun 18 11:20:54 CEST 2021
>
> (no need for .asc hashes!)
>
> I have tested this with ***'mvn clean install site'*** using:
> Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555;
> 2019-04-04T21:00:29+02:00)
> Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1
> Java version: 1.8.0_202, vendor: Oracle Corporation, runtime:
> /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre
> Default locale: en_FR, platform en
[VOTE] Release Apache Commons JEXL 3.2.1 based on RC1
dist/dev/commons/jexl/3.2.1-RC1/site/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.
This vote will close no sooner than 72 hours from now.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thank you,
Henri Biestro, Release Manager (using key 4E066E0459CD109B)

The following is intended as a helper and refresher for reviewers.

Validating a release candidate
==============================

These guidelines are NOT complete.

Requirements: Git, Java, Maven.

You can validate a release from a release candidate (RC) tag as follows.

1) Clone and checkout the RC tag

git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.2.1-RC1 commons-jexl-3.2.1-RC1
cd commons-jexl-3.2.1-RC1

2) Check Apache licenses

This step is not required if the site includes a RAT report page which you then must check.

mvn apache-rat:check

3) Check binary compatibility

Older components still use Apache Clirr:

This step is not required if the site includes a Clirr report page which you then must check.

mvn clirr:check

4) Build the package

mvn -V clean package

You can record the Maven and Java version produced by -V in your VOTE reply.
To gather OS information from a command line:
Windows: ver
Linux: uname -a

5) Build the site for a single module project

Note: Some plugins require the components to be installed instead of packaged.

mvn site

Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html

-the end-
Re: Welcome back Henri Biestro to the PMC
Thank you! Glad to be back. On 2021/06/13 15:44:22, Matt Sicker wrote: > Welcome back, Henri! Glad to see you again! > > On Sun, Jun 13, 2021 at 08:52 Gary Gregory wrote: > > > Let's welcome back Henri Biestro to the PMC. > > > > Gary > > >
Re: [VOTE] Release Apache Commons IO 2.10.0 based on RC1
Tried on a Windows machine, no pb. Retried on the Mac after nuking commons parent 51 from .m2 and everything went smoothly. Sorry for the scare. Checked on Java11 for good measure. :-) henri.biestro@L-HBIESTRO-4 commons-io % mvn -V clean install site Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T21:00:29+02:00) Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1 Java version: 11.0.1, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk-11.0.1.jdk/Contents/Home Default locale: en_FR, platform encoding: UTF-8 OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac" On 2021/06/13 11:31:28, Gary Gregory wrote: > Yeah, coincidentally, I had to delete my Maven cache this week to fix an > unrelated corrupted file and nuking the whole thing was simplest. > > Gary > > On Sun, Jun 13, 2021, 01:32 Henri Biestro wrote: > > > The parent POM is 52, no pb there; executing 'mvn site', the SpotBugs > > report target has a dependency on commons-text-1.9 complaining about > > commons-parent-51. Had to build one locally to overcome, download from repo > > seemed to be a 0 bytes artefact. First build of commons-io on that machine, > > probably something funky on my end (corrupted .m2?). > > Henrib > > > > On 2021/06/12 18:28:52, Gary Gregory wrote: > > > The parent POM version should be 52. Are you sure you are seeing 51? 
> > > > > > Gary > > > > > > > > > On Sat, Jun 12, 2021, 06:09 Henri Biestro wrote: > > > > > > > Using: mvn -V clean install site > > > > Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; > > > > 2019-04-04T21:00:29+02:00) > > > > Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1 > > > > Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: > > > > /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre > > > > Default locale: en_FR, platform encoding: UTF-8 > > > > OS name: "mac os x", version: "10.16", arch: "x86_64", family: "Mac" > > > > > > > > Checked the various site reports, all check OK. > > > > (As a side note, Maven had a hard time resolving a reference to > > > > commons-parent-51 for the SpotBugs report, may be a pb on my side). > > > > > > > > Checked the jar signature, OK. > > > > henri.biestro@L-HBIESTRO Downloads % gpg2 --verify > > > > commons-io-2.10.0.jar.asc > > > > gpg: assuming signed data in 'commons-io-2.10.0.jar' > > > > gpg: Signature made Thu Jun 10 14:43:36 2021 CEST > > > > gpg:using RSA key > > 2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB > > > > gpg: Good signature from "Gary David Gregory (Code signing key) < > > > > ggreg...@apache.org>" [unknown] > > > > gpg: WARNING: This key is not certified with a trusted signature! > > > > gpg: There is no indication that the signature belongs to the > > > > owner. > > > > Primary key fingerprint: 2DB4 F1EF 0FA7 61EC C4EA 935C 86FD C7E2 A112 > > 62CB > > > > > > > > Vote [+1] (pending my reintroduction as PMC member :-) ). > > > > > > > > Cheers! > > > > > > > > On 2021/06/10 13:01:54, Gary Gregory wrote: > > > > > We have fixed a few bugs and added some enhancements since Apache > > > > > Commons IO 2.9.0 was released, so I would like to release Apache > > > > > Commons IO 2.10.0. 
> > > > > > > > > > Apache Commons IO 2.10.0 RC1 is available for review here: > > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1 > > (svn > > > > > revision 48259) > > > > > > > > > > The Git tag commons-io-2.10.0-RC1 commit for this RC is > > > > > a73895fbefd57c23595a5e9e85f0649993c59080 which you can browse here: > > > > > > > > > > > https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=a73895fbefd57c23595a5e9e85f0649993c59080 > > > > > You may checkout this tag using: > > > > > git clone https://gitbox.apache.org/repos/asf/commons-io.git > > > > > --branch commons-io-2.10.0-RC1 commons-io-2.10.0-RC1 > > > > > > > > > > Maven artifacts are here: > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachecommons-1551/commons-io/commons-io/2.10.0/
Re: [VOTE] Release Apache Commons IO 2.10.0 based on RC1
The parent POM is 52, no pb there; executing 'mvn site', the SpotBugs report target has a dependency on commons-text-1.9 complaining about commons-parent-51. Had to build one locally to overcome, download from repo seemed to be a 0 bytes artefact. First build of commons-io on that machine, probably something funky on my end (corrupted .m2?). Henrib On 2021/06/12 18:28:52, Gary Gregory wrote: > The parent POM version should be 52. Are you sure you are seeing 51? > > Gary > > > On Sat, Jun 12, 2021, 06:09 Henri Biestro wrote: > > > Using: mvn -V clean install site > > Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; > > 2019-04-04T21:00:29+02:00) > > Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1 > > Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: > > /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre > > Default locale: en_FR, platform encoding: UTF-8 > > OS name: "mac os x", version: "10.16", arch: "x86_64", family: "Mac" > > > > Checked the various site reports, all check OK. > > (As a side note, Maven had a hard time resolving a reference to > > commons-parent-51 for the SpotBugs report, may be a pb on my side). > > > > Checked the jar signature, OK. > > henri.biestro@L-HBIESTRO Downloads % gpg2 --verify > > commons-io-2.10.0.jar.asc > > gpg: assuming signed data in 'commons-io-2.10.0.jar' > > gpg: Signature made Thu Jun 10 14:43:36 2021 CEST > > gpg:using RSA key 2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB > > gpg: Good signature from "Gary David Gregory (Code signing key) < > > ggreg...@apache.org>" [unknown] > > gpg: WARNING: This key is not certified with a trusted signature! > > gpg: There is no indication that the signature belongs to the > > owner. > > Primary key fingerprint: 2DB4 F1EF 0FA7 61EC C4EA 935C 86FD C7E2 A112 62CB > > > > Vote [+1] (pending my reintroduction as PMC member :-) ). > > > > Cheers! 
> > > > On 2021/06/10 13:01:54, Gary Gregory wrote: > > > We have fixed a few bugs and added some enhancements since Apache > > > Commons IO 2.9.0 was released, so I would like to release Apache > > > Commons IO 2.10.0. > > > > > > Apache Commons IO 2.10.0 RC1 is available for review here: > > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1 (svn > > > revision 48259) > > > > > > The Git tag commons-io-2.10.0-RC1 commit for this RC is > > > a73895fbefd57c23595a5e9e85f0649993c59080 which you can browse here: > > > > > https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=a73895fbefd57c23595a5e9e85f0649993c59080 > > > You may checkout this tag using: > > > git clone https://gitbox.apache.org/repos/asf/commons-io.git > > > --branch commons-io-2.10.0-RC1 commons-io-2.10.0-RC1 > > > > > > Maven artifacts are here: > > > > > https://repository.apache.org/content/repositories/orgapachecommons-1551/commons-io/commons-io/2.10.0/ > > > > > > These are the artifacts and their hashes: > > > > > > #Release SHA-512s > > > #Thu Jun 10 08:43:37 EDT 2021
Re: [VOTE] Release Apache Commons IO 2.10.0 based on RC1
Using: mvn -V clean install site Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; 2019-04-04T21:00:29+02:00) Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1 Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre Default locale: en_FR, platform encoding: UTF-8 OS name: "mac os x", version: "10.16", arch: "x86_64", family: "Mac" Checked the various site reports, all check OK. (As a side note, Maven had a hard time resolving a reference to commons-parent-51 for the SpotBugs report, may be a pb on my side). Checked the jar signature, OK. henri.biestro@L-HBIESTRO Downloads % gpg2 --verify commons-io-2.10.0.jar.asc gpg: assuming signed data in 'commons-io-2.10.0.jar' gpg: Signature made Thu Jun 10 14:43:36 2021 CEST gpg:using RSA key 2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB gpg: Good signature from "Gary David Gregory (Code signing key) " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2DB4 F1EF 0FA7 61EC C4EA 935C 86FD C7E2 A112 62CB Vote [+1] (pending my reintroduction as PMC member :-) ). Cheers! On 2021/06/10 13:01:54, Gary Gregory wrote: > We have fixed a few bugs and added some enhancements since Apache > Commons IO 2.9.0 was released, so I would like to release Apache > Commons IO 2.10.0. 
> > Apache Commons IO 2.10.0 RC1 is available for review here: > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1 (svn > revision 48259) > > The Git tag commons-io-2.10.0-RC1 commit for this RC is > a73895fbefd57c23595a5e9e85f0649993c59080 which you can browse here: > > https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=a73895fbefd57c23595a5e9e85f0649993c59080 > You may checkout this tag using: > git clone https://gitbox.apache.org/repos/asf/commons-io.git > --branch commons-io-2.10.0-RC1 commons-io-2.10.0-RC1 > > Maven artifacts are here: > > https://repository.apache.org/content/repositories/orgapachecommons-1551/commons-io/commons-io/2.10.0/ > > These are the artifacts and their hashes: > > #Release SHA-512s > #Thu Jun 10 08:43:37 EDT 2021 > > I have tested this with 'mvn -V -Prelease -Ptest-deploy -P jacoco -P > japicmp clean package site deploy' using: > > Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d) > Maven home: /usr/local/Cellar/maven/3.8.1/libexec > Java version: 1.8.0_292, vendor: AdoptOpenJDK, runtime: > /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre > Default locale: en_US, platform encoding: UTF-8 > OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac" > > Details of changes since 2.9.0 are in the release notes: > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1/RELEASE-NOTES.txt > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1/site/changes-report.html > > Site: > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1/site/index.html > (note some *relative* links are broken and the 2.10.0 directories > are not yet created - these will be OK once the site is deployed.) > > JApiCmp Report (compared to 2.9.0): > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1/site/japicmp.html > > RAT Report: > > https://dist.apache.org/repos/dist/dev/commons/io/2.10.0-RC1/site/rat-report.html > > KEYS: > https://www.apache.org/dist/commons/KEYS > > Please review the release candidate and vote. > This vote will close no sooner than 72 hours from now. > > [ ] +1 Release these artifacts > [ ] +0 OK, but... > [ ] -0
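The gpg output in the message above reports a good signature from a key that is "not certified with a trusted signature", so the check only means something once the fingerprint is compared with the one published in KEYS. As an added example (not part of the original message or of the Commons tooling), this POSIX shell sketch pins that comparison to gpg's machine-readable status lines; the function names are hypothetical and the sample status text is constructed around the fingerprint shown in the message.

```shell
#!/bin/sh
# Added example (not from the thread): accept a detached signature only when
# gpg's status output names the full fingerprint pinned from the KEYS file.

# normalize_fpr FPR -> uppercase hex without blanks. Fails unless FPR is a
# full fingerprint (40 hex chars, or 64 for v5 keys): short key ids are refused.
normalize_fpr() {
    nf=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    case $nf in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#nf}" -eq 40 ] || [ "${#nf}" -eq 64 ] || return 1
    printf '%s\n' "$nf"
}

# status_matches_pin STATUS_TEXT PINNED_FPR
# STATUS_TEXT is what `gpg --status-fd 1 --verify SIG FILE` prints.
# Returns 0 on a valid signature by the pinned key, 1 otherwise, 2 on a bad pin.
status_matches_pin() {
    pin=$(normalize_fpr "$2") || return 2
    # Any of these status keywords means the signature must not be relied on.
    if printf '%s\n' "$1" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    # VALIDSIG: field 3 is the signing (sub)key fingerprint; field 12, when
    # present, is the primary key fingerprint, which is what KEYS lists.
    got=$(printf '%s\n' "$1" |
        awk '$1=="[GNUPG:]" && $2=="VALIDSIG" { print (NF>=12 ? $12 : $3); exit }')
    [ -n "$got" ] && [ "$got" = "$pin" ]
}

# verify_detached SIG FILE PINNED_FPR: run gpg, then apply the check above.
verify_detached() {
    st=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    status_matches_pin "$st" "$3"
}

# Fingerprint as printed in the message; in practice copy it from KEYS.
PINNED_FPR='2DB4 F1EF 0FA7 61EC C4EA 935C 86FD C7E2 A112 62CB'

# Constructed status output for a signature made by that key.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 86FDC7E2A11262CB Gary David Gregory (Code signing key)
[GNUPG:] VALIDSIG 2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB 2021-06-10 1623329016 0 4 0 1 10 00 2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB
[GNUPG:] TRUST_UNDEFINED 0 pgp'

if status_matches_pin "$SAMPLE_STATUS" "$PINNED_FPR"; then
    echo "signature was made by the pinned key"
else
    echo "signature NOT accepted"
fi
```

With real files the call is `verify_detached commons-io-2.10.0.jar.asc commons-io-2.10.0.jar "$PINNED_FPR"`, which needs the signer's public key already imported from KEYS.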
Releasing JEXL woes
I've been fumbling a bit with the release process, especially the site part, I'm pretty sure I've missed a (few) steps somewhere since the site still refers to release 3.1 or to 3.2.1-snapshot here and there. I'm a bit lost about what the 'site' is :-) Is it the whole commons site or only the JEXL site ? The procedure described in http://commons.apache.org/site-publish.html is very confusing to me now... And the 'being in flux' warning or the yaml publishing mail make me even more confused. A quick look at the site, a little bit of guidance and advice would be really welcome. I don't want to announce the release if I've fubar-ed the whole thing... Thanks in advance.
[RESULT] Release Apache Commons JEXL 3.2
The following people voted on release JEXL 3.2: Gary +1 Matt +1 Henrib +1 Gary, Matt, thank you! On 2021/06/03 18:34:40, Henri Biestro wrote: > > We have fixed quite a few bugs and added some significant enhancements since > Apache Commons JEXL 3.1 was released, so I would like to release Apache > Commons JEXL 3.2. > > Apache Commons JEXL 3.2 RC1 is available for review here: > https://dist.apache.org/repos/dist/dev/commons/jexl/3.2-RC1 (svn revision > 48128) > > The Git tag commons-jexl-3.2-RC1 commit for this RC is > 3bbdc91d649a085564561a6e93ba9e052d841508 which you can browse here: > > https://gitbox.apache.org/repos/asf?p=commons-jexl.git;a=commit;h=3bbdc91d649a085564561a6e93ba9e052d841508 > You may checkout this tag using: > git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch > commons-jexl-3.2-RC1 commons-jexl-3.2-RC1 > > Maven artifacts are here: > > https://repository.apache.org/content/repositories/orgapachecommons-1550/org/apache/commons/commons-jexl3/3.2/ > > These are the artifacts and their hashes: > > #Release SHA-512s > #Thu Jun 03 20:13:49 CEST 2021 > > > (no need for .asc hashes!) > > I have tested this with 'mvn clean install site' using: > > Apache Maven 3.6.1 (d66c9c0b3152b2e69ee9bac180bb8fcc8e6af555; > 2019-04-04T21:00:29+02:00) > Maven home: /Users/henri.biestro/Java/apache-maven-3.6.1 > Java version: 1.8.0_202, vendor: Oracle Corporation, runtime: > /Library/Java/JavaVirtualMachines/jdk1.8.0_202.jdk/Contents/Home/jre > Default locale: en_FR, platform encoding: UTF-8 > OS name: "mac os x", version: "10.16", arch: "x86_64", family: "mac" > > Details of changes since 3.1 are in the release notes: > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.2-RC1/RELEASE-NOTES.txt > > https://dist.apache.org/repos/dist/dev/commons/jexl/3.2-RC1/site/
[VOTE] Release Apache Commons JEXL 3.2 based on RC1
jexl/3.2-RC1/site/japicmp.html

Note that Clirr reports several errors.
These are considered OK for the reasons stated below.
These exceptions are also noted in the Changes and Release Notes.

Errors reported:
- methods added to interface: OK because that does not affect binary compatibility.

RAT Report:
https://dist.apache.org/repos/dist/dev/commons/jexl/3.2-RC1/site/rat-report.html

KEYS:
https://www.apache.org/dist/commons/KEYS

Please review the release candidate and vote.
This vote will close no sooner than 72 hours from now.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thank you,
Henri Biestro, Release Manager (using key 4E066E0459CD109B)

The following is intended as a helper and refresher for reviewers.

Validating a release candidate
==============================

These guidelines are NOT complete.

Requirements: Git, Java, Maven.

You can validate a release from a release candidate (RC) tag as follows.

1) Clone and checkout the RC tag

git clone https://gitbox.apache.org/repos/asf/commons-jexl.git --branch commons-jexl-3.2-RC1 commons-jexl-3.2-RC1
cd commons-jexl-3.2-RC1

2) Check Apache licenses

This step is not required if the site includes a RAT report page which you then must check.

mvn apache-rat:check

3) Check binary compatibility

Older components still use Apache Clirr:

This step is not required if the site includes a Clirr report page which you then must check.

mvn clirr:check

Newer components use JApiCmp with the japicmp Maven Profile:

This step is not required if the site includes a JApiCmp report page which you then must check.

mvn install -DskipTests -P japicmp japicmp:cmp

4) Build the package

mvn -V clean package

You can record the Maven and Java version produced by -V in your VOTE reply.
To gather OS information from a command line:
Windows: ver
Linux: uname -a

5) Build the site for a single module project

Note: Some plugins require the components to be installed instead of packaged.

mvn site

Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html

6) Build the site for a multi-module project

mvn site
mvn site:stage

Check the site reports in:
- Windows: target\site\index.html
- Linux: target/site/index.html
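The vote e-mails in this thread publish a `#Release SHA-512s` listing of `artifact=digest` lines, while the validation steps above build from the tag and do not check downloaded files. As an added example (not part of the original message or of the Commons release tooling), this POSIX shell function checks a download directory against such a listing, including one pasted with mail quoting; the function names and the sample artifact are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check downloaded release-candidate
# files against a "#Release SHA-512s" listing copied out of a VOTE e-mail.

# Print the lowercase SHA-512 hex digest of file $1 with whichever tool exists.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1"
    else
        openssl dgst -sha512 -r "$1"
    fi | cut -d' ' -f1 | tr 'A-F' 'a-f'
}

# verify_listing LISTING DIR
# LISTING holds name=digest lines, optionally still prefixed with "> " quoting.
# Prints one status line per entry; returns 0 only if at least one artifact
# was checked and nothing was missing, malformed or mismatched.
verify_listing() {
    [ -r "$1" ] || return 2
    vl_dir=$2; vl_fail=0; vl_ok=0
    # Strip mail quoting, carriage returns and trailing blanks before parsing.
    vl_lines=$(tr -d '\r' < "$1" | sed -e 's/^[> ]*//' -e 's/[[:space:]]*$//')
    while IFS='=' read -r vl_name vl_want; do
        case $vl_name in
            ''|'#'*) continue ;;                 # blank line or comment
            *.asc)   echo "SKIP     $vl_name (signature file: check it with gpg --verify)"
                     continue ;;
            */*|.*|-*) echo "REJECT   $vl_name (unsafe file name)"
                     vl_fail=$((vl_fail + 1)); continue ;;
        esac
        vl_want=$(printf '%s' "$vl_want" | tr 'A-F' 'a-f')
        case $vl_want in
            *[!0-9a-f]*) vl_len=0 ;;
            *) vl_len=${#vl_want} ;;
        esac
        if [ "$vl_len" -ne 128 ]; then
            # A wrapped or truncated line must never count as a match.
            echo "BADLINE  $vl_name (digest is not 128 hex characters)"
            vl_fail=$((vl_fail + 1)); continue
        fi
        if [ ! -f "$vl_dir/$vl_name" ]; then
            echo "MISSING  $vl_name"; vl_fail=$((vl_fail + 1)); continue
        fi
        if [ "$(sha512_of "$vl_dir/$vl_name")" = "$vl_want" ]; then
            echo "OK       $vl_name"; vl_ok=$((vl_ok + 1))
        else
            echo "MISMATCH $vl_name"; vl_fail=$((vl_fail + 1))
        fi
    done <<EOF
$vl_lines
EOF
    [ "$vl_fail" -eq 0 ] && [ "$vl_ok" -gt 0 ]
}

# Self-contained run on a constructed artifact and a constructed listing.
demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed artifact bytes\n' > "$d/example-1.0-src.zip"
    good=$(sha512_of "$d/example-1.0-src.zip")
    {
        echo '> #Release SHA-512s'
        echo "> example-1.0-src.zip=$good"
        echo "> example-1.0-src.zip.asc=$good"
    } > "$d/listing.txt"
    verify_listing "$d/listing.txt" "$d"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh verify.sh LISTING DIR   (no arguments: run the constructed demo)
if [ "$#" -eq 2 ]; then verify_listing "$1" "$2"; else demo; fi
```

A matching digest only shows the file is the one the e-mail describes; the detached `.asc` signature still has to be verified against a key from KEYS.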
Re: [ JEXL ] Preparing release
Found the culprit; it seems 'site' plugin uses the report section to generate the javadoc whilst 'release' plugin uses the build section to do the same. Fixed the issue by adding the same javadoc plugin configuration in build section of the pom.xml. On 2021/01/05 17:05:32, Henri Biestro wrote: > Hello Team; Happy new year! > > I'm trying (again) to release JEXL 3.2 and I'm stuck at the 'Maven release > plugin' step in https://commons.apache.org/releases/prepare.html. > > Despite the fact a 'maven site' from IntelliJ does succeed, a 'mv > release:prepare -DtryRun' fails generating the Javadoc with a: > [INFO] [ERROR] Failed to execute goal > org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs) on > project commons-jexl3: MavenReportException: Error while generating Javadoc: > [INFO] [ERROR] Exit code: 1 - > /Users/henri.biestro/Java/Jexl/git/commons-jexl/src/main/java/org/apache/commons/jexl3/parser/SimpleNode.java:128: > warning: no description for @param > > The package is excluded in the configuration so I must be missing an obvious > step somewhere else to let maven do its magic properly. > Any help appreciated :-)
Re: [ JEXL ] Preparing release
Thanks John, IntelliJ is indeed rich in its options. I realise my question was badly phrased; my problem is really about 'mvn site' vs 'mvn release:prepare'. The former works executed from a shell or IntelliJ, the latter does not, failing on javadoc for a package that it should ignore. On 2021/01/05 21:23:26, John Patrick wrote: > What version of java is the command line maven using and what is > intellij using for; > 1. Settings -> "Build, Execution, Deployment" -> "Build Tools" -> > Maven -> Importing -> "JDK for importer" > 2. Settings -> "Build, Execution, Deployment" -> "Build Tools" -> > Maven -> Runner -> "JDK for importer" > 3. "Project Structure" -> Project -> "Project SDK" > > As when running maven tasks within IntelliJ, I can never remember > which of 1, 2 or 3 is used. > > 1 is used when importing and refreshing maven projects, so if you have > conditional profiles with activation based upon jvm, changing this > might be needed. > 2 i think is used when running tasks > 3 is used when writing code, validating code and also compiling code. > 3 i think is also used when running unit tests > > Not sure if that will show other issues or fix this issue, hopefully > it maybe highlight if different jvm's are being used when comparing > inside and outside intellij. > > John > > > On Tue, 5 Jan 2021 at 17:06, Henri Biestro wrote: > > > > Hello Team; Happy new year! > > > > I'm trying (again) to release JEXL 3.2 and I'm stuck at the 'Maven release > > plugin' step in https://commons.apache.org/releases/prepare.html. > > > > Despite the fact a 'maven site' from IntelliJ does succeed, a 'mv > > release:prepare -DtryRun' fails generating the Javadoc with a: > > [INFO] [ERROR] Failed to execute goal > > org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs) > > on project commons-jexl3: MavenReportException: Error while generating > > Javadoc: > > [INFO] [ERROR] Exit code: 1 - > > /Users/henri.biestro/Java/Jexl/git/commons-jexl/src/main/java/org/apache/commons/jexl3/parser/SimpleNode.java:128: > > warning: no description for @param > > > > The package is excluded in the configuration so I must be missing an > > obvious step somewhere else to let maven do its magic properly. > > Any help appreciated :-)
Re: [ JEXL ] Preparing release
I'm working from the command line following the steps outlined in the doc. I can not fix the Javadoc because these classes are generated by javacc, the whole package is intended to be ignored (excluded) and docLint is already off. 'mvn site' succeeds, 'mvn release:prepare -DtryRun' fails; it seems the release plugin is using a different configuration wrt javadoc generation. .. org.apache.maven.plugins maven-javadoc-plugin *.internal:*.parser public none .. I seek help, not diss. On 2021/01/05 19:00:57, Gary Gregory wrote: > You "should" fix the Javadoc warnings; -) or disable doclint. > > Gary > > > On Tue, Jan 5, 2021, 12:06 Henri Biestro wrote: > > > Hello Team; Happy new year! > > > > I'm trying (again) to release JEXL 3.2 and I'm stuck at the 'Maven release > > plugin' step in https://commons.apache.org/releases/prepare.html. > > > > Despite the fact a 'maven site' from IntelliJ does succeed, a 'mv > > release:prepare -DtryRun' fails generating the Javadoc with a: > > [INFO] [ERROR] Failed to execute goal > > org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs) > > on project commons-jexl3: MavenReportException: Error while generating > > Javadoc: > > [INFO] [ERROR] Exit code: 1 - > > /Users/henri.biestro/Java/Jexl/git/commons-jexl/src/main/java/org/apache/commons/jexl3/parser/SimpleNode.java:128: > > warning: no description for @param > > > > The package is excluded in the configuration so I must be missing an > > obvious step somewhere else to let maven do its magic properly. > > Any help appreciated :-)
[ JEXL ] Preparing release
Hello Team; Happy new year! I'm trying (again) to release JEXL 3.2 and I'm stuck at the 'Maven release plugin' step in https://commons.apache.org/releases/prepare.html. Despite the fact a 'maven site' from IntelliJ does succeed, a 'mv release:prepare -DtryRun' fails generating the Javadoc with a: [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-javadoc-plugin:3.2.0:jar (attach-javadocs) on project commons-jexl3: MavenReportException: Error while generating Javadoc: [INFO] [ERROR] Exit code: 1 - /Users/henri.biestro/Java/Jexl/git/commons-jexl/src/main/java/org/apache/commons/jexl3/parser/SimpleNode.java:128: warning: no description for @param The package is excluded in the configuration so I must be missing an obvious step somewhere else to let maven do its magic properly. Any help appreciated :-)
Re: [JEXL] Switching from Cobertura to Jacoco
I still don't get why I need to (re)configure so many plugins in JEXL's pom - any explanation is still welcome - but I managed to switch to Jacoco and Spotbugs. Fighting with maven is always a tad tedious and I still fear trying to release... Migrating to Java 8 code can now resume.
[JEXL] Switching from Cobertura to Jacoco
A recent commit in the code line (no pr btw) broke JEXL site's generation ability since Cobertura does not support Java 8 lambda constructs. I've thus been trying to switch to Jacoco as the coverage tool. I've removed the cobertura.profile, added the jacoco.profile in the conf dir, removed all Cobertura references from the pom.xml and ... nothing. The 'site' target does not produce any coverage report anymore. I've looked at other commons pom (vfs, collections, net), I've seen no explicit mention of Jacoco anywhere besides through the file. The only thing I get in the best case is the cryptic 'unable to read execution file'. Any hints to what I'm obviously overlooking ? Thanks
Re: Re: [doc] Release preparations
You are right, thanks for the catch. Might be more useful to mention how to import your Apache public and private key instead. Henrib
Re: Re: [doc] Release preparations
Made me search a while; not a git project, seems to be done through https://cms.apache.org/commons/ . Henrib
Re: Re: [doc] Release preparations
I’ll happily PR but which git project contains this file?
[doc] Release preparations
Just a nitpick for release-manager wannabes like myself about the pom.xml *releaseManagerKey*. Since my gpg knowledge was a bit rusty, I suppose others might have to seek the info too... Anyhow, around the 'update KEYS file if necessary', maybe we could add: If you haven't done so, execute 'gpg --import KEYS'. As a release-manager, you'll need your key id (the 64 bits version) that you may find with 'gpg --keyid-format LONG -k 0xDEADBEEF' where DEADBEEF is your short (32 bit) key id or 'gpg --list-signatures | grep ' . Cheers
Release JEXL 3.0 based on RC1
Dear all,

JEXL 3.0 is ready for review. The 2.1 attempt comments have been folded in; JEXL 3 being binary and source code incompatible with JEXL 2, the code has moved to the new o.a.c.jexl3 package. I've also moved some classes to the internal packages to make the public API clearer for the future. Here is a quick list of new features (from the release notes):

What's new in 3.0:
==================
* A more thorough arithmetic (JexlArithmetic) that allows fine control over decimals (scale and precision), a new syntax for numeric literals (OGNL inspired Big and Huge notations) and a better type handling keeping the most appropriate representation in casual operations.
* The introduction of script variables and parameters that reduce context dependencies and methods; this allows to perform checks after script creation (light static checking hints). Plus the ability to call script from scripts.
* A sandboxing feature to restrict and rename what JEXL can access from the environment allowing tighter control over security.
* Extensions to UnifiedJEXL that allow the creation of templates.

New features in 3.0:
* JEXL-114: Allow scripts to create local variables // Add return keyword
* JEXL-113: Add functions to extract which variables, parameters and local variables are used to evaluate a script
* JEXL-118: Provide an IN operator
* JEXL-115: Add support for asynchronous script execution and cancellation
* JEXL-116: Add control over classes, methods, constructors and properties allowed in scripts
* JEXL-120: Add simple template features
* JEXL-119: Allow indexed properties container resolution in expressions

Tested against Java 1.{5,6} / Maven{2,3}, Windows 7/Linux/Mac OS.

Tag: https://svn.apache.org/repos/asf/commons/proper/jexl/tags/COMMONS_JEXL_3_0/
Site: https://people.apache.org/~henrib/jexl-3.0
Binaries: https://repository.apache.org/content/repositories/orgapachecommons-267/

This vote will close in 72 hours, 08:00PM GMT, Dec 3rd.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Many thanks, Regards. Henrib
[CANCELLED] Release JEXL 3.0 based on RC1
I'm obviously unfit as RM. Sorry for the mess, feel free to remove any offending tag/branch/code. Regards. Henrib
[VOTE] Release JEXL 2.1 based on RC1
Dear all,

After a pretty long cycle, JEXL 2.1 is ready for review. Here is a quick list of new features (from the release notes):

What's new in 2.1:
==================
* A more thorough arithmetic (JexlArithmetic) that allows fine control over decimals (scale and precision), a new syntax for numeric literals (OGNL inspired Big and Huge notations) and a better type handling keeping the most appropriate representation in casual operations.
* The introduction of script variables and parameters that reduce context dependencies and methods; this allows to perform checks after script creation (light static checking hints). Plus the ability to call script from scripts.
* A sandboxing feature to restrict and rename what JEXL can access from the environment allowing tighter control over security.
* Extensions to UnifiedJEXL that allow the creation of templates.

New features in 2.1:
* JEXL-114: Allow scripts to create local variables // Add return keyword
* JEXL-113: Add functions to extract which variables, parameters and local variables are used to evaluate a script
* JEXL-118: Provide an IN operator
* JEXL-115: Add support for asynchronous script execution and cancellation
* JEXL-116: Add control over classes, methods, constructors and properties allowed in scripts
* JEXL-120: Add simple template features
* JEXL-119: Allow indexed properties container resolution in expressions

Tested against Java 1.{5,6} / Maven{2,3}, Windows 7/Linux/Mac OS.

Tag: https://svn.apache.org/repos/asf/commons/proper/jexl/tags/COMMONS_JEXL_2_1_RC1/
Site: https://people.apache.org/~henrib/jexl-2.1
Binaries: https://repository.apache.org/content/repositories/orgapachecommons-258/

This vote will close in 72 hours, 08:00PM GMT, Nov 30th.

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Many thanks, Regards. Henrib
[CANCELLED][VOTE] Release JEXL 2.1 based on RC1
Gary and Sebb pointed out that, per apache release rules, incompatible binaries require new package name (i.e. jexl3). My bad, sorry. Henrib
[ANNOUNCE] Apache Commons JEXL 2.0.1 released
The Apache Commons team is pleased to announce the release of version 2.0.1 of Commons JEXL.

JEXL is an Expression Language supporting most of the constructs in the JSTL Expression Language, along with some additional extensions. As a library, it is intended to facilitate the implementation of dynamic and scripting features in applications and frameworks.

Version 2.0.1 is a hotfix release correcting issues discovered in version 2.0.

Source and binary distributions are available for download from the Apache Commons JEXL download site: http://commons.apache.org/jexl/download_jexl.cgi

Please verify signatures using the KEYS file available at the above location when downloading the release.

For more information on Apache Commons JEXL, visit the JEXL home page: http://commons.apache.org/jexl/

Feedback, suggestions for improvement or bug reports are welcome via the Mailing Lists and Issue Tracking links here: http://commons.apache.org/jexl/project-info.html

Henri Biestro - On behalf of the Apache Commons community