Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Luc Maisonobe
On 13/11/2015 00:31, Thomas Neidhart wrote: > Hi all, > > in order to provide a work-around for the known remote code exploit via > java de-serialization of malicious InvokerTransformer instances, I would > like to start a vote to release Commons Collections 3.2.2 based on RC3. > > Notes: >

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

2015-11-13 Thread Hank Grabowski
A more reasonable and measured article that appeared in JavaWorld: http://www.javaworld.com/article/3003197/security/library-misuse-exposes-leading-java-platforms-to-attack.html On Fri, Nov 13, 2015 at 8:19 AM, Donald Freeman wrote: > > I wanted to forward this

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Kristian Rosenvold
I'd think commons-io too. I have once again started moves to release the next version so if you're quick I can review & incorporate it. Remember testcases :) Kristian On 13 Nov 2015 at 18:00, "Bertrand Delacretaz" wrote: > Hi, > > I've just subscribed to this list after

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Bertrand Delacretaz
Hi Jörg, On Fri, Nov 13, 2015 at 6:22 PM, Jörg Schaible wrote: > ...Good enhancement. For commons-io?... Probably, I'm not familiar with the wide picture of Commons modules. > ...Would be good to have also an analogous ObjectOutputStream, just to avoid a > problem at

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Jörg Schaible
Hi Bertrand, Bertrand Delacretaz wrote: > Hi, > > I've just subscribed to this list after briefly discussing this with > Benedikt Ritter. > > I have written a small module [1] that provides a safer replacement > for ObjectInputStream, to avoid the recently discussed Java > deserialization

SafeObjectInputStream in Commons?

2015-11-13 Thread Bertrand Delacretaz
Hi, I've just subscribed to this list after briefly discussing this with Benedikt Ritter. I have written a small module [1] that provides a safer replacement for ObjectInputStream, to avoid the recently discussed Java deserialization issues. For now that module is in my Sling whiteboard but I'd

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Jörg Schaible
+1 Builds fine now with my compiler zoo. Thomas Neidhart wrote: > Hi all, > > in order to provide a work-around for the known remote code exploit via > java de-serialization of malicious InvokerTransformer instances, I would > like to start a vote to release Commons Collections 3.2.2 based on

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Bertrand Delacretaz
On Fri, Nov 13, 2015 at 6:26 PM, Kristian Rosenvold wrote: > ...if you're quick I can review & incorporate it. Remember > testcases :)... How quick? Weekend starts in half an hour here and I'll be busy with other things ;-) And if I miss that "quick" train, when's the

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Gary Gregory
+1 Tested with src zip. BUT: - The site Javadoc link is labeled "3.2.1" (fixed in https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X ) - The site history does not mentioned (fixed in svn) ASC OK, MD5 OK, SHA1 OK. Everyone's checking these, right? Reports

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Phil Steitz
Hey Bertrand, Welcome to Commons! Phil > On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz > wrote: > > Hi, > > I've just subscribed to this list after briefly discussing this with > Benedikt Ritter. > > I have written a small module [1] that provides a safer

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Gary Gregory
On Fri, Nov 13, 2015 at 11:53 AM, Phil Steitz wrote: > Hey Bertrand, > > Welcome to Commons! > +1 Gary > > Phil > > > On Nov 13, 2015, at 12:00 PM, Bertrand Delacretaz < > bdelacre...@apache.org> wrote: > > > > Hi, > > > > I've just subscribed to this list after

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Bertrand Delacretaz
On Fri, Nov 13, 2015 at 6:27 PM, Bertrand Delacretaz wrote: >... How quick? Weekend starts in half an hour here... Actually that was more than enough, here you go: https://issues.apache.org/jira/browse/IO-487 -Bertrand

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Gary Gregory
Sounds interesting! Gary On Nov 13, 2015 9:48 AM, "Bertrand Delacretaz" wrote: > On Fri, Nov 13, 2015 at 6:27 PM, Bertrand Delacretaz > wrote: > >... How quick? Weekend starts in half an hour here... > > Actually that was more than enough, here

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Thomas Neidhart
On 11/13/2015 08:26 PM, Gary Gregory wrote: > +1 > > Tested with src zip. > > BUT: > > - The site Javadoc link is labeled "3.2.1" (fixed in > https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X > ) > - The site history does not mentioned (fixed in svn) as I

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Gary Gregory
On Fri, Nov 13, 2015 at 12:12 PM, Luc Maisonobe wrote: > On 13/11/2015 20:26, Gary Gregory wrote: > > +1 > > > > Tested with src zip. > > > > BUT: > > > > - The site Javadoc link is labeled "3.2.1" (fixed in > > >

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Uwe Barthel
+2 :-) Kind regards, Uwe Barthel -- bart...@x-reizend.de > On 13 Nov 2015, at 18:22, Jörg Schaible wrote: > > Hi Bertrand, > > Bertrand Delacretaz wrote: > >> Hi, >> >> I've just subscribed to this list after briefly discussing this with >> Benedikt

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Stefan Bodewig
On 2015-11-13, Thomas Neidhart wrote: > Please review the release candidate and vote. +1 Stefan

[GitHub] commons-compress pull request:

2015-11-13 Thread PascalSchumacher
Github user PascalSchumacher commented on the pull request: https://github.com/apache/commons-compress/commit/1e592b52c54ff3186b5d11fe64021ab758db7234#commitcomment-14393072 In src/changes/changes.xml on line 50: "fpr" should be "for"

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC3

2015-11-13 Thread Luc Maisonobe
On 13/11/2015 20:26, Gary Gregory wrote: > +1 > > Tested with src zip. > > BUT: > > - The site Javadoc link is labeled "3.2.1" (fixed in > https://svn.apache.org/repos/asf/commons/proper/collections/branches/COLLECTIONS_3_2_X > ) > - The site history does not mentioned (fixed in svn) > >

Re: SafeObjectInputStream in Commons?

2015-11-13 Thread Bertrand Delacretaz
On Fri, Nov 13, 2015 at 8:53 PM, Phil Steitz wrote: > ...Welcome to Commons! Thanks! After so many years doing Java stuff at the ASF I finally found something meaningful to contribute here. -Bertrand

Re: [VOTE] Release Commons Collections 3.2.2 Based on RC2

2015-11-13 Thread Donald Freeman
I wanted to forward this on. I found this article this morning talking about the issue on itworld. http://www.itworld.com/article/3004632/thousands-of-java-applications-vulnerable-to-nine-month-old-remote-code-execution-exploit.html Thanks, Don Freeman On Thu, Nov 12, 2015 at 10:11 AM, Gary

Re: [math] Version mgt idea

2015-11-13 Thread Gilles
On Mon, 9 Nov 2015 10:34:43 -0600, Ole Ersoy wrote: If I'm interested in some functionality that is 'beta' then I first have to realize that it's 'beta'...Maybe just tag the branch beta. After that there's probably (Judging from the number of people communicating here) 1/2 people interested.