Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[Havret]

Results of the activemq-nms-openwire 2.1.0-rc1 release vote.

The vote passes with 5 Binding Votes

Binding Votes:
Jeff Genender
Clebert Suconic
Chris Porebski
Arthur Naseef
Michael André Pearce

Non-Binding Votes:
Bruce Dodson

Thank you for all the contributions and everyone's time reviewing the
release candidate and voting.

I will proceed with publishing the release now.

Chris

On Tue, Mar 7, 2023 at 2:47 AM Clebert Suconic 
wrote:

> Is this still open ?   +1
> On Mon, Mar 6, 2023 at 5:22 PM Arthur Naseef  wrote:
>
> > +1
> >
> > I downloaded the sources and built on Windows 10.  Also reviewed the
> commit
> > that adds the deny and allow lists.
> >
> > Art
> >
> >
> > On Wed, Mar 1, 2023 at 8:12 AM  wrote:
> >
> > > +1
> > >
> > > Jeff
> > >
> > >
> > > > On Mar 1, 2023, at 4:02 AM, Michael André Pearce <
> > > michaelpea...@apache.org> wrote:
> > > >
> > > > Thanks Chris, much needed feature!
> > > >
> > > > +1 (binding)
> > > >
> > > > On 2023/02/26 11:09:15 Havret wrote:
> > > >> Hi all,
> > > >>
> > > >> I have put together another release of activemq-nms-openwire. Please
> > > review
> > > >> it and vote accordingly.
> > > >>
> > > >> This release includes an important new feature that allows users to
> > > specify
> > > >> an allow/deny list of types for binary serialization. This can help
> > > prevent
> > > >> potential security vulnerabilities.
> > > >>
> > > >> The feature is implemented in the same way as in qpid-jms, using a
> > > >> deserialization policy that controls which types can be trusted for
> > > >> deserialization from an incoming NMS IObjectMessage containing
> > > serialized
> > > >> .NET Object content. By default, all types are trusted during
> > > >> deserialization. However, the default Deserialization Policy object
> > > >> provides URI options for specifying an allow list and a deny list of
> > > .NET
> > > >> classes or namespaces.
> > > >>
> > > >> The following options are available:
> > > >>
> > > >> - nms.deserializationPolicy.allowList: A comma-separated list of
> > > >> classes/namespaces that are allowed during deserialization, unless
> > they
> > > are
> > > >> overridden by the deny list. Names in this list are not pattern
> > values;
> > > the
> > > >> exact class or namespace name must be configured (e.g.
> > > >> "System.Collections.Queue" or "System.Collections"). Namespace
> matches
> > > >> include sub-namespaces. The default is to allow all.
> > > >> - nms.deserializationPolicy.denyList: A comma-separated list of
> > > >> classes/namespaces that are rejected during deserialization. Names
> in
> > > this
> > > >> list are not pattern values; the exact class or namespace name must
> be
> > > >> configured (e.g. "System.Collections.Queue" or
> "System.Collections").
> > > >> Namespace matches include sub-namespaces. The default is to reject
> > none.
> > > >>
> > > >> This release contains the following change:
> > > >> *
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> > > >> <
> > >
> >
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> > > >*
> > > >>
> > > >> The files can be grabbed from:
> > > >>
> > >
> >
> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
> > > >>
> > > >> Regards,
> > > >> Chris
> > > >>
> > > >> Here's mine +1 (binding)
> > > >>
> > >
> > >
> >
> --
> Clebert Suconic
>

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[Michael André Pearce]

Thanks Chris, much needed feature!

+1 (binding) 

On 2023/02/26 11:09:15 Havret wrote:
> Hi all,
> 
> I have put together another release of activemq-nms-openwire. Please review
> it and vote accordingly.
> 
> This release includes an important new feature that allows users to specify
> an allow/deny list of types for binary serialization. This can help prevent
> potential security vulnerabilities.
> 
> The feature is implemented in the same way as in qpid-jms, using a
> deserialization policy that controls which types can be trusted for
> deserialization from an incoming NMS IObjectMessage containing serialized
> .NET Object content. By default, all types are trusted during
> deserialization. However, the default Deserialization Policy object
> provides URI options for specifying an allow list and a deny list of .NET
> classes or namespaces.
> 
> The following options are available:
> 
> - nms.deserializationPolicy.allowList: A comma-separated list of
> classes/namespaces that are allowed during deserialization, unless they are
> overridden by the deny list. Names in this list are not pattern values; the
> exact class or namespace name must be configured (e.g.
> "System.Collections.Queue" or "System.Collections"). Namespace matches
> include sub-namespaces. The default is to allow all.
> - nms.deserializationPolicy.denyList: A comma-separated list of
> classes/namespaces that are rejected during deserialization. Names in this
> list are not pattern values; the exact class or namespace name must be
> configured (e.g. "System.Collections.Queue" or "System.Collections").
> Namespace matches include sub-namespaces. The default is to reject none.
> 
> This release contains the following change:
> *https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> *
> 
> The files can be grabbed from:
> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
> 
> Regards,
> Chris
> 
> Here's mine +1 (binding)
> 

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[W B D]

+1 (non-binding)

Updated an existing application to use the release candidate and deployed
to a test environment. No regressions were noted. However, it does not use
IObjectMessage.

Also, built the project from the source archive on dist.apache.org.
However, I needed to add a reference to Apache.NMS.Test 1.8.0 to get the
test project to build. Also, I wasn't actually able to run most of the
tests, due to limitations of my environment (no local SQL Server).

The solution also contains a doc project, which was missing from the source
archive - perhaps this is intentional? I see it was the same for 2.0.1.

Regards,
Bruce Dodson

On Sun, Feb 26, 2023 at 3:09 AM Havret  wrote:

> Hi all,
>
> I have put together another release of activemq-nms-openwire. Please review
> it and vote accordingly.
>
> This release includes an important new feature that allows users to specify
> an allow/deny list of types for binary serialization. This can help prevent
> potential security vulnerabilities.
>
> The feature is implemented in the same way as in qpid-jms, using a
> deserialization policy that controls which types can be trusted for
> deserialization from an incoming NMS IObjectMessage containing serialized
> .NET Object content. By default, all types are trusted during
> deserialization. However, the default Deserialization Policy object
> provides URI options for specifying an allow list and a deny list of .NET
> classes or namespaces.
>
> The following options are available:
>
> - nms.deserializationPolicy.allowList: A comma-separated list of
> classes/namespaces that are allowed during deserialization, unless they are
> overridden by the deny list. Names in this list are not pattern values; the
> exact class or namespace name must be configured (e.g.
> "System.Collections.Queue" or "System.Collections"). Namespace matches
> include sub-namespaces. The default is to allow all.
> - nms.deserializationPolicy.denyList: A comma-separated list of
> classes/namespaces that are rejected during deserialization. Names in this
> list are not pattern values; the exact class or namespace name must be
> configured (e.g. "System.Collections.Queue" or "System.Collections").
> Namespace matches include sub-namespaces. The default is to reject none.
>
> This release contains the following change:
> *
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> <
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> >*
>
> The files can be grabbed from:
>
> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
>
> Regards,
> Chris
>
> Here's mine +1 (binding)
>

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[jgenender]

Yeah it actually should be on both.  private@ is where the vote actually 
counts.  dev@ is for keeping it public.

Jeff

> On Feb 27, 2023, at 8:10 AM, Bruce Snyder  wrote:
> 
> Whoops, now I see it's on both. My mistake.
> 
> Bruce
> 
> On Mon, Feb 27, 2023 at 8:09 AM Bruce Snyder  wrote:
> 
>> This vote should be moved to the dev@ list.
>> 
>> Bruce
>> 
>> On Sun, Feb 26, 2023 at 4:09 AM Havret  wrote:
>> 
>>> Hi all,
>>> 
>>> I have put together another release of activemq-nms-openwire. Please
>>> review
>>> it and vote accordingly.
>>> 
>>> This release includes an important new feature that allows users to
>>> specify
>>> an allow/deny list of types for binary serialization. This can help
>>> prevent
>>> potential security vulnerabilities.
>>> 
>>> The feature is implemented in the same way as in qpid-jms, using a
>>> deserialization policy that controls which types can be trusted for
>>> deserialization from an incoming NMS IObjectMessage containing serialized
>>> .NET Object content. By default, all types are trusted during
>>> deserialization. However, the default Deserialization Policy object
>>> provides URI options for specifying an allow list and a deny list of .NET
>>> classes or namespaces.
>>> 
>>> The following options are available:
>>> 
>>> - nms.deserializationPolicy.allowList: A comma-separated list of
>>> classes/namespaces that are allowed during deserialization, unless they
>>> are
>>> overridden by the deny list. Names in this list are not pattern values;
>>> the
>>> exact class or namespace name must be configured (e.g.
>>> "System.Collections.Queue" or "System.Collections"). Namespace matches
>>> include sub-namespaces. The default is to allow all.
>>> - nms.deserializationPolicy.denyList: A comma-separated list of
>>> classes/namespaces that are rejected during deserialization. Names in this
>>> list are not pattern values; the exact class or namespace name must be
>>> configured (e.g. "System.Collections.Queue" or "System.Collections").
>>> Namespace matches include sub-namespaces. The default is to reject none.
>>> 
>>> This release contains the following change:
>>> *
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
>>> <
>>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
 *
>>> 
>>> The files can be grabbed from:
>>> 
>>> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
>>> 
>>> Regards,
>>> Chris
>>> 
>>> Here's mine +1 (binding)
>>> 
>> 
>> 
>> --
>> perl -e 'print
>> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E> http://bsnyder.org/ 
>> 
> 
> 
> -- 
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E http://bsnyder.org/ 

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[Bruce Snyder]

Whoops, now I see it's on both. My mistake.

Bruce

On Mon, Feb 27, 2023 at 8:09 AM Bruce Snyder  wrote:

> This vote should be moved to the dev@ list.
>
> Bruce
>
> On Sun, Feb 26, 2023 at 4:09 AM Havret  wrote:
>
>> Hi all,
>>
>> I have put together another release of activemq-nms-openwire. Please
>> review
>> it and vote accordingly.
>>
>> This release includes an important new feature that allows users to
>> specify
>> an allow/deny list of types for binary serialization. This can help
>> prevent
>> potential security vulnerabilities.
>>
>> The feature is implemented in the same way as in qpid-jms, using a
>> deserialization policy that controls which types can be trusted for
>> deserialization from an incoming NMS IObjectMessage containing serialized
>> .NET Object content. By default, all types are trusted during
>> deserialization. However, the default Deserialization Policy object
>> provides URI options for specifying an allow list and a deny list of .NET
>> classes or namespaces.
>>
>> The following options are available:
>>
>> - nms.deserializationPolicy.allowList: A comma-separated list of
>> classes/namespaces that are allowed during deserialization, unless they
>> are
>> overridden by the deny list. Names in this list are not pattern values;
>> the
>> exact class or namespace name must be configured (e.g.
>> "System.Collections.Queue" or "System.Collections"). Namespace matches
>> include sub-namespaces. The default is to allow all.
>> - nms.deserializationPolicy.denyList: A comma-separated list of
>> classes/namespaces that are rejected during deserialization. Names in this
>> list are not pattern values; the exact class or namespace name must be
>> configured (e.g. "System.Collections.Queue" or "System.Collections").
>> Namespace matches include sub-namespaces. The default is to reject none.
>>
>> This release contains the following change:
>> *
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
>> <
>> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
>> >*
>>
>> The files can be grabbed from:
>>
>> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
>>
>> Regards,
>> Chris
>>
>> Here's mine +1 (binding)
>>
>
>
> --
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E http://bsnyder.org/ 
>


-- 
perl -e 'print
unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61Ehttp://bsnyder.org/ 

Re: [VOTE] Release activemq-nms-openwire 2.1.0-rc1

[Bruce Snyder]

This vote should be moved to the dev@ list.

Bruce

On Sun, Feb 26, 2023 at 4:09 AM Havret  wrote:

> Hi all,
>
> I have put together another release of activemq-nms-openwire. Please review
> it and vote accordingly.
>
> This release includes an important new feature that allows users to specify
> an allow/deny list of types for binary serialization. This can help prevent
> potential security vulnerabilities.
>
> The feature is implemented in the same way as in qpid-jms, using a
> deserialization policy that controls which types can be trusted for
> deserialization from an incoming NMS IObjectMessage containing serialized
> .NET Object content. By default, all types are trusted during
> deserialization. However, the default Deserialization Policy object
> provides URI options for specifying an allow list and a deny list of .NET
> classes or namespaces.
>
> The following options are available:
>
> - nms.deserializationPolicy.allowList: A comma-separated list of
> classes/namespaces that are allowed during deserialization, unless they are
> overridden by the deny list. Names in this list are not pattern values; the
> exact class or namespace name must be configured (e.g.
> "System.Collections.Queue" or "System.Collections"). Namespace matches
> include sub-namespaces. The default is to allow all.
> - nms.deserializationPolicy.denyList: A comma-separated list of
> classes/namespaces that are rejected during deserialization. Names in this
> list are not pattern values; the exact class or namespace name must be
> configured (e.g. "System.Collections.Queue" or "System.Collections").
> Namespace matches include sub-namespaces. The default is to reject none.
>
> This release contains the following change:
> *
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> <
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311201&version=12352935
> >*
>
> The files can be grabbed from:
>
> https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-openwire/2.1.0-rc1/
>
> Regards,
> Chris
>
> Here's mine +1 (binding)
>


-- 
perl -e 'print
unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61Ehttp://bsnyder.org/