Here's an updated bugzilla triage for the forthcoming 1.4.3 release. Most of the issues mentioned in my previous mail have been fixed. The remaining issues are:
1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918

   Some security concerns were raised about the supplied patch. It would be nice to fix it I guess, but time's running out...

2. "==" versus "equals" problem.

   As I mentioned in one of the comments I have a fix for the problem of not being able to specify what ElementChecker implementation to use. The problem is that there are many more pointer comparisons in the source code, and I don't think there's any point half-fixing the problem. I vote that we punt on this issue until after 1.4.3.

3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239

   There are two patches that need to be applied for this issue. Sean, can you have a scan of the patch I supplied, particularly the copyright information on top of the Apache License in the ResourceResolver implementation (which was adapted from another patch for this issue)? I think it's ok, but I just want to confirm. If it's ok then I'll commit the patches.

4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459

   I haven't really had time to look at this issue yet. Any thoughts?

Colm.

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@progress.com]
Sent: 18 June 2009 11:51
To: security-dev@xml.apache.org
Subject: 1.4.3 bugzilla triage

Hi,

Here's a bugzilla triage as promised for 1.4.3. There are 25 open bugs against the Java component of XML-Security. I've submitted patches for the following:

https://issues.apache.org/bugzilla/show_bug.cgi?id=47265
https://issues.apache.org/bugzilla/show_bug.cgi?id=47260
https://issues.apache.org/bugzilla/show_bug.cgi?id=47029
https://issues.apache.org/bugzilla/show_bug.cgi?id=45388
https://issues.apache.org/bugzilla/show_bug.cgi?id=42986
https://issues.apache.org/bugzilla/show_bug.cgi?id=44335

Once Sean's set up my commit rights I'll commit the more trivial of these fixes, and leave the other ones for review by the community before applying them.

These issues all relate to the "==" versus "equals" problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=46681
https://issues.apache.org/bugzilla/show_bug.cgi?id=45637
https://issues.apache.org/bugzilla/show_bug.cgi?id=44874
https://issues.apache.org/bugzilla/show_bug.cgi?id=40897

I want to do some profiling of this over the next while. I think the best way of tackling it though is to add a system property which will enable using "equals".

The following seem to me to be reasonable candidates for fixing in 1.4.3:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45744
https://issues.apache.org/bugzilla/show_bug.cgi?id=44991
https://issues.apache.org/bugzilla/show_bug.cgi?id=44918

I think the following could make it in as well, but I'm not sure:

https://issues.apache.org/bugzilla/show_bug.cgi?id=42239

Is there any other issue anyone wants fixed for 1.4.3?

Colm.