Colm O hEigeartaigh wrote:
Here's an updated bugzilla triage for the forthcoming 1.4.3 release.
Most of the issues mentioned in my previous mail have been fixed. The
remaining issues are:

1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918

Some security concerns were raised about the supplied patch. It would be
nice to fix it I guess, but time's running out...

I'm not satisfied with the proposed patch as it contains a security hole. See http://java.sun.com/security/seccodeguide.html#6-0 for more information. It can allow untrusted code to control the xmlsec configuration by passing in the name of a configFile which will then be opened inside a doPrivileged block. I think we should hold off on this until I have more time to think about a better solution.

2. "==" versus "equals" problem.

As I mentioned in one of the comments I have a fix for the problem of
not being able to specify what ElementChecker implementation to use. The
problem is that there are many more pointer comparisons in the source
code, and I don't think there's any point half-fixing the problem. I
vote that we punt on this issue until after 1.4.3.

Ok with me.

3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239

There are two patches that need to be applied for this issue. Sean, can
you have a scan of the patch I supplied, particularly the copyright
information on top of the Apache License in the ResourceResolver
implementation (which was adapted from another patch for this issue). I
think it's ok, but I just want to confirm. If it's ok then I'll commit
the patches.

I'll take a look and get back to you.

4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459

I haven't really had time to look at this issue yet.

Nor have I. I will try to have a look later today.

--Sean
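The concern raised about the bug 44918 patch is the classic "tainted argument inside doPrivileged" pattern. The following is an added illustration, not the xmlsec code or the proposed patch: the class name, method names and default path are assumptions, but the weak shape and the two hardened shapes are the general pattern behind the objection.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

public final class ConfigLoading {

    // Assumed default location; a real library would ship a fixed, trusted resource.
    private static final String DEFAULT_CONFIG = "/resource/config.xml";

    // WEAK: the caller chooses the path, but the file is opened with the library's
    // permissions. Untrusted code that can only call this method can read any file
    // the library can read, and can point the library at its own configuration.
    static InputStream openConfigUnsafe(final String configFile) throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(configFile));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    // HARDENED (a): check the read permission in the CALLER's context first, so the
    // privileged block only ever opens a file the caller was already allowed to read.
    static InputStream openConfigChecked(final String configFile) throws IOException {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(configFile); // throws SecurityException if the caller may not read it
        }
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(configFile));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    // HARDENED (b): do not take a path from the caller at all; only the library's own
    // fixed configuration is ever opened with elevated privileges.
    static InputStream openDefaultConfig() throws IOException {
        try {
            return AccessController.doPrivileged(
                (PrivilegedExceptionAction<InputStream>) () -> new FileInputStream(DEFAULT_CONFIG));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }
}
```

The deciding question for review is whether any value computed from caller input reaches the privileged block without first being checked against the caller's own permissions; (b) is the simpler fix when the library does not genuinely need a caller-selectable configuration file.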
