Colm O hEigeartaigh wrote:
Here's an updated bugzilla triage for the forthcoming 1.4.3 release.
Most of the issues mentioned in my previous mail have been fixed. The
remaining issues are:
1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918
Some security concerns were raised about the supplied patch. It would be
nice to fix it I guess, but time's running out...
I'm not satisfied with the proposed patch as it contains a security hole. See
http://java.sun.com/security/seccodeguide.html#6-0 for more information. It can
allow untrusted code to control the xmlsec configuration by passing in the name
of a configFile which will then be opened inside a doPrivileged block. I think
we should hold off on this until I have more time to think about a better solution.
2. "==" versus "equals" problem.
As I mentioned in one of the comments I have a fix for the problem of
not being able to specify what ElementChecker implementation to use. The
problem is that there are many more pointer comparisons in the source
code, and I don't think there's any point half-fixing the problem. I
vote that we punt on this issue until after 1.4.3.
Ok with me.
3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239
There are two patches that need to be applied for this issue. Sean, can
you have a scan of the patch I supplied, particularly the copyright
information on top of the Apache License in the ResourceResolver
implementation (which was adapted from another patch for this issue). I
think it's ok, but I just want to confirm. If it's ok then I'll commit
the patches.
I'll take a look and get back to you.
4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459
I haven't really had time to look at this issue yet.
Nor have I. I will try to have a look later today.
--Sean
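The doPrivileged concern raised under item 1, shown as an added illustration that is not xmlsec code and not the patch under discussion: a caller-chosen file name flowing into a privileged block, beside a shape where the privileged block reads only a fixed, library-owned resource. The class name, `DEFAULT_CONFIG` path and method names are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Illustrative only: not xmlsec code, and not the patch discussed in the thread.
public class ConfigLoader {

    // Problematic pattern: the caller chooses the file name, but the read runs with
    // the library's privileges, so a caller that lacks FilePermission for that path
    // can still have the file opened on its behalf (the hole described in the mail).
    static InputStream openConfigUnsafe(final String configFile) throws IOException {
        try {
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<InputStream>() {
                    public InputStream run() throws IOException {
                        // tainted path opened with elevated privileges
                        return new FileInputStream(configFile);
                    }
                });
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException();
        }
    }

    // Hardened shape: nothing caller-supplied reaches the privileged block; it only
    // ever reads a fixed resource that ships with the library. Placeholder path.
    private static final String DEFAULT_CONFIG = "/org/example/xmlsec-config.xml";

    static InputStream openDefaultConfig() {
        return AccessController.doPrivileged(new PrivilegedAction<InputStream>() {
            public InputStream run() {
                return ConfigLoader.class.getResourceAsStream(DEFAULT_CONFIG);
            }
        });
    }

    // A caller-supplied path is opened outside doPrivileged, so the caller's own
    // permissions are checked by the SecurityManager, which is the intended outcome.
    static InputStream openCallerConfig(String configFile) throws IOException {
        return new FileInputStream(configFile);
    }
}
```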