Hey List, This morning (here in Shanghai) Tomcat sent off three low severity security email alerts and it got me thinking that the included .jar files could become stale and pose a potential security risk within the project.
Is there right now a way to track upgrades/security patches as they become available and get them committed back into the project? Or, to put it another way, is there a file in OFBiz which tracks all the included jars, a bit like the OPTIONAL_LIBRARIES file tells you where to get the jars we can't include? Or should someone subscribe the dev list to the security announcements where they are available?

Perhaps also, before the branch is created, we could have a checklist of actions needed, and checking/upgrading components could be one of them - at least then we know that the branch was secure at the time of creation?

Excuse me if that turned into a ramble, but I just woke up this morning with this on the brain!

Cheers
Sam
