Posted to dev@struts.apache.org by Stefaan Dutry <sd...@apache.org> on 2017/07/13 12:20:10 UTC

upgrade to struts 2.5.12 + commons-lang3

We are upgrading our projects at work to the newly released struts version 2.5.12.

We encountered a problem while upgrading one of our applications.
The problem was that the project defined a dependency on commons-lang3.
The struts AnnotationValidationInterceptor uses a method that was
added to commons-lang3 version 3.6 (MethodUtils.getAnnotation).

This was easily fixed by updating our own commons-lang3 version to 3.6.

I was wondering if there's a possibility to add to the version notes
for 2.5.12 that it requires a minimum version of commons-lang3 of 3.6.

This just to prevent others having to search for the same problem.

Regards,
Stefaan Dutry (sdutry)
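The failure mode described in the message above (an application pins commons-lang3 at a version older than the one struts2-core 2.5.12 pulls in transitively, so MethodUtils.getAnnotation is absent from the classpath and only shows up as a NoSuchMethodError at runtime) can be caught at build time. The pom.xml fragment below is an added example, not code from this thread or from the Struts project. It assumes the application had pinned commons-lang3 3.5 (the exact pinned version is not stated in the thread) and assumes maven-enforcer-plugin 3.4.1; the requireUpperBoundDeps rule makes Maven fail whenever a resolved version is lower than one a transitive dependency asked for.

```xml
<!-- Added example (not from the thread or the Struts project).
     Assumptions: the application pins commons-lang3 3.5 directly (assumed
     version); struts2-core 2.5.12 depends on commons-lang3 3.6 (WW-4809).
     Maven's "nearest wins" resolution keeps the direct 3.5 declaration, so
     the 3.6-only method MethodUtils.getAnnotation is missing at runtime. -->
<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.12</version>
    </dependency>
    <!-- Weak setting: an explicit pin that is older than what the framework
         now requires. Fix: bump to 3.6 or drop the pin and inherit it. -->
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.5</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Check: fail the build when any resolved dependency version is lower
           than a version requested transitively, instead of discovering the
           downgrade in production. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version>   <!-- assumed plugin version -->
        <executions>
          <execution>
            <id>enforce-upper-bound-deps</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <requireUpperBoundDeps/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With the 3.5 pin in place, `mvn validate` (the enforce goal binds to the validate phase by default) fails and prints the conflicting paths: the direct commons-lang3:3.5 declaration versus the commons-lang3:3.6 requested via struts2-core:2.5.12. Changing the pin to 3.6, or removing it so the transitive version wins, makes the rule pass. `mvn dependency:tree -Dverbose` shows the same conflict as an "omitted for conflict with" line if you want to inspect it by hand before adding the rule.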

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
A new issue type was defined
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311041&version=12341116

2017-07-27 11:25 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-07-27 11:10 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>> An alternative solution, that requires fewer changes, could be to add a
>> label to these issues.
>>
>> Issues can be filtered on a label in JIRA.
>>
>> for example:
>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade
>>
>> or with a fix version:
>> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade%20AND%20fixVersion%20%3D%202.5.12
>
> The case is that I'm using Release Notes generated by JIRA and they're
> grouped by Issue type; doing this manually can be error-prone
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311041&version=12341116
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-27 11:10 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
> An alternative solution, that requires fewer changes, could be to add a
> label to these issues.
>
> Issues can be filtered on a label in JIRA.
>
> for example:
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade
>
> or with a fix version:
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade%20AND%20fixVersion%20%3D%202.5.12

The case is that I'm using Release Notes generated by JIRA and they're
grouped by Issue type; doing this manually can be error-prone
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12311041&version=12341116


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Stefaan Dutry <sd...@apache.org>.
An alternative solution, that requires fewer changes, could be to add a
label to these issues.

Issues can be filtered on a label in JIRA.

for example:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade

or with a fix version:
https://issues.apache.org/jira/issues/?jql=project%20%3D%20WW%20AND%20labels%20%3D%20dependency-upgrade%20AND%20fixVersion%20%3D%202.5.12

Regards,

Stefaan Dutry (sdutry)

2017-07-17 8:10 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-07-14 9:43 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>>> Yes and this additional issue type should allow easily identifying such
>>> duplications when assembling the version notes - all the changes in
>>> dependencies will be listed in one place :)
>>
>> Great.
>>
>>
>> In short:
>> Seems good to me. Thx for considering this :-)
>
> Requested a new issue type
> https://issues.apache.org/jira/browse/INFRA-14589
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-14 9:43 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>> Yes and this additional issue type should allow easily identifying such
>> duplications when assembling the version notes - all the changes in
>> dependencies will be listed in one place :)
>
> Great.
>
>
> In short:
> Seems good to me. Thx for considering this :-)

Requested a new issue type
https://issues.apache.org/jira/browse/INFRA-14589


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Stefaan Dutry <sd...@apache.org>.
> To sum up: only the latest version of a dependency will be listed in
> the version notes

Great.

> but in this case (if the vulnerability can have large impact) we are
> preparing a fast track release (e.g. 2.5.10.1) - in this case the list
> of changes is none or very minimal

True, those changes were minimal.
* in this case, if S2-047 or S2-049 apply to you, you still need to upgrade
* when there's no large impact vulnerability, companies are not always
willing to allow the upgrade (mine doesn't due to budget + capacity),
meaning you have to upgrade a couple of versions at that time.

> I do not really grasp what you mean by that

All I meant was that when you need to do a quick upgrade for security
reasons, you want it done and running in production as quickly as
possible.
This was already countered with
* your previous answer concerning 2.5.10.1
* Usually the quick workarounds without upgrading, if they exist, also
get mentioned in the vulnerabilities

> Yes and this additional issue type should allow easily identifying such
> duplications when assembling the version notes - all the changes in
> dependencies will be listed in one place :)

Great.


In short:
Seems good to me. Thx for considering this :-)


Regards,

Stefaan Dutry (sdutry)


2017-07-14 9:14 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-07-14 9:04 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>> What happens when a dependency gets updated multiple times in a
>> release? Will it be listed multiple times (since it shows all issues
>> with that type)?
>
> It will allow me (or anybody else) to quickly figure out the duplication
> and I can just leave info about the latest version of the dependency;
> and remove the others as I did in announcement
> http://struts.apache.org/announce.html#a20170717
>
> To sum up: only the latest version of a dependency will be listed in
> the version notes
>
>> My reasoning was:
>> * When you need to do a quick upgrade due to a fixed vulnerability you
>> just want a quick checklist of the things that need to be
>> changed/checked
>
> but in this case (if the vulnerability can have large impact) we are
> preparing a fast track release (e.g. 2.5.10.1) - in this case the list
> of changes is none or very minimal
>
>> * At that time the developer doesn't really care for the other
>> improvements/upgrades (which are already listed now, and can be
>> checked by anyone interested)
>
> I do not really grasp what you mean by that
>
>> * When a dependency gets updated multiple times, the only version of
>> interest is the one used in the release.
>
> Yes and this additional issue type should allow easily identifying such
> duplications when assembling the version notes - all the changes in
> dependencies will be listed in one place :)
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-14 9:04 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
> What happens when a dependency gets updated multiple times in a
> release? Will it be listed multiple times (since it shows all issues
> with that type)?

It will allow me (or anybody else) to quickly figure out the duplication
and I can just leave info about the latest version of the dependency;
and remove the others as I did in announcement
http://struts.apache.org/announce.html#a20170717

To sum up: only the latest version of a dependency will be listed in
the version notes

> My reasoning was:
> * When you need to do a quick upgrade due to a fixed vulnerability you
> just want a quick checklist of the things that need to be
> changed/checked

but in this case (if the vulnerability can have large impact) we are
preparing a fast track release (e.g. 2.5.10.1) - in this case the list
of changes is none or very minimal

> * At that time the developer doesn't really care for the other
> improvements/upgrades (which are already listed now, and can be
> checked by anyone interested)

I do not really grasp what you mean by that

> * When a dependency gets updated multiple times, the only version of
> interest is the one used in the release.

Yes and this additional issue type should allow easily identifying such
duplications when assembling the version notes - all the changes in
dependencies will be listed in one place :)


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Stefaan Dutry <sd...@apache.org>.
Łukasz,

That will probably work.

What happens when a dependency gets updated multiple times in a
release? Will it be listed multiple times (since it shows all issues
with that type)?

My reasoning was:
* When you need to do a quick upgrade due to a fixed vulnerability you
just want a quick checklist of the things that need to be
changed/checked
* At that time the developer doesn't really care for the other
improvements/upgrades (which are already listed now, and can be
checked by anyone interested)
* When a dependency gets updated multiple times, the only version of
interest is the one used in the release.

Regards,
Stefaan Dutry (sdutry)

2017-07-14 8:20 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-07-13 21:28 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>> Łukasz,
>>
>> You are right, the issue mentioning the change to commons-lang3
>> version 3.6 is in the issue list.
>> This is also where we found what needed to be done.
>>
>> This is the list where we looked when something was wrong,
>> unfortunately for us, we spotted a different issue first:
>> * [WW-4748] - Upgrade commons-lang3 to 3.5
>>
>> The only idea i can come up with so far would be to add a miniature
>> upgrade guide section (from the previous version to this one).
>> Something as small as 2 bullet points, for example:
>>
>> Upgrade guide (2.5.10.1 -> 2.5.12)
>> * upgrade struts libraries to the new version (2.5.12)
>> * struts2 now requires at least commons-lang3 version 3.6 (transitive
>> dependency)
>>
>> Technically we should have just spotted it by listing the dependencies
>> of the project.
>> So, it's nothing important, it's just an idea.
>
> I see your point, maybe we should introduce a new type of Issue -
> "Dependency" which will clearly indicate that this changes a dependency
> of the framework and it will be listed in its own section on the
> Version Notes. wdyt?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-13 21:28 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
> Łukasz,
>
> You are right, the issue mentioning the change to commons-lang3
> version 3.6 is in the issue list.
> This is also where we found what needed to be done.
>
> This is the list where we looked when something was wrong,
> unfortunately for us, we spotted a different issue first:
> * [WW-4748] - Upgrade commons-lang3 to 3.5
>
> The only idea i can come up with so far would be to add a miniature
> upgrade guide section (from the previous version to this one).
> Something as small as 2 bullet points, for example:
>
> Upgrade guide (2.5.10.1 -> 2.5.12)
> * upgrade struts libraries to the new version (2.5.12)
> * struts2 now requires at least commons-lang3 version 3.6 (transitive
> dependency)
>
> Technically we should have just spotted it by listing the dependencies
> of the project.
> So, it's nothing important, it's just an idea.

I see your point, maybe we should introduce a new type of Issue -
"Dependency" which will clearly indicate that this changes a dependency
of the framework and it will be listed in its own section on the
Version Notes. wdyt?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Stefaan Dutry <sd...@apache.org>.
Łukasz,

You are right, the issue mentioning the change to commons-lang3
version 3.6 is in the issue list.
This is also where we found what needed to be done.

This is the list where we looked when something was wrong,
unfortunately for us, we spotted a different issue first:
* [WW-4748] - Upgrade commons-lang3 to 3.5

The only idea i can come up with so far would be to add a miniature
upgrade guide section (from the previous version to this one).
Something as small as 2 bullet points, for example:

Upgrade guide (2.5.10.1 -> 2.5.12)
* upgrade struts libraries to the new version (2.5.12)
* struts2 now requires at least commons-lang3 version 3.6 (transitive
dependency)

Technically we should have just spotted it by listing the dependencies
of the project.
So, it's nothing important, it's just an idea.

Regards,

Stefaan Dutry (sdutry)




2017-07-13 14:23 GMT+02:00 Lukasz Lenart <lu...@apache.org>:
> 2017-07-13 14:20 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
>> We are upgrading our projects at work to the newly released struts version 2.5.12.
>>
>> We encountered a problem while upgrading one of our applications.
>> The problem was that the project defined a dependency on commons-lang3.
>> The struts AnnotationValidationInterceptor uses a method that was
>> added to commons-lang3 version 3.6 (MethodUtils.getAnnotation).
>>
>> This was easily fixed by updating our own commons-lang3 version to 3.6.
>>
>> I was wondering if there's a possibility to add to the version notes
>> for 2.5.12 that it requires a minimum version of commons-lang3 of 3.6.
>>
>> This just to prevent others having to search for the same problem.
>
> There is such an entry
> https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12
> https://issues.apache.org/jira/browse/WW-4809
>
> or did you have something else in mind?
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/



Re: upgrade to struts 2.5.12 + commons-lang3

Posted by Lukasz Lenart <lu...@apache.org>.
2017-07-13 14:20 GMT+02:00 Stefaan Dutry <sd...@apache.org>:
> We are upgrading our projects at work to the newly released struts version 2.5.12.
>
> We encountered a problem while upgrading one of our applications.
> The problem was that the project defined a dependency on commons-lang3.
> The struts AnnotationValidationInterceptor uses a method that was
> added to commons-lang3 version 3.6 (MethodUtils.getAnnotation).
>
> This was easily fixed by updating our own commons-lang3 version to 3.6.
>
> I was wondering if there's a possibility to add to the version notes
> for 2.5.12 that it requires a minimum version of commons-lang3 of 3.6.
>
> This just to prevent others having to search for the same problem.

There is such an entry
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.12
https://issues.apache.org/jira/browse/WW-4809

or did you have something else in mind?


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
