Posted to dev@sling.apache.org by Robert Munteanu <ro...@apache.org> on 2022/05/20 11:43:49 UTC

[VOTE] Release Apache Sling XSS Protection API 2.2.20

Hi,

We solved 4 issues in this release:
https://issues.apache.org/jira/browse/SLING/fixforversion/12351228

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-2640/

You can use this UNIX script to download the release and verify the signatures:
https://gitbox.apache.org/repos/asf?p=sling-tooling-release.git;a=blob;f=check_staged_release.sh;hb=HEAD

Usage:
sh check_staged_release.sh 2640 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Regards,
Robert Munteanu

Re: [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Robert Munteanu <ro...@apache.org>.
Hi Eric,

On Fri, 2022-05-20 at 14:04 -0700, Eric Norman wrote:
> +1 for the functionality as I don't see anything broken
> 
> However, this isn't really a drop in replacement for the previous
> version
> since the SLING-11201 changes have introduced a new dependency on
> "org.apache.commons:commons-text:1.9" and that bundle is not
> currently in
> the starter distribution.  Others may be missing that bundle as
> well.  So
> there may be an additional step needed to add the commons-text bundle
> to
> your server before this version of the xss bundle can be resolved and
> used.  Perhaps that would warrant an increase to the minor version
> number
> and some migration instructions in the README or somewhere else?

I think this is a good point. We typically have not paid too much
attention to bundle versions and what they communicate to consumers.

I have also considered a minor version upgrade, but decided against it,
for the following reasons:

- commons-text is a relatively small requirement, and there will not be
a lot of work to add it to an existing deployment
- we will get a minor version bump 'soon' once we stop supporting
embedded stylesheets
- we will get another minor version bump once we switch away from
AntiSamy [1]

Therefore, I'd like to 'conserve' the minor version bumps for these
more significant occurrences.

I would like to release this version now in order to get more people
running it ASAP so they are warned of the policy change regarding
embedded stylesheets, which would allow us to make a decision regarding
retiring it sooner.

I hope that works for you.

Thanks,
Robert


[1]: https://issues.apache.org/jira/browse/SLING-7231



Re: [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Eric Norman <en...@apache.org>.
+1 for the functionality as I don't see anything broken

However, this isn't really a drop in replacement for the previous version
since the SLING-11201 changes have introduced a new dependency on
"org.apache.commons:commons-text:1.9" and that bundle is not currently in
the starter distribution.  Others may be missing that bundle as well.  So
there may be an additional step needed to add the commons-text bundle to
your server before this version of the xss bundle can be resolved and
used.  Perhaps that would warrant an increase to the minor version number
and some migration instructions in the README or somewhere else?

Regards,
-Eric



[RESULT] [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Robert Munteanu <ro...@apache.org>.
Hi,

The vote has passed with the following result:

+1 (binding): Carsten Ziegeler, Karl Pauls, Robert Munteanu
+1 (non-binding): none

I will copy this release to the Sling dist directory and
promote the artifacts to the central Maven repository.

Regards,
Robert Munteanu


Re: [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Karl Pauls <ka...@gmail.com>.
+1

regards,

Karl

On Friday, May 20, 2022, Carsten Ziegeler <cz...@apache.org> wrote:

> +1
>
> Carsten
>
> --
> Carsten Ziegeler
> Adobe
> cziegeler@apache.org
>


-- 
Karl Pauls
karlpauls@gmail.com

Re: [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Carsten Ziegeler <cz...@apache.org>.
+1

Carsten


-- 
Carsten Ziegeler
Adobe
cziegeler@apache.org

Re: [VOTE] Release Apache Sling XSS Protection API 2.2.20

Posted by Robert Munteanu <ro...@apache.org>.
On Fri, 2022-05-20 at 11:43 +0000, Robert Munteanu wrote:
> Please vote to approve this release:

+1
Robert