You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2021/10/03 08:11:57 UTC

Re: New Struts 2.5.x release

I'm ready to prepare a test build for 2.5.27, here is the list of changes:
https://issues.apache.org/jira/projects/WW/versions/12349611

Let me know if something is missing.


Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

pon., 20 wrz 2021 o 16:13 info@flyingfischer.ch
<in...@flyingfischer.ch> napisał(a):
>
> +1
>
> Am 20.09.21 um 15:59 schrieb Dave Newton:
> > +1
> >
> >
> > On Mon, Sep 20, 2021 at 1:25 AM Lukasz Lenart <lu...@apache.org>
> > wrote:
> >
> >> Hi,
> >>
> >> I would like to release the last 2.5.x version and focus on Struts
> >> 2.6. All the PRs that are targeting Struts 2.5.x should be re-targeted
> >> to Struts 2.6 (the master branch) and we should only accept security
> >> fixes to 2.5 branch.
> >>
> >> Any objections?
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> >> For additional commands, e-mail: dev-help@struts.apache.org
> >>
> >> --
> > em: davelnewton@gmail.com
> > mo: 908-380-8699
> > gh: davelnewton <https://github.com/davelnewton>
> > so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
> > bl: Maker's End Blog <https://blog.makersend.com>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

Re: New Struts 2.5.x release

Posted by Lukasz Lenart <lu...@apache.org>.

sob., 9 paź 2021 o 07:10 James Chaplin <jc...@apache.org> napisał(a):
>
> Hi Łukasz.
>
> Thanks for putting the list together for 2.5.27 changes.  Beyond what has already been discussed in other replies, the only other potential for 2.5.27 that I noticed was WW 5129 / PR 495.
>
> It looks like PR 495 still has changes requested/discussion going on, so I am thinking it probably is not being considered for 2.5.27, but figured it would not hurt to mention it in case it was overlooked.

Yes, I intentionally omitted this change, I still need to finish some
outstanding requests and it changes behaviour a bit.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

Re: New Struts 2.5.x release

Posted by James Chaplin <jc...@apache.org>.

Hi Łukasz.

Thanks for putting the list together for 2.5.27 changes.  Beyond what has already been discussed in other replies, the only other potential for 2.5.27 that I noticed was WW 5129 / PR 495.

It looks like PR 495 still has changes requested/discussion going on, so I am thinking it probably is not being considered for 2.5.27, but figured it would not hurt to mention it in case it was overlooked.

Regards,

     James.

On 2021/10/03 08:11:57, Lukasz Lenart <lu...@apache.org> wrote: 
> I'm ready to prepare a test build for 2.5.27, here is the list of changes:
> https://issues.apache.org/jira/projects/WW/versions/12349611
> 
> Let me know if something is missing.
> 
> 
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> pon., 20 wrz 2021 o 16:13 info@flyingfischer.ch
> <in...@flyingfischer.ch> napisał(a):
> >
> > +1
> >
> > Am 20.09.21 um 15:59 schrieb Dave Newton:
> > > +1
> > >
> > >
> > > On Mon, Sep 20, 2021 at 1:25 AM Lukasz Lenart <lu...@apache.org>
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> I would like to release the last 2.5.x version and focus on Struts
> > >> 2.6. All the PRs that are targeting Struts 2.5.x should be re-targeted
> > >> to Struts 2.6 (the master branch) and we should only accept security
> > >> fixes to 2.5 branch.
> > >>
> > >> Any objections?
> > >>
> > >>
> > >> Regards
> > >> --
> > >> Łukasz
> > >> + 48 606 323 122 http://www.lenart.org.pl/
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > >> For additional commands, e-mail: dev-help@struts.apache.org
> > >>
> > >> --
> > > em: davelnewton@gmail.com
> > > mo: 908-380-8699
> > > gh: davelnewton <https://github.com/davelnewton>
> > > so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
> > > bl: Maker's End Blog <https://blog.makersend.com>
> > >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> > For additional commands, e-mail: dev-help@struts.apache.org
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

Re: New Struts 2.5.x release

Posted by Lukasz Lenart <lu...@apache.org>.

niedz., 3 paź 2021 o 14:27 Yasser Zamani <ya...@apache.org> napisał(a):
>
> Thanks! yes my PR is missing and in my opinion still it's not clear and
> there's no proof for me that why we shouldn't include those improvements!

I didn't include it because I have large concerns (already commented
on the PR) and it looks like Aleksandr has the same (see the
:thumb-up:). I will add an additional comment to the PR.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

Re: New Struts 2.5.x release

Posted by Yasser Zamani <ya...@apache.org>.

Thanks! yes my PR is missing and in my opinion still it's not clear and
there's no proof for me that why we shouldn't include those improvements!

Regards.

On 10/3/2021 11:41 AM, Lukasz Lenart wrote:
> I'm ready to prepare a test build for 2.5.27, here is the list of changes:
> https://issues.apache.org/jira/projects/WW/versions/12349611
> 
> Let me know if something is missing.
> 
> 
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
> 
> pon., 20 wrz 2021 o 16:13 info@flyingfischer.ch
> <in...@flyingfischer.ch> napisał(a):
>>
>> +1
>>
>> Am 20.09.21 um 15:59 schrieb Dave Newton:
>>> +1
>>>
>>>
>>> On Mon, Sep 20, 2021 at 1:25 AM Lukasz Lenart <lu...@apache.org>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I would like to release the last 2.5.x version and focus on Struts
>>>> 2.6. All the PRs that are targeting Struts 2.5.x should be re-targeted
>>>> to Struts 2.6 (the master branch) and we should only accept security
>>>> fixes to 2.5 branch.
>>>>
>>>> Any objections?
>>>>
>>>>
>>>> Regards
>>>> --
>>>> Łukasz
>>>> + 48 606 323 122 http://www.lenart.org.pl/
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>>>> For additional commands, e-mail: dev-help@struts.apache.org
>>>>
>>>> --
>>> em: davelnewton@gmail.com
>>> mo: 908-380-8699
>>> gh: davelnewton <https://github.com/davelnewton>
>>> so: Dave Newton <http://stackoverflow.com/users/438992/dave-newton>
>>> bl: Maker's End Blog <https://blog.makersend.com>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
>> For additional commands, e-mail: dev-help@struts.apache.org
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
> For additional commands, e-mail: dev-help@struts.apache.org
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org

Re: New Struts 2.5.x release

Posted by Lukasz Lenart <lu...@apache.org>.

niedz., 3 paź 2021 o 11:16 info@flyingfischer.ch
<in...@flyingfischer.ch> napisał(a):
>
> Hi Łukasz
>
> any reason why we cannot use XStream 1.4.18 instead of version version
> 1.4.16?
>
> There seem to be a bunch of recent CVEs fixed in 1.4.18, released on the
> August 22, 2021
>
> http://x-stream.github.io/
>
> As far as I can see, it still supports Java 7. Only the next major
> release 1.5 will require Java 8. However, we should upgrade Struts to
> Java 8 anyway.

The problem is that it's not a drop-in replacement, the OVal plugin
needs to be upgraded as well [1]. I mean, you can replace XStream on
your own if you do not use the OVal plugin.
I have some concerns introducing such changes into 2.5.x as behaviour
has slightly changed.

[1] https://github.com/apache/struts/pull/499


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org