Posted to dev@cocoon.apache.org by David Crossley <cr...@apache.org> on 2016/06/01 03:40:07 UTC

Re: Upcoming releases

On Tue, May 31, 2016 at 11:01:51PM +0300, Johan Sjöberg wrote:
> 
> Referring to David’s message on the "user" list, there seems to be plans
> for Cocoon-2.1 and Cocoon-2.2 releases. That’s great!

Thanks for your interest.

It is a loose use of the term "plans", but yeah, these are the first steps.

> What would be needed
> from "outsiders" to help with these, patches and testing, more?

Reviewing these lists of issues:

https://issues.apache.org/jira/issues/?filter=12310771
COCOON-open-with-patch
... twiddle that filter to restrict to "Affects Version".

https://issues.apache.org/jira/issues/?filter=12335814
COCOON-affects-2_1_12-and-2_1_13
... general issues affecting recent 2.1

Also, there would be some documentation tweaks needed.
However i am not clear about the state of our system.

> Personally
> I would be interested in an official release of the 2.1 branch and will
> check what possible local changes I might have.

I too am mainly interested in Cocoon-2.1

Yes please do add to our JIRA issue tracker any changes that you
reckon are useful.

You might need to be added to JIRA permissions. If so then please
contact the "private" mail list and tell us your JIRA username.

Thanks again. Hopefully your efforts will encourage others.

-David

Re: Upcoming releases

Posted by David Crossley <cr...@apache.org>.
On Mon, Jun 06, 2016 at 03:16:58PM +0300, Johan Sjöberg wrote:
> Greetings.
> 
> Those filters seems to include 11 issues where 3 are reported as Bug. Of
> these two should IMO be checked, COCOON-2253 and COCOON-2246.

Thanks for the review. Hopefully a committer can do those.

I have not looked at other filters to see any suggested enhancements.

> So, the important thing would perhaps be to find consensus about what's
> gonna be in 2.1.13, is it branded as a library upgrade and Java 8 support
> release or that plus some new features?

There are some new features already. If others would like
to add or enhance anything then please provide patches.

Upgrading some supporting products would be good. We did do some
last time. For some (IIRC e.g. FOP) we would need to raise our
minimum Java version. Upgrading Ant would be good.

Also need to review the recent commits and patch $COCOON_HOME/status.xml
to notify any worthy changes.

> Are most who would like to see a
> 2.1.13 release waiting for official Java 8 support?

Deciding the minimum Java version is one of the early release
process steps. It would be better to have a separate mail thread.
Also we should review such discussion from last time.

I am not sure what you mean by "Java 8 support".

The main demos on our vm are okay:
http://cocoon.zones.apache.org

The HEAD of the current 2.1 branch does work for me,
but i did need to add this recently:
  http://svn.apache.org/r1623915
  Enable 'java' to be found on a modern Mac OS X.

> All in all, it doesn't
> look too bad. IOW, not too much stuff todo.
>
> Additionally I think it would be nice to have a configurable
> SaxParserFactory and a configurable DocumentBuilderFactory, to prevent some
> XEE attacks. I didn't find any in the code, but I might have missed it of
> course. That's low prio though, as it can be achieved with external
> implementations of the Factories registered in cocoon.xconf.

If someone can provide such an enhancement then that would be useful.

We should also provide some documentation to warn about such problems.
As alluded to earlier, our documentation system is busted.
So perhaps a Wiki page (could be moved to docs later).

e.g. remind to not process source xml docs that you do not control;
e.g. remind that Catalog Entity Resolver can assist; etc.
and link to articles like these:

Managing XML data: XML catalogs
http://www.ibm.com/developerworks/library/x-mxd3/

and 

Tip: Configure SAX parsers for secure processing
Prevent entity resolution vulnerabilities and overflow attacks
http://www.ibm.com/developerworks/xml/library/x-tipcfsx
... Oh crikey, it is 404. So need rescue of wayback machine
or find something similar.

-David

> Thoughts?
> 
> Cheers,
> 
> Johan
> 
> On Wed, Jun 1, 2016 at 6:40 AM, David Crossley <cr...@apache.org> wrote:
> 
> > On Tue, May 31, 2016 at 11:01:51PM +0300, Johan Sjöberg wrote:
> > >
> > > Referring to David’s message on the "user" list, there seems to be plans
> > > for Cocoon-2.1 and Cocoon-2.2 releases. That’s great!
> >
> > Thanks for your interest.
> >
> > It is a loose use of the term "plans", but yeah, these are the first steps.
> >
> > > What would be needed
> > > from "outsiders" to help with these, patches and testing, more?
> >
> > Reviewing these lists of issues:
> >
> > https://issues.apache.org/jira/issues/?filter=12310771
> > COCOON-open-with-patch
> > ... twiddle that filter to restrict to "Affects Version".
> >
> > https://issues.apache.org/jira/issues/?filter=12335814
> > COCOON-affects-2_1_12-and-2_1_13
> > ... general issues affecting recent 2.1
> >
> > Also, there would be some documentation tweaks needed.
> > However i am not clear about the state of our system.
> >
> > > Personally
> > > I would be interested in an official release of the 2.1 branch and will
> > > check what possible local changes I might have.
> >
> > I too am mainly interested in Cocoon-2.1
> >
> > Yes please do add to our JIRA issue tracker any changes that you
> > reckon are useful.
> >
> > You might need to be added to JIRA permissions. If so then please
> > contact the "private" mail list and tell us your JIRA username.
> >
> > Thanks again. Hopefully your efforts will encourage others.
> >
> > -David
> >

Re: Upcoming releases

Posted by Johan Sjöberg <yo...@gmail.com>.
Greetings.

Those filters seems to include 11 issues where 3 are reported as Bug. Of
these two should IMO be checked, COCOON-2253 and COCOON-2246.

So, the important thing would perhaps be to find consensus about what's
gonna be in 2.1.13, is it branded as a library upgrade and Java 8 support
release or that plus some new features? Are most who would like to see a
2.1.13 release waiting for official Java 8 support? All in all, it doesn't
look too bad. IOW, not too much stuff todo.

Additionally I think it would be nice to have a configurable
SaxParserFactory and a configurable DocumentBuilderFactory, to prevent some
XEE attacks. I didn't find any in the code, but I might have missed it of
course. That's low prio though, as it can be achieved with external
implementations of the Factories registered in cocoon.xconf.

Thoughts?

Cheers,

Johan

On Wed, Jun 1, 2016 at 6:40 AM, David Crossley <cr...@apache.org> wrote:

> On Tue, May 31, 2016 at 11:01:51PM +0300, Johan Sjöberg wrote:
> >
> > Referring to David’s message on the "user" list, there seems to be plans
> > for Cocoon-2.1 and Cocoon-2.2 releases. That’s great!
>
> Thanks for your interest.
>
> It is a loose use of the term "plans", but yeah, these are the first steps.
>
> > What would be needed
> > from "outsiders" to help with these, patches and testing, more?
>
> Reviewing these lists of issues:
>
> https://issues.apache.org/jira/issues/?filter=12310771
> COCOON-open-with-patch
> ... twiddle that filter to restrict to "Affects Version".
>
> https://issues.apache.org/jira/issues/?filter=12335814
> COCOON-affects-2_1_12-and-2_1_13
> ... general issues affecting recent 2.1
>
> Also, there would be some documentation tweaks needed.
> However i am not clear about the state of our system.
>
> > Personally
> > I would be interested in an official release of the 2.1 branch and will
> > check what possible local changes I might have.
>
> I too am mainly interested in Cocoon-2.1
>
> Yes please do add to our JIRA issue tracker any changes that you
> reckon are useful.
>
> You might need to be added to JIRA permissions. If so then please
> contact the "private" mail list and tell us your JIRA username.
>
> Thanks again. Hopefully your efforts will encourage others.
>
> -David
>