Posted to dev@santuario.apache.org by Colm O hEigeartaigh <co...@progress.com> on 2009/06/18 12:50:30 UTC

1.4.3 bugzilla triage

Hi,

Here's a bugzilla triage as promised for 1.4.3. There are 25 open bugs
against the Java component of XML-Security.

I've submitted patches for the following:

https://issues.apache.org/bugzilla/show_bug.cgi?id=47265
https://issues.apache.org/bugzilla/show_bug.cgi?id=47260
https://issues.apache.org/bugzilla/show_bug.cgi?id=47029
https://issues.apache.org/bugzilla/show_bug.cgi?id=45388
https://issues.apache.org/bugzilla/show_bug.cgi?id=42986
https://issues.apache.org/bugzilla/show_bug.cgi?id=44335

Once Sean's set up my commit rights I'll commit the more trivial of
these fixes, and leave the other ones for review by the community before
applying them.

These issues all relate to the "==" versus "equals" problem:

https://issues.apache.org/bugzilla/show_bug.cgi?id=46681
https://issues.apache.org/bugzilla/show_bug.cgi?id=45637
https://issues.apache.org/bugzilla/show_bug.cgi?id=44874
https://issues.apache.org/bugzilla/show_bug.cgi?id=40897

I want to do some profiling of this over the next while. I think the
best way of tackling it though is to add a system property which will
enable using "equals".

The following seem to me to be reasonable candidates for fixing in
1.4.3:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45744
https://issues.apache.org/bugzilla/show_bug.cgi?id=44991
https://issues.apache.org/bugzilla/show_bug.cgi?id=44918

I think the following could make it in as well, but I'm not sure:

https://issues.apache.org/bugzilla/show_bug.cgi?id=42239

Is there any other issue anyone wants fixed for 1.4.3?

Colm.


Re: 1.4.3 bugzilla triage

Posted by Sean Mullan <Se...@Sun.COM>.
Colm O hEigeartaigh wrote:
> Here's an updated bugzilla triage for the forthcoming 1.4.3 release.
> Most of the issues mentioned in my previous mail have been fixed. The
> remaining issues are:
> 
> 1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918
> 
> Some security concerns were raised about the supplied patch. It would be
> nice to fix it I guess, but time's running out...

I'm not satisfied with the proposed patch as it contains a security hole. See 
http://java.sun.com/security/seccodeguide.html#6-0 for more information. It can 
allow untrusted code to control the xmlsec configuration by passing in the name 
of a configFile which will then be opened inside a doPrivileged block. I think 
we should hold off on this until I have more time to think about a better solution.

> 2. "==" versus "equals" problem.
> 
> As I mentioned in one of the comments I have a fix for the problem of
> not being able to specify what ElementChecker implementation to use. The
> problem is that there are many more pointer comparisons in the source
> code, and I don't think there's any point half-fixing the problem. I
> vote that we punt on this issue until after 1.4.3.

Ok with me.

> 3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239
> 
> There are two patches that need to be applied for this issue. Sean, can
> you have a scan of the patch I supplied, particularly the copyright
> information on top of the Apache License in the ResourceResolver
> implementation (which was adapted from another patch for this issue). I
> think it's ok, but I just want to confirm. If it's ok then I'll commit
> the patches.

I'll take a look and get back to you.

> 4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459
> 
> I haven't really had time to look at this issue yet. 

Nor have I. I will try to have a look later today.

--Sean
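
The hazard Sean describes, as an added illustration that is not code from xmlsec or from either poster: a caller-supplied file name opened inside a doPrivileged block lets a sandboxed caller with no FilePermission read whatever path it names, while the two hardened variants either keep caller input out of the privileged section entirely or let the caller open the stream itself. The class, method names and the placeholder config path are hypothetical.

```java
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;

// Hypothetical sketch, not the xmlsec code base. Under a SecurityManager,
// code inside doPrivileged runs with the library's own permissions instead
// of the intersection of every caller's permissions on the call stack.
public final class ConfigLoading {

    // Unsafe: the path is tainted (chosen by the caller), so a caller that
    // holds no FilePermission still gets the library to open any file it
    // names and can thereby control which configuration gets loaded.
    static InputStream openConfigUnsafe(final String callerSuppliedPath)
            throws PrivilegedActionException {
        return AccessController.doPrivileged(
            (PrivilegedExceptionAction<InputStream>) () ->
                new FileInputStream(callerSuppliedPath));
    }

    // Hardened form 1: the privileged section only touches a name fixed by
    // the library itself, so no caller-controlled value reaches elevated code.
    // Placeholder path, not a real xmlsec location.
    private static final String BUILT_IN_CONFIG = "/placeholder/path/config.xml";

    static InputStream openBuiltInConfig() throws PrivilegedActionException {
        return AccessController.doPrivileged(
            (PrivilegedExceptionAction<InputStream>) () ->
                new FileInputStream(BUILT_IN_CONFIG));
    }

    // Hardened form 2: when the caller must choose the file, the open happens
    // on the caller's own stack (no doPrivileged), so the SecurityManager
    // checks the caller's FilePermission rather than the library's.
    static InputStream openCallerConfig(final String callerSuppliedPath)
            throws FileNotFoundException {
        return new FileInputStream(callerSuppliedPath);
    }

    // Equivalent shape for an API: accept an already-open stream, so the
    // caller paid the permission check before the library ever sees the data.
    static void loadConfig(final InputStream alreadyOpenedByCaller) {
        // parse the configuration from the stream here (omitted)
    }
}
```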

RE: 1.4.3 bugzilla triage

Posted by Colm O hEigeartaigh <co...@progress.com>.
Here's an updated bugzilla triage for the forthcoming 1.4.3 release.
Most of the issues mentioned in my previous mail have been fixed. The
remaining issues are:

1. https://issues.apache.org/bugzilla/show_bug.cgi?id=44918

Some security concerns were raised about the supplied patch. It would be
nice to fix it I guess, but time's running out...

2. "==" versus "equals" problem.

As I mentioned in one of the comments I have a fix for the problem of
not being able to specify what ElementChecker implementation to use. The
problem is that there are many more pointer comparisons in the source
code, and I don't think there's any point half-fixing the problem. I
vote that we punt on this issue until after 1.4.3.

3. https://issues.apache.org/bugzilla/show_bug.cgi?id=42239

There are two patches that need to be applied for this issue. Sean, can
you have a scan of the patch I supplied, particularly the copyright
information on top of the Apache License in the ResourceResolver
implementation (which was adapted from another patch for this issue). I
think it's ok, but I just want to confirm. If it's ok then I'll commit
the patches.

4. https://issues.apache.org/bugzilla/show_bug.cgi?id=47459

I haven't really had time to look at this issue yet. 

Any thoughts?

Colm.


-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com] 
Sent: 18 June 2009 11:51
To: security-dev@xml.apache.org
Subject: 1.4.3 bugzilla triage