You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@wicket.apache.org by Frank Bille <fr...@apache.org> on 2007/12/06 21:17:20 UTC

[VOTE] Release Wicket 1.3.0 release candidate 2

Hi all,

I have uploaded the artifacts to my p.a.o account. This is what I have
tested:

* Run "mvn clean install" on the distribution. Installs, no test failures.
* Run RAT[1] on the release and checked the output. Nothing to notice.
* Tried different things in the examples, like ajax, links, images, forms,
guice and pub2. Nothing to notice.

The releases has been signed with my GPG key, which you can find in the
KEYS[2] file.

Anyway, here you can find the distribution files:
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/dist/>

and here you can find the maven repo:
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/>

and here I have uploaded the RAT logs:
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>

[ ] Release Apache Wicket 1.3.0-rc2
[ ] Don't release, because...


Regards
Frank

[1]: http://code.google.com/p/arat/
[2]: http://svn.apache.org/repos/asf/wicket/common/KEYS

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Martijn Dashorst <ma...@gmail.com>.

+1
the zip builds, and runs the examples correctly using mvn jetty:run

Martijn

On Dec 6, 2007 9:17 PM, Frank Bille <fr...@apache.org> wrote:

> Hi all,
>
> I have uploaded the artifacts to my p.a.o account. This is what I have
> tested:
>
> * Run "mvn clean install" on the distribution. Installs, no test failures.
> * Run RAT[1] on the release and checked the output. Nothing to notice.
> * Tried different things in the examples, like ajax, links, images, forms,
> guice and pub2. Nothing to notice.
>
> The releases has been signed with my GPG key, which you can find in the
> KEYS[2] file.
>
> Anyway, here you can find the distribution files:
>
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/
> <
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/dist/
> >
>
> and here you can find the maven repo:
>
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/
> <
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/
> >
>
> and here I have uploaded the RAT logs:
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
>
> [ ] Release Apache Wicket 1.3.0-rc2
> [ ] Don't release, because...
>
>
> Regards
> Frank
>
> [1]: http://code.google.com/p/arat/
> [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
>



-- 
Buy Wicket in Action: http://manning.com/dashorst
Apache Wicket 1.3.0-rc1 is released
Get it now: http://www.apache.org/dyn/closer.cgi/wicket/1.3.0-rc1/

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Frank Bille <fr...@apache.org>.

I have time today, so I will commit the fix to the rc2 branch, as well as
the new design for the examples.

Frank


On Dec 7, 2007 4:40 PM, Matej Knopp <ma...@gmail.com> wrote:

> will do.
>
> On Dec 7, 2007 10:20 AM, Frank Bille <fr...@apache.org> wrote:
> > Ok, unless someone has a good reason that the issue is invalid, I will
> stop
> > the vote now.
> >
> > I can first rebuild on sunday, but Matej, can you commit the fix to the
> > release branch as well as update the issue to say that it's fixed in
> rc2?
> >
> > Frank
> >
> >
> >
> > On Dec 7, 2007 1:40 AM, Matej Knopp <ma...@gmail.com> wrote:
> >
> > > -1 from me too.
> > >
> > > I just commited the fix though. Here's a jira issue for it:
> > > https://issues.apache.org/jira/browse/WICKET-1209
> > >
> > > -Matej
> > >
> > > On Dec 7, 2007 1:34 AM, Matt Clark <mc...@voyence.com> wrote:
> > > > I don't have a vote obviously, but -1 just because of what I believe
> is
> > > > a serious security problem with WicketSessionFilter.  Revision
> 556446,
> > > > which was trying to also make the application object available via
> > > > wicketsessionfilter, added some coded immediately after the
> > > > Session.unset().  In the next revision 556700 that change was
> reverted,
> > > > but instead of just removing the code from 556446 the change also
> > > > removed the Session.unset().  Now, we're using WicketSessionFilter
> and
> > > > our users are seeing information from other users' sessions.
> > > >
> > > > I believe all that is required to fix this is to add back a
> > > > Session.unset() after the chain.doFilter in WicketSessionFilter, but
> > > > would it also be a good idea to do this?
> > > >
> > > > try{
> > > >         filter.doChain(...);
> > > > }finally{
> > > >         Session.unset();
> > > > }
> > > >
> > > > We're really looking forwarded to some of the fixes in RC2, so I
> hope
> > > > this can make it in there, as it appears to be just an accident.
> > > >
> > > > Thanks,
> > > > Matt Clark
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Johan Compagner [mailto:jcompagner@gmail.com]
> > > > Sent: Thursday, December 06, 2007 5:38 PM
> > > > To: dev@wicket.apache.org
> > > > Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
> > > >
> > > > +1 release
> > > >
> > > > 2007/12/6, Frank Bille <fr...@apache.org>:
> > > > > Hi all,
> > > > >
> > > > > I have uploaded the artifacts to my p.a.o account. This is what I
> have
> > > > > tested:
> > > > >
> > > > > * Run "mvn clean install" on the distribution. Installs, no test
> > > > failures.
> > > > > * Run RAT[1] on the release and checked the output. Nothing to
> notice.
> > > > > * Tried different things in the examples, like ajax, links,
> images,
> > > > forms,
> > > > > guice and pub2. Nothing to notice.
> > > > >
> > > > > The releases has been signed with my GPG key, which you can find
> in
> > > > the
> > > > > KEYS[2] file.
> > > > >
> > > > > Anyway, here you can find the distribution files:
> > > > >
> > > >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/di<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/di>
> <
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/di
> >
> > > > st/<
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-
> > > > rc2/dist/>
> > > > >
> > > > > and here you can find the maven repo:
> > > > >
> > > >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2>
> <
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2
> >
> > > > -repo/<
> http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3
> > > > .0-rc2/m2-repo/>
> > > > >
> > > > > and here I have uploaded the RAT logs:
> > > > >
> > > >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> <http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> >
> > > <ht
> > > > tp://people.apache.org/%7Efrankbille/releases/apache-
> wicket-1.3.0-rc2>
> > > > >
> > > > > [ ] Release Apache Wicket 1.3.0-rc2
> > > > > [ ] Don't release, because...
> > > > >
> > > > >
> > > > > Regards
> > > > > Frank
> > > > >
> > > > > [1]: http://code.google.com/p/arat/
> > > > > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> > > > >
> > > >
> > >
> >
>

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Matej Knopp <ma...@gmail.com>.

will do.

On Dec 7, 2007 10:20 AM, Frank Bille <fr...@apache.org> wrote:
> Ok, unless someone has a good reason that the issue is invalid, I will stop
> the vote now.
>
> I can first rebuild on sunday, but Matej, can you commit the fix to the
> release branch as well as update the issue to say that it's fixed in rc2?
>
> Frank
>
>
>
> On Dec 7, 2007 1:40 AM, Matej Knopp <ma...@gmail.com> wrote:
>
> > -1 from me too.
> >
> > I just commited the fix though. Here's a jira issue for it:
> > https://issues.apache.org/jira/browse/WICKET-1209
> >
> > -Matej
> >
> > On Dec 7, 2007 1:34 AM, Matt Clark <mc...@voyence.com> wrote:
> > > I don't have a vote obviously, but -1 just because of what I believe is
> > > a serious security problem with WicketSessionFilter.  Revision 556446,
> > > which was trying to also make the application object available via
> > > wicketsessionfilter, added some coded immediately after the
> > > Session.unset().  In the next revision 556700 that change was reverted,
> > > but instead of just removing the code from 556446 the change also
> > > removed the Session.unset().  Now, we're using WicketSessionFilter and
> > > our users are seeing information from other users' sessions.
> > >
> > > I believe all that is required to fix this is to add back a
> > > Session.unset() after the chain.doFilter in WicketSessionFilter, but
> > > would it also be a good idea to do this?
> > >
> > > try{
> > >         filter.doChain(...);
> > > }finally{
> > >         Session.unset();
> > > }
> > >
> > > We're really looking forwarded to some of the fixes in RC2, so I hope
> > > this can make it in there, as it appears to be just an accident.
> > >
> > > Thanks,
> > > Matt Clark
> > >
> > >
> > > -----Original Message-----
> > > From: Johan Compagner [mailto:jcompagner@gmail.com]
> > > Sent: Thursday, December 06, 2007 5:38 PM
> > > To: dev@wicket.apache.org
> > > Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
> > >
> > > +1 release
> > >
> > > 2007/12/6, Frank Bille <fr...@apache.org>:
> > > > Hi all,
> > > >
> > > > I have uploaded the artifacts to my p.a.o account. This is what I have
> > > > tested:
> > > >
> > > > * Run "mvn clean install" on the distribution. Installs, no test
> > > failures.
> > > > * Run RAT[1] on the release and checked the output. Nothing to notice.
> > > > * Tried different things in the examples, like ajax, links, images,
> > > forms,
> > > > guice and pub2. Nothing to notice.
> > > >
> > > > The releases has been signed with my GPG key, which you can find in
> > > the
> > > > KEYS[2] file.
> > > >
> > > > Anyway, here you can find the distribution files:
> > > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/di<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/di>
> > > st/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-
> > > rc2/dist/>
> > > >
> > > > and here you can find the maven repo:
> > > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2>
> > > -repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3
> > > .0-rc2/m2-repo/>
> > > >
> > > > and here I have uploaded the RAT logs:
> > > >
> > > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
>
> > <ht
> > > tp://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> > > >
> > > > [ ] Release Apache Wicket 1.3.0-rc2
> > > > [ ] Don't release, because...
> > > >
> > > >
> > > > Regards
> > > > Frank
> > > >
> > > > [1]: http://code.google.com/p/arat/
> > > > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> > > >
> > >
> >
>

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Frank Bille <fr...@apache.org>.

Ok, unless someone has a good reason that the issue is invalid, I will stop
the vote now.

I can first rebuild on sunday, but Matej, can you commit the fix to the
release branch as well as update the issue to say that it's fixed in rc2?

Frank


On Dec 7, 2007 1:40 AM, Matej Knopp <ma...@gmail.com> wrote:

> -1 from me too.
>
> I just commited the fix though. Here's a jira issue for it:
> https://issues.apache.org/jira/browse/WICKET-1209
>
> -Matej
>
> On Dec 7, 2007 1:34 AM, Matt Clark <mc...@voyence.com> wrote:
> > I don't have a vote obviously, but -1 just because of what I believe is
> > a serious security problem with WicketSessionFilter.  Revision 556446,
> > which was trying to also make the application object available via
> > wicketsessionfilter, added some coded immediately after the
> > Session.unset().  In the next revision 556700 that change was reverted,
> > but instead of just removing the code from 556446 the change also
> > removed the Session.unset().  Now, we're using WicketSessionFilter and
> > our users are seeing information from other users' sessions.
> >
> > I believe all that is required to fix this is to add back a
> > Session.unset() after the chain.doFilter in WicketSessionFilter, but
> > would it also be a good idea to do this?
> >
> > try{
> >         filter.doChain(...);
> > }finally{
> >         Session.unset();
> > }
> >
> > We're really looking forwarded to some of the fixes in RC2, so I hope
> > this can make it in there, as it appears to be just an accident.
> >
> > Thanks,
> > Matt Clark
> >
> >
> > -----Original Message-----
> > From: Johan Compagner [mailto:jcompagner@gmail.com]
> > Sent: Thursday, December 06, 2007 5:38 PM
> > To: dev@wicket.apache.org
> > Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
> >
> > +1 release
> >
> > 2007/12/6, Frank Bille <fr...@apache.org>:
> > > Hi all,
> > >
> > > I have uploaded the artifacts to my p.a.o account. This is what I have
> > > tested:
> > >
> > > * Run "mvn clean install" on the distribution. Installs, no test
> > failures.
> > > * Run RAT[1] on the release and checked the output. Nothing to notice.
> > > * Tried different things in the examples, like ajax, links, images,
> > forms,
> > > guice and pub2. Nothing to notice.
> > >
> > > The releases has been signed with my GPG key, which you can find in
> > the
> > > KEYS[2] file.
> > >
> > > Anyway, here you can find the distribution files:
> > >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/di<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/di>
> > st/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-
> > rc2/dist/>
> > >
> > > and here you can find the maven repo:
> > >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2>
> > -repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3
> > .0-rc2/m2-repo/>
> > >
> > > and here I have uploaded the RAT logs:
> > >
> > http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> <ht
> > tp://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> > >
> > > [ ] Release Apache Wicket 1.3.0-rc2
> > > [ ] Don't release, because...
> > >
> > >
> > > Regards
> > > Frank
> > >
> > > [1]: http://code.google.com/p/arat/
> > > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> > >
> >
>

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Matej Knopp <ma...@gmail.com>.

-1 from me too.

I just commited the fix though. Here's a jira issue for it:
https://issues.apache.org/jira/browse/WICKET-1209

-Matej

On Dec 7, 2007 1:34 AM, Matt Clark <mc...@voyence.com> wrote:
> I don't have a vote obviously, but -1 just because of what I believe is
> a serious security problem with WicketSessionFilter.  Revision 556446,
> which was trying to also make the application object available via
> wicketsessionfilter, added some coded immediately after the
> Session.unset().  In the next revision 556700 that change was reverted,
> but instead of just removing the code from 556446 the change also
> removed the Session.unset().  Now, we're using WicketSessionFilter and
> our users are seeing information from other users' sessions.
>
> I believe all that is required to fix this is to add back a
> Session.unset() after the chain.doFilter in WicketSessionFilter, but
> would it also be a good idea to do this?
>
> try{
>         filter.doChain(...);
> }finally{
>         Session.unset();
> }
>
> We're really looking forwarded to some of the fixes in RC2, so I hope
> this can make it in there, as it appears to be just an accident.
>
> Thanks,
> Matt Clark
>
>
> -----Original Message-----
> From: Johan Compagner [mailto:jcompagner@gmail.com]
> Sent: Thursday, December 06, 2007 5:38 PM
> To: dev@wicket.apache.org
> Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2
>
> +1 release
>
> 2007/12/6, Frank Bille <fr...@apache.org>:
> > Hi all,
> >
> > I have uploaded the artifacts to my p.a.o account. This is what I have
> > tested:
> >
> > * Run "mvn clean install" on the distribution. Installs, no test
> failures.
> > * Run RAT[1] on the release and checked the output. Nothing to notice.
> > * Tried different things in the examples, like ajax, links, images,
> forms,
> > guice and pub2. Nothing to notice.
> >
> > The releases has been signed with my GPG key, which you can find in
> the
> > KEYS[2] file.
> >
> > Anyway, here you can find the distribution files:
> >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/di
> st/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-
> rc2/dist/>
> >
> > and here you can find the maven repo:
> >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2
> -repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3
> .0-rc2/m2-repo/>
> >
> > and here I have uploaded the RAT logs:
> >
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<ht
> tp://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
> >
> > [ ] Release Apache Wicket 1.3.0-rc2
> > [ ] Don't release, because...
> >
> >
> > Regards
> > Frank
> >
> > [1]: http://code.google.com/p/arat/
> > [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
> >
>

RE: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Matt Clark <mc...@voyence.com>.

I don't have a vote obviously, but -1 just because of what I believe is
a serious security problem with WicketSessionFilter.  Revision 556446,
which was trying to also make the application object available via
wicketsessionfilter, added some coded immediately after the
Session.unset().  In the next revision 556700 that change was reverted,
but instead of just removing the code from 556446 the change also
removed the Session.unset().  Now, we're using WicketSessionFilter and
our users are seeing information from other users' sessions.

I believe all that is required to fix this is to add back a
Session.unset() after the chain.doFilter in WicketSessionFilter, but
would it also be a good idea to do this?

try{
	filter.doChain(...);
}finally{
	Session.unset();
}

We're really looking forwarded to some of the fixes in RC2, so I hope
this can make it in there, as it appears to be just an accident.

Thanks,
Matt Clark

-----Original Message-----
From: Johan Compagner [mailto:jcompagner@gmail.com] 
Sent: Thursday, December 06, 2007 5:38 PM
To: dev@wicket.apache.org
Subject: Re: [VOTE] Release Wicket 1.3.0 release candidate 2

+1 release

2007/12/6, Frank Bille <fr...@apache.org>:
> Hi all,
>
> I have uploaded the artifacts to my p.a.o account. This is what I have
> tested:
>
> * Run "mvn clean install" on the distribution. Installs, no test
failures.
> * Run RAT[1] on the release and checked the output. Nothing to notice.
> * Tried different things in the examples, like ajax, links, images,
forms,
> guice and pub2. Nothing to notice.
>
> The releases has been signed with my GPG key, which you can find in
the
> KEYS[2] file.
>
> Anyway, here you can find the distribution files:
>
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/di
st/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-
rc2/dist/>
>
> and here you can find the maven repo:
>
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2
-repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3
.0-rc2/m2-repo/>
>
> and here I have uploaded the RAT logs:
>
http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<ht
tp://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
>
> [ ] Release Apache Wicket 1.3.0-rc2
> [ ] Don't release, because...
>
>
> Regards
> Frank
>
> [1]: http://code.google.com/p/arat/
> [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
>

Re: [VOTE] Release Wicket 1.3.0 release candidate 2

Posted by Johan Compagner <jc...@gmail.com>.

+1 release

2007/12/6, Frank Bille <fr...@apache.org>:
> Hi all,
>
> I have uploaded the artifacts to my p.a.o account. This is what I have
> tested:
>
> * Run "mvn clean install" on the distribution. Installs, no test failures.
> * Run RAT[1] on the release and checked the output. Nothing to notice.
> * Tried different things in the examples, like ajax, links, images, forms,
> guice and pub2. Nothing to notice.
>
> The releases has been signed with my GPG key, which you can find in the
> KEYS[2] file.
>
> Anyway, here you can find the distribution files:
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/dist/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/dist/>
>
> and here you can find the maven repo:
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2/m2-repo/>
>
> and here I have uploaded the RAT logs:
> http://people.apache.org/~frankbille/releases/apache-wicket-1.3.0-rc2<http://people.apache.org/%7Efrankbille/releases/apache-wicket-1.3.0-rc2>
>
> [ ] Release Apache Wicket 1.3.0-rc2
> [ ] Don't release, because...
>
>
> Regards
> Frank
>
> [1]: http://code.google.com/p/arat/
> [2]: http://svn.apache.org/repos/asf/wicket/common/KEYS
>