Posted to dev@sling.apache.org by Bertrand Delacretaz <bd...@apache.org> on 2016/08/12 08:23:39 UTC

[VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Hi,

The vote is still ongoing for V1.0.10 of the same module, but we
should have waited for another small fix that's included in this
release. No big deal.

We solved 1 issue in this release:
https://issues.apache.org/jira/browse/SLING/fixforversion/12338062

Staging repository:
https://repository.apache.org/content/repositories/orgapachesling-1500/

You can use this UNIX script to download the release and verify the signatures:
http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh

Usage:
sh check_staged_release.sh 1500 /tmp/sling-staging

Please vote to approve this release:

  [ ] +1 Approve the release
  [ ]  0 Don't care
  [ ] -1 Don't release, because ...

This majority vote is open for at least 72 hours.

Here's my +1.

-Bertrand

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Ian Boston <ie...@tfd.co.uk>.
+1, all signatures check out.
Ian

On 12 August 2016 at 09:35, Carsten Ziegeler <cz...@apache.org> wrote:

> +1
>
>
>
> --
> Carsten Ziegeler
> Adobe Research Switzerland
> cziegeler@apache.org
>
>

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Carsten Ziegeler <cz...@apache.org>.
+1

 

-- 
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org


Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Friday 12 August 2016 10:23:39 Bertrand Delacretaz wrote:
> Hi,
> 
> The vote is still ongoing for V1.0.10 of the same module, but we
> should have waited for another small fix that's included in this
> release. No big deal.
> 
> We solved 1 issue in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12338062

+1

O.


Re: XSS bundle is broken in trunk

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 26, 2016 at 1:31 PM, Oliver Lietz <ap...@oliverlietz.de> wrote:

> On Friday 26 August 2016 13:14:01 Carsten Ziegeler wrote:
> > Karl Pauls wrote:
> > > Well, you can't have only one place as each module needs to be able to
> > > (if needed) declare what other licensed code it contains. You can only
> > > do that for bundles that don't have anything to declare which actually
> > > (at least in theory) we have - that is the point of the
> > > appended-resources. You override LICENSE and NOTICE on a case by case
> > > basis when it is needed (i.e., the module contains external/differently
> > > licensed code).
> > >
> > > At least, appended-resources is what we probably should be using for
> > > that - however, as far as I can see a lot of bundles do follow a
> > > different approach (probably for historic reasons) namely, they
> > > duplicate the LICENSE and NOTICE files in the root of the bundle svn dir
> > > and inside src/main/resources/META-INF. In the case of the css bundle,
> > > it was probably forgotten to do the duplication.
> >
> > Yes, that's for historic reasons and we simply never went through the
> > whole code base to use appended-resources.
> >
> > > Obviously, that is probably not the best way to do it - hence, if you
> > > are talking about clean-up I would recommend to rework all bundles to
> > > have their LICENSE and NOTICE appended by default and override it on a
> > > case by case basis via appended-resources if needed. I don't think we
> > > are talking about a lot of work in that regard so if others think it is
> > > worthwhile we might want to create a JIRA issue to list what bundles
> > > needed to be changed and just do it in one go (If others agree, I'd be
> > > willing to look into it)...
> >
> > That would be awesome, +1 :)
>
> Indeed, much appreciated!
>
> O.
>
> > Carsten
>

Ok, I'll try to get to it before too long.

regards,

Karl

-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Friday 26 August 2016 13:14:01 Carsten Ziegeler wrote:
> Karl Pauls wrote:
> > Well, you can't have only one place as each module needs to be able to
> > (if needed) declare what other licensed code it contains. You can only do
> > that for bundles that don't have anything to declare which actually (at
> > least in theory) we have - that is the point of the appended-resources.
> > You override LICENSE and NOTICE on a case by case basis when it is needed
> > (i.e., the module contains external/differently licensed code).
> >
> > At least, appended-resources is what we probably should be using for
> > that - however, as far as I can see a lot of bundles do follow a different
> > approach (probably for historic reasons) namely, they duplicate the
> > LICENSE and NOTICE files in the root of the bundle svn dir and inside
> > src/main/resources/META-INF. In the case of the css bundle, it was
> > probably forgotten to do the duplication.
>
> Yes, that's for historic reasons and we simply never went through the
> whole code base to use appended-resources.
>
> > Obviously, that is probably not the best way to do it - hence, if you are
> > talking about clean-up I would recommend to rework all bundles to have
> > their LICENSE and NOTICE appended by default and override it on a case by
> > case basis via appended-resources if needed. I don't think we are talking
> > about a lot of work in that regard so if others think it is worthwhile we
> > might want to create a JIRA issue to list what bundles needed to be
> > changed and just do it in one go (If others agree, I'd be willing to look
> > into it)...
>
> That would be awesome, +1 :)

Indeed, much appreciated!

O.

> Carsten



Re: XSS bundle is broken in trunk

Posted by Carsten Ziegeler <cz...@apache.org>.
Karl Pauls wrote:
> 
> Well, you can't have only one place as each module needs to be able to (if
> needed) declare what other licensed code it contains. You can only do that
> for bundles that don't have anything to declare which actually (at least in
> theory) we have - that is the point of the appended-resources. You
> override LICENSE and NOTICE on a case by case basis when it is needed
> (i.e., the module contains external/differently licensed code).
> 
> At least, appended-resources is what we probably should be using for that -
> however, as far as I can see a lot of bundles do follow a different
> approach (probably for historic reasons) namely, they duplicate the LICENSE
> and NOTICE files in the root of the bundle svn dir and inside
> src/main/resources/META-INF. In the case of the css bundle, it was probably
> forgotten to do the duplication.

Yes, that's for historic reasons and we simply never went through the
whole code base to use appended-resources.

> 
> Obviously, that is probably not the best way to do it - hence, if you are
> talking about clean-up I would recommend to rework all bundles to have
> their LICENSE and NOTICE appended by default and override it on a case by
> case basis via appended-resources if needed. I don't think we are talking
> about a lot of work in that regard so if others think it is worthwhile we
> might want to create a JIRA issue to list what bundles needed to be
> changed and just do it in one go (If others agree, I'd be willing to look
> into it)...
That would be awesome, +1 :)

Carsten

-- 
Carsten Ziegeler
Adobe Research Switzerland
cziegeler@apache.org


Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 26, 2016 at 12:43 PM, Oliver Lietz <ap...@oliverlietz.de> wrote:

> On Thursday 25 August 2016 22:11:00 Karl Pauls wrote:
> > On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:
>
> hi,
>
> > > I think I finally fixed this in https://svn.apache.org/r1757708. I've
> > > run a test with the SNAPSHOT version and everything works as expected.
> >
> > Looks good!
>
> shouldn't we have a global setting/configuration in parent which is valid
> for all modules? Fixing include of LICENSE and NOTICE in one module sounds
> awkward.
>

Well, you can't have only one place as each module needs to be able to (if
needed) declare what other licensed code it contains. You can only do that
for bundles that don't have anything to declare which actually (at least in
theory) we have - that is the point of the appended-resources. You
override LICENSE and NOTICE on a case by case basis when it is needed
(i.e., the module contains external/differently licensed code).

At least, appended-resources is what we probably should be using for that -
however, as far as I can see a lot of bundles do follow a different
approach (probably for historic reasons) namely, they duplicate the LICENSE
and NOTICE files in the root of the bundle svn dir and inside
src/main/resources/META-INF. In the case of the css bundle, it was probably
forgotten to do the duplication.

Obviously, that is probably not the best way to do it - hence, if you are
talking about clean-up I would recommend to rework all bundles to have
their LICENSE and NOTICE appended by default and override it on a case by
case basis via appended-resources if needed. I don't think we are talking
about a lot of work in that regard so if others think it is worthwhile we
might want to create a JIRA issue to list what bundles needed to be
changed and just do it in one go (If others agree, I'd be willing to look
into it)...

regards,

Karl


>
> Regards,
> O.
>
> > regards,
> >
> > Karl
>
>


-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Thursday 25 August 2016 22:11:00 Karl Pauls wrote:
> On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:

hi,

> > I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
> > test with the SNAPSHOT version and everything works as expected.
>
> Looks good!

shouldn't we have a global setting/configuration in parent which is valid for 
all modules? Fixing include of LICENSE and NOTICE in one module sounds 
awkward.

Regards,
O.

> regards,
> 
> Karl


Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
On Thu, Aug 25, 2016 at 5:36 PM, Radu Cotescu <ra...@apache.org> wrote:

> I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
> test with the SNAPSHOT version and everything works as expected.
>

Looks good!

regards,

Karl


-- 
Karl Pauls
karlpauls@gmail.com

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Radu Cotescu <ra...@apache.org>.
Hi,

I think I finally fixed this in https://svn.apache.org/r1757708. I've run a
test with the SNAPSHOT version and everything works as expected.

Have a nice day!

Cheers,
Radu

On Thu, 25 Aug 2016 at 15:06 Karl Pauls <ka...@gmail.com> wrote:

> Hi Radu,
>
> ok. I can look into it tonight as well if you like - regardless, I think we
> should use the appended resources approach.
>
> regards, Karl
>
> On Thursday, August 25, 2016, Radu Cotescu <ra...@apache.org> wrote:
>
> > Hi Karl,
> >
> > Yes, we should find a different approach since your commit makes the
> > SLING-INF folder not to be contained any more by the jar, which makes the
> > XSS bundle more or less useless since some of its components cannot be
> > activated.
> >
> > I'll fix this now as I want to release version 1.0.14.
> >
> > Cheers,
> > Radu
> >
> > On Sat, 20 Aug 2016 at 00:19 Karl Pauls <karlpauls@gmail.com> wrote:
> >
> > >
> > > Done.
> > >
> > > I guess I went the easy way for now by adding a Include-Resource
> > > statement to the maven-bundle-plugin instructions (a better way probably
> > > would be to move the LICENSE and NOTICE files to
> > > src/main/resources/appended-resources and use the remote resources
> > > plugin but oh well).
> > >
> > > regards,
> > >
> > > Karl
> > >
> > >
> > > > -Bertrand
> > > >
> > >
> > >
> > >
> > > --
> > > Karl Pauls
> > > karlpauls@gmail.com
> > >
> >
>
>
> --
> Karl Pauls
> karlpauls@gmail.com
> http://twitter.com/karlpauls
> http://www.linkedin.com/in/karlpauls
> https://profiles.google.com/karlpauls
>

Re: XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Karl Pauls <ka...@gmail.com>.
Hi Radu,

ok. I can look into it tonight as well if you like - regardless, I think we
should use the appended resources approach.

regards, Karl

On Thursday, August 25, 2016, Radu Cotescu <ra...@apache.org> wrote:

> Hi Karl,
>
> Yes, we should find a different approach since your commit makes the
> SLING-INF folder not to be contained any more by the jar, which makes the
> XSS bundle more or less useless since some of its components cannot be
> activated.
>
> I'll fix this now as I want to release version 1.0.14.
>
> Cheers,
> Radu
>
> On Sat, 20 Aug 2016 at 00:19 Karl Pauls <karlpauls@gmail.com> wrote:
>
> >
> > Done.
> >
> > I guess I went the easy way for now by adding a Include-Resource
> > statement to the maven-bundle-plugin instructions (a better way probably
> > would be to move the LICENSE and NOTICE files to
> > src/main/resources/appended-resources and use the remote resources plugin
> > but oh well).
> >
> > regards,
> >
> > Karl
> >
> >
> > > -Bertrand
> > >
> >
> >
> >
> > --
> > Karl Pauls
> > karlpauls@gmail.com
> >
>


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls

XSS bundle is broken in trunk (was: Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12)

Posted by Radu Cotescu <ra...@apache.org>.
Hi Karl,

Yes, we should find a different approach since your commit makes the
SLING-INF folder not to be contained any more by the jar, which makes the
XSS bundle more or less useless since some of its components cannot be
activated.

I'll fix this now as I want to release version 1.0.14.

Cheers,
Radu

On Sat, 20 Aug 2016 at 00:19 Karl Pauls <ka...@gmail.com> wrote:

>
> Done.
>
> I guess I went the easy way for now by adding a Include-Resource statement
> to the maven-bundle-plugin instructions (a better way probably would be to
> move the LICENSE and NOTICE files to src/main/resources/appended-resources
> and use the remote resources plugin but oh well).
>
> regards,
>
> Karl
>
>
> > -Bertrand
> >
>
>
>
> --
> Karl Pauls
> karlpauls@gmail.com
>

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 19, 2016 at 4:03 PM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> On Fri, Aug 19, 2016 at 3:19 PM, Karl Pauls <ka...@gmail.com> wrote:
> >>... I guess at a minimum I would make sure that the problem is fixed in
> >> trunk first so that it at least doesn't happen again.
> >>
> > I can try to look into it tonight if you want me to ...
>
> You're welcome! It's probably very simple but ENOTIME here at the
> moment, doing the headless chicken thing on other fronts ;-)
>

Done.

I guess I went the easy way for now by adding a Include-Resource statement
to the maven-bundle-plugin instructions (a better way probably would be to
move the LICENSE and NOTICE files to src/main/resources/appended-resources
and use the remote resources plugin but oh well).

regards,

Karl


> -Bertrand
>



-- 
Karl Pauls
karlpauls@gmail.com

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Aug 19, 2016 at 3:19 PM, Karl Pauls <ka...@gmail.com> wrote:
>>... I guess at a minimum I would make sure that the problem is fixed in trunk
>> first so that it at least doesn't happen again.
>>
> I can try to look into it tonight if you want me to ...

You're welcome! It's probably very simple but ENOTIME here at the
moment, doing the headless chicken thing on other fronts ;-)

-Bertrand

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Karl Pauls <ka...@gmail.com>.
On Friday, August 19, 2016, Karl Pauls <ka...@gmail.com> wrote:

> On Fri, Aug 19, 2016 at 12:53 PM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:
>
>> Hi Karl,
>>
>> On Wed, Aug 17, 2016 at 12:42 AM, Karl Pauls <karlpauls@gmail.com> wrote:
>> > ...It seems to me that at a minimum the NOTICE and LICENSE of the source
>> > release should be used for the binary as well, no?...
>>
>> Good catch - what happens is that the bundles/extensions/xss source
>> code provides its own NOTICE/LICENSE files, which might be needed for
>> the binary distribution as that embeds a number of things.
>>
>> But for some reason those files are only taken into account when
>> building the source archive.
>>
>> As you didn't -1 this vote I assume you are ok with releasing as is
>> and taking care of this issue separately?
>>
>
> Well, technically I guess, you have enough +1 votes already to do as you
> please so it really is up to you :-).
>
> Personally, however, I really don't like releasing artifacts with improper
> NOTICE/LICENSE files so I'm -1 but I can live with being overruled by the majority
> vote.
>
> I guess at a minimum I would make sure that the problem is fixed in trunk
> first so that it at least doesn't happen again.
>

I can try to look into it tonight if you want me to ...

regards,

Karl



> regards,
>
> Karl
>
> -Bertrand
>>
>
>
>
> --
> Karl Pauls
> karlpauls@gmail.com
>


-- 
Karl Pauls
karlpauls@gmail.com
http://twitter.com/karlpauls
http://www.linkedin.com/in/karlpauls
https://profiles.google.com/karlpauls

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Karl Pauls <ka...@gmail.com>.
On Fri, Aug 19, 2016 at 12:53 PM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:

> Hi Karl,
>
> On Wed, Aug 17, 2016 at 12:42 AM, Karl Pauls <ka...@gmail.com> wrote:
> > ...It seems to me that at a minimum the NOTICE and LICENSE of the source
> > release should be used for the binary as well, no?...
>
> Good catch - what happens is that the bundles/extensions/xss source
> code provides its own NOTICE/LICENSE files, which might be needed for
> the binary distribution as that embeds a number of things.
>
> But for some reason those files are only taken into account when
> building the source archive.
>
> As you didn't -1 this vote I assume you are ok with releasing as is
> and taking care of this issue separately?
>

Well, technically I guess, you have enough +1 votes already to do as you
please so it really is up to you :-).

Personally, however, I really don't like releasing artifacts with improper
NOTICE/LICENSE files so I'm -1 but I can live with being overruled by the
majority vote.

I guess at a minimum I would make sure that the problem is fixed in trunk
first so that it at least doesn't happen again.

regards,

Karl

> -Bertrand



-- 
Karl Pauls
karlpauls@gmail.com

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Karl,

On Wed, Aug 17, 2016 at 12:42 AM, Karl Pauls <ka...@gmail.com> wrote:
> ...It seems to me that at a minimum the NOTICE and LICENSE of the source
> release should be used for the binary as well, no?...

Good catch - what happens is that the bundles/extensions/xss source
code provides its own NOTICE/LICENSE files, which might be needed for
the binary distribution as that embeds a number of things.

But for some reason those files are only taken into account when
building the source archive.

As you didn't -1 this vote I assume you are ok with releasing as is
and taking care of this issue separately?

-Bertrand

Re: [VOTE] Release Apache Sling XSS Protection Bundle 1.0.12

Posted by Karl Pauls <ka...@gmail.com>.
Maybe I'm missing something but it looks to me like there is some
inconsistency with the NOTICE and LICENSE going on - namely,

the NOTICE in the source release states that it:

 "includes software developed by the The Open Web Application Security
Project (https://www.owasp.org/)"

(but the source release doesn't actually include any) while the NOTICE of
the resulting binary (i.e., the jar file) _does not_ say that (but the
binary does actually include it).

Likewise, the LICENSE of the source release lists the relevant licenses and
copyrights which are actually included in the binary but the
META-INF/LICENSE of the binary doesn't.

It seems to me that at a minimum the NOTICE and LICENSE of the source
release should be used for the binary as well, no?

regards,

Karl

On Fri, Aug 12, 2016 at 10:23 AM, Bertrand Delacretaz <bdelacretaz@apache.org> wrote:
>
> Hi,
>
> The vote is still ongoing for V1.0.10 of the same module, but we
> should have waited for another small fix that's included in this
> release. No big deal.
>
> We solved 1 issue in this release:
> https://issues.apache.org/jira/browse/SLING/fixforversion/12338062
>
> Staging repository:
> https://repository.apache.org/content/repositories/orgapachesling-1500/
>
> You can use this UNIX script to download the release and verify the
> signatures:
> http://svn.apache.org/repos/asf/sling/trunk/check_staged_release.sh
>
> Usage:
> sh check_staged_release.sh 1500 /tmp/sling-staging
>
> Please vote to approve this release:
>
>   [ ] +1 Approve the release
>   [ ]  0 Don't care
>   [ ] -1 Don't release, because ...
>
> This majority vote is open for at least 72 hours.
>
> Here's my +1.
>
> -Bertrand




--
Karl Pauls
karlpauls@gmail.com
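The two packaging defects this thread turns up, the jar's META-INF/NOTICE and META-INF/LICENSE diverging from the source release's files (Karl's post above) and SLING-INF/ going missing from the jar after the first fix (Radu's "XSS bundle is broken in trunk" post), are the kind of thing a pre-vote check can catch mechanically. The script below is an added example, not the Sling project's check_staged_release.sh or any Sling code; build_sample() constructs throwaway sample data, and treating SLING-INF/ as the complete list of required resource prefixes is an assumption.

```python
"""Pre-vote consistency check for a built OSGi bundle jar (catches the two
defects from the thread: META-INF/NOTICE and META-INF/LICENSE in the jar
diverging from the source release's files, and SLING-INF/ missing from the
jar so the bundle's components cannot activate)."""
import os
import tempfile
import zipfile

# Legal files that must be identical in the source tree and under META-INF/.
LEGAL_FILES = ("LICENSE", "NOTICE")
# Entry prefixes the bundle needs at runtime. SLING-INF/ comes from the thread;
# treating it as the complete list is an assumption, adapt it per bundle.
REQUIRED_PREFIXES = ("SLING-INF/",)


def check_bundle(source_dir, jar_path, required_prefixes=REQUIRED_PREFIXES):
    """Return a list of problems; an empty list means the jar is consistent."""
    problems = []
    with zipfile.ZipFile(jar_path) as jar:
        names = set(jar.namelist())
        for legal in LEGAL_FILES:
            src_path = os.path.join(source_dir, legal)
            if not os.path.isfile(src_path):
                problems.append(f"source tree has no {legal}")
                continue
            with open(src_path, "rb") as fh:
                expected = fh.read().strip()
            entry = f"META-INF/{legal}"
            if entry not in names:
                problems.append(f"jar lacks {entry}")
            elif jar.read(entry).strip() != expected:
                problems.append(f"{entry} in jar differs from source {legal}")
        for prefix in required_prefixes:
            if not any(n.startswith(prefix) for n in names):
                problems.append(f"jar lacks required resources under {prefix}")
    return problems


def build_sample(matching=True, with_sling_inf=True):
    """Construct a throwaway source tree and jar (constructed sample data, not
    a real Sling release); returns (source_dir, jar_path) for check_bundle()."""
    root = tempfile.mkdtemp(prefix="bundle-check-")
    src = os.path.join(root, "src")
    os.makedirs(src)
    notice = b"Apache Sling XSS Protection Bundle\nIncludes software developed by OWASP\n"
    license_text = b"Apache License 2.0\n\nThird-party licenses for embedded code\n"
    for name, data in (("NOTICE", notice), ("LICENSE", license_text)):
        with open(os.path.join(src, name), "wb") as fh:
            fh.write(data)
    jar_path = os.path.join(root, "org.apache.sling.xss.jar")
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # A mismatching jar drops the third-party declarations, as in the thread.
        jar.writestr("META-INF/NOTICE", notice if matching else notice.splitlines()[0])
        jar.writestr("META-INF/LICENSE", license_text if matching else b"Apache License 2.0\n")
        if with_sling_inf:
            jar.writestr("SLING-INF/content/config.json", "{}")
    return src, jar_path


if __name__ == "__main__":
    for kwargs in ({}, {"matching": False, "with_sling_inf": False}):
        print(kwargs, "->", check_bundle(*build_sample(**kwargs)) or "OK")
```

Run against a real staged bundle, point source_dir at the unpacked source release and jar_path at the binary artifact from the staging repository; any non-empty result is a reason to hold the vote.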