Posted to log4net-dev@logging.apache.org by Stefan Bodewig <bo...@apache.org> on 2013/11/18 06:21:33 UTC

[VOTE] Release Log4Net 1.2.13 based on RC3

Hi all,

three times is a charm. :-)

Changes over RC2 are a packaging change (the 3.5 assemblies now contain
the ILogExtensions) and two bug fixes.

log4net 1.2.13 RC3 is available for review here:
  https://dist.apache.org/repos/dist/dev/logging/log4net
  (revision 3550)

Details of changes since 1.2.12 are in the release notes:
  http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html

I have tested this with Mono and several .NET frameworks using NAnt.

The tag is here:
  https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3
  (revision 1542676)

Site:
  http://logging.apache.org/log4net/log4net-1.2.13/

  (this is revision 887035 of
  https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13)

RAT Report:
  http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html

Votes, please.  This vote will close in 72 hours, 0530 GMT 21-Nov
2013

[ ] +1 Release these artifacts
[ ] +0 OK, but...
[ ] -0 OK, but really should fix...
[ ] -1 I oppose this release because...

Thanks!

        Stefan

Re: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Christian Grobmeier <gr...@gmail.com>.
On 21 Nov 2013, at 8:17, Dominik Psenner wrote:

>>> One no blocker which I just saw: the KEYS file is included in the
>>> dist. Shouldn't it be left out?
>>
>> I think we've always done it that way in log4net and I know Ant has been
>> doing so since 2000 - what's wrong with it?
>
> They have been there also in 1.2.12 and 1.2.11. So this isn't something new.

I didn't say it's new. I just recognized it now :-)

For reasoning, pls see other mail.


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB

AW: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Dominik Psenner <dp...@gmail.com>.
>> One no blocker which I just saw: the KEYS file is included in the
>> dist. Shouldn't it be left out?
>
>I think we've always done it that way in log4net and I know Ant has been
>doing so since 2000 - what's wrong with it?

They have been there also in 1.2.12 and 1.2.11. So this isn't something new.


Re: KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)

Posted by Christian Grobmeier <gr...@gmail.com>.
On 21 Nov 2013, at 9:56, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>
>> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:
>
>>> On 2013-11-21, Christian Grobmeier wrote:
>
>>>> One no blocker which I just saw: the KEYS file is included in the
>>>> dist. Shouldn't it be left out?
>
>>> I think we've always done it that way in log4net and I know Ant has been
>>> doing so since 2000 - what's wrong with it?
>
>> when somebody downloads it and opens the zip, it is tempting to
>> validate the package against the included KEYS file. But if somebody
>> could manipulate the content of the package, he also could manipulate
>> the KEYS file.  For that reason the KEYS file should be on a different
>> location. This is the case, that's why I meant it's not critical. It
>> is on the other hand tempting to take the included one… nitpickery!
>> Thanks for pushing out the release!
>
> If this "somebody" downloaded the signature from the ASF and not from a
> mirror then the signature will not work if the zip has been modified, no
> matter which KEYS file it contains.  Unless you think the attacker has
> modified the signature, but then the KEYS file in the dist area would be
> as vulnerable as that.

Good point. Not sure if this is actually a problem or not.
When I have time I will ask one of the infra gurus.

cheers
Christian

>
> Stefan


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB

KEYS in dist (was Re: [VOTE] Release Log4Net 1.2.13 based on RC3)

Posted by Stefan Bodewig <bo...@apache.org>.
On 2013-11-21, Christian Grobmeier wrote:

> On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:

>> On 2013-11-21, Christian Grobmeier wrote:

>>> One no blocker which I just saw: the KEYS file is included in the
>>> dist. Shouldn't it be left out?

>> I think we've always done it that way in log4net and I know Ant has been
>> doing so since 2000 - what's wrong with it?

> when somebody downloads it and opens the zip, it is tempting to
> validate the package against the included KEYS file. But if somebody
> could manipulate the content of the package, he also could manipulate
> the KEYS file.  For that reason the KEYS file should be on a different
> location. This is the case, that's why I meant it's not critical. It
> is on the other hand tempting to take the included one… nitpickery!
> Thanks for pushing out the release!

If this "somebody" downloaded the signature from the ASF and not from a
mirror then the signature will not work if the zip has been modified, no
matter which KEYS file it contains.  Unless you think the attacker has
modified the signature, but then the KEYS file in the dist area would be
as vulnerable as that.

Stefan
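
The two arguments above as a runnable model, added here as an example and not part of the original thread: a genuine signature never verifies a modified archive whatever key is used, but if archive, signature and KEYS are all replaced together, checking against the bundled KEYS passes and only a key fingerprint obtained separately catches it. A hash-based Lamport one-time signature from the Python standard library stands in for the OpenPGP signatures used on real releases; all names and byte strings are constructed.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def digest_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    # Reveal one secret of each pair, chosen by the matching digest bit.
    return b"".join(sk[i][bit] for i, bit in enumerate(digest_bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(digest_bits(msg)):
        start = 64 * i + 32 * bit
        if H(sig[32 * i:32 * i + 32]) != pk[start:start + 32]:
            return False
    return True

def fingerprint(pk):
    return hashlib.sha256(pk).hexdigest()

def check_release(archive, sig, keys, pinned_fpr=None):
    # pinned_fpr: fingerprint obtained out of band; None trusts `keys` as handed over.
    if pinned_fpr is not None and fingerprint(keys) != pinned_fpr:
        return False
    return verify(keys, archive, sig)

def scenarios():
    rm_sk, rm_pk = keygen()      # release manager (constructed)
    bad_sk, bad_pk = keygen()    # whoever repacked the zip (constructed)
    zip_ok = b"constructed release archive bytes"
    zip_mod = b"constructed release archive bytes, modified"
    sig_ok = sign(rm_sk, zip_ok)
    sig_bad = sign(bad_sk, zip_mod)
    pinned = fingerprint(rm_pk)
    return {
        "genuine release, pinned key": check_release(zip_ok, sig_ok, rm_pk, pinned),
        "modified zip, genuine sig, genuine KEYS": check_release(zip_mod, sig_ok, rm_pk),
        "modified zip, genuine sig, swapped KEYS": check_release(zip_mod, sig_ok, bad_pk),
        "zip, sig and KEYS all swapped, bundled KEYS trusted": check_release(zip_mod, sig_bad, bad_pk),
        "zip, sig and KEYS all swapped, pinned key": check_release(zip_mod, sig_bad, bad_pk, pinned),
    }

if __name__ == "__main__":
    print(scenarios())
```

Of the four tampered cases, only the one that trusts the bundled KEYS file accepts the modified archive.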

Re: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Christian Grobmeier <gr...@gmail.com>.
On 21 Nov 2013, at 8:15, Stefan Bodewig wrote:

> On 2013-11-21, Christian Grobmeier wrote:
>
>> +1
>
>> checked formalities, but didn't interpret the content b/c lack of
>> windows :-)
>
> thanks.
>
>> One no blocker which I just saw: the KEYS file is included in the
>> dist. Shouldn't it be left out?
>
> I think we've always done it that way in log4net and I know Ant has been
> doing so since 2000 - what's wrong with it?

When somebody downloads it and opens the zip, it is tempting to validate
the package against the included KEYS file. But if somebody could manipulate
the content of the package, he also could manipulate the KEYS file.
For that reason the KEYS file should be on a different location. This is the
case, that's why I meant it's not critical. It is on the other hand tempting
to take the included one… nitpickery! Thanks for pushing out the release!

> Stefan


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB

Re: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Stefan Bodewig <bo...@apache.org>.
On 2013-11-21, Christian Grobmeier wrote:

> +1

> checked formalities, but didn't interpret the content b/c lack of
> windows :-)

thanks.

> One no blocker which I just saw: the KEYS file is included in the
> dist. Shouldn't it be left out?

I think we've always done it that way in log4net and I know Ant has been
doing so since 2000 - what's wrong with it?

Stefan

Re: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Gary Gregory <ga...@gmail.com>.
Including the KEYS file seems to defeat the purpose.

G


On Thu, Nov 21, 2013 at 1:17 AM, Christian Grobmeier <gr...@gmail.com> wrote:

> +1
>
> checked formalities, but didn't interpret the content b/c lack of windows
> :-)
> One no blocker which I just saw: the KEYS file is included in the dist.
> Shouldn't it be left out?
>
> Cheers
>
>
> On 18 Nov 2013, at 6:21, Stefan Bodewig wrote:
>
>> Hi all,
>>
>> three times is a charm. :-)
>>
>> Changes over RC2 are a packaging change (the 3.5 assemblies now contain
>> the ILogExtensions) and two bug fixes.
>>
>> log4net 1.2.13 RC3 is available for review here:
>> https://dist.apache.org/repos/dist/dev/logging/log4net
>> (revision 3550)
>>
>> Details of changes since 1.2.12 are in the release notes:
>> http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html
>>
>> I have tested this with Mono and several .NET frameworks using NAnt.
>>
>> The tag is here:
>> https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3
>> (revision 1542676)
>>
>> Site:
>> http://logging.apache.org/log4net/log4net-1.2.13/
>>
>> (this is revision 887035 of
>> https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13)
>>
>> RAT Report:
>> http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html
>>
>> Votes, please.  This vote will close in 72 hours, 0530 GMT 21-Nov
>> 2013
>>
>> [ ] +1 Release these artifacts
>> [ ] +0 OK, but...
>> [ ] -0 OK, but really should fix...
>> [ ] -1 I oppose this release because...
>>
>> Thanks!
>>
>>      Stefan
>>
>
>
> ---
> http://www.grobmeier.de
> @grobmeier
> GPG: 0xA5CC90DB
>



-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory

Re: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Christian Grobmeier <gr...@gmail.com>.
+1

checked formalities, but didn't interpret the content b/c lack of 
windows :-)
One no blocker which I just saw: the KEYS file is included in the dist. 
Shouldn't it be left out?

Cheers

On 18 Nov 2013, at 6:21, Stefan Bodewig wrote:

> Hi all,
>
> three times is a charm. :-)
>
> Changes over RC2 are a packaging change (the 3.5 assemblies now contain
> the ILogExtensions) and two bug fixes.
>
> log4net 1.2.13 RC3 is available for review here:
> https://dist.apache.org/repos/dist/dev/logging/log4net
> (revision 3550)
>
> Details of changes since 1.2.12 are in the release notes:
> http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html
>
> I have tested this with Mono and several .NET frameworks using NAnt.
>
> The tag is here:
> https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3
> (revision 1542676)
>
> Site:
> http://logging.apache.org/log4net/log4net-1.2.13/
>
> (this is revision 887035 of
> https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13)
>
> RAT Report:
> http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html
>
> Votes, please.  This vote will close in 72 hours, 0530 GMT 21-Nov
> 2013
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thanks!
>
>      Stefan


---
http://www.grobmeier.de
@grobmeier
GPG: 0xA5CC90DB

[RESULT] Release Log4Net 1.2.13 based on RC3

Posted by Stefan Bodewig <bo...@apache.org>.
So I count three +1s by Dominik, Christian and myself with no other
votes.

As usual I'll publish the distro and give the mirrors some time to catch
up before sending out the announcement and updating the site.

Stefan

AW: [VOTE] Release Log4Net 1.2.13 based on RC3

Posted by Dominik Psenner <dp...@gmail.com>.
I've looked over the homepage, the SDK and checked the RAT report. If the
binaries are fine, it looks good.

+1

>-----Original Message-----
>From: Stefan Bodewig [mailto:bodewig@apache.org]
>Sent: Monday, 18 November 2013 06:22
>To: log4net-dev@logging.apache.org; general@logging.apache.org
>Subject: [VOTE] Release Log4Net 1.2.13 based on RC3
>
>Hi all,
>
>three times is a charm. :-)
>
>Changes over RC2 are a packaging change (the 3.5 assemblies now contain
>the ILogExtensions) and two bug fixes.
>
>log4net 1.2.13 RC3 is available for review here:
>  https://dist.apache.org/repos/dist/dev/logging/log4net
>  (revision 3550)
>
>Details of changes since 1.2.12 are in the release notes:
>  http://logging.apache.org/log4net/log4net-1.2.13/release/release-notes.html
>
>I have tested this with Mono and several .NET frameworks using NAnt.
>
>The tag is here:
>  https://svn.apache.org/repos/asf/logging/log4net/tags/1.2.13RC3
>  (revision 1542676)
>
>Site:
>  http://logging.apache.org/log4net/log4net-1.2.13/
>
>  (this is revision 887035 of
>  https://svn.apache.org/repos/infra/websites/production/logging/content/log4net/log4net-1.2.13)
>
>RAT Report:
>  http://logging.apache.org/log4net/log4net-1.2.13/rat-report.html
>
>Votes, please.  This vote will close in 72 hours, 0530 GMT 21-Nov
>2013
>
>[ ] +1 Release these artifacts
>[ ] +0 OK, but...
>[ ] -0 OK, but really should fix...
>[ ] -1 I oppose this release because...
>
>Thanks!
>
>        Stefan

