You are viewing a plain text version of this content. The canonical link for it is here.
Posted to j-users@xerces.apache.org by Mukul Gandhi <mu...@apache.org> on 2018/04/19 08:19:33 UTC
[VOTE]: Xerces-J 2.12.0 Release
Hi all,
I've uploaded Xerces-J 2.12.0 release candidates to [1] for review. In
this release candidate there are two sets of packages, the main release
built from the trunk [2] and the XML Schema 1.1 release built from the XML
Schema 1.1 development branch [3]. The change summary is available here [4]
in JIRA. 81 issues were resolved.
Test results have been looking good, so I'd like to call an official vote
now on the release.
To start, here's my +1.
Great work everyone.
[1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
[2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
[3]
http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
[4]
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10520&version=12336542
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Gary Gregory <ga...@gmail.com>.
On Thu, Apr 19, 2018 at 7:54 AM, Cantor, Scott <ca...@osu.edu> wrote:
> > To start, here's my +1.
>
> My project no longer allows use of Xerces-J, so I don't have any direct
> ability to test it, but from a PMC perspective I'll vote +1 given that the
> people who care have done their due diligence.
>
Do you feel it is responsible to VOTE without even downloading the RC,
checking hashes, and trying to build it?
Gary
>
> -- Scott
>
>
RE: [VOTE]: Xerces-J 2.12.0 Release
Posted by "Cantor, Scott" <ca...@osu.edu>.
> To start, here's my +1.
My project no longer allows use of Xerces-J, so I don't have any direct ability to test it, but from a PMC perspective I'll vote +1 given that the people who care have done their due diligence.
-- Scott
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Hi Mukul,
I noticed that the copyright year in the NOTICE file still says 2015. I'm
pretty sure that this needs to be updated.
There's also the discussion on the list about CVE-2018-2799 that we have
an opportunity to address.
I think we should stop the vote on this release candidate and respin with
fixes for these issues.
Thanks.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
Mukul Gandhi <mu...@apache.org> wrote on 04/19/2018 04:19:33 AM:
> From: Mukul Gandhi <mu...@apache.org>
> To: j-dev@xerces.apache.org, private@xerces.apache.org, j-
> users@xerces.apache.org
> Date: 04/19/2018 04:21 AM
> Subject: [VOTE]: Xerces-J 2.12.0 Release
>
> Hi all,
> I've uploaded Xerces-J 2.12.0 release candidates to [1] for
> review. In this release candidate there are two sets of packages,
> the main release built from the trunk [2] and the XML Schema 1.1
> release built from the XML Schema 1.1 development branch [3]. The
> change summary is available here [4] in JIRA. 81 issues were resolved.
>
> Test results have been looking good, so I'd like to call an official
> vote now on the release.
>
> To start, here's my +1.
>
> Great work everyone.
>
> [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
> [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
> [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-
> xml-schema-1.1/
> [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> projectId=10520&version=12336542
>
> --
> Regards,
> Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi sebb,
On Thu, Apr 19, 2018 at 2:48 PM, sebb <se...@gmail.com> wrote:
>
>
>
> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
>
> Directory revision:1829504 (of 1829520)
>
> > [3]
> > http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_
> 12_0-xml-schema-1.1/
>
> Directory revision:1829505 (of 1829520)
>
I agree with these points. When I'm initiating the Vote mail next time,
I'll add these information as well.
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Gary Gregory <ga...@gmail.com>.
On Thu, Apr 19, 2018 at 7:59 AM, Mukul Gandhi <mu...@apache.org> wrote:
> Hi Gary,
>
> On Thu, Apr 19, 2018 at 6:34 PM, Gary Gregory <ga...@gmail.com>
> wrote:
>
>> Why not add SHA1 hashes?
>>
>>>
> Please see here about the Apache projects release signing procedure,
> relating to use of SHA,
>
> http://www.apache.org/dev/release-signing.html#sha-checksum
>
> It says,
> "Please note that further use of SHA-1 should be avoided.
>
> SHA512 is recommended."
>
> I hope this would answer the question.
>
Yes of course, I did see that, I just got my SHAs mixed up ;-)
Thank you for the clarification.
Gary
>
>
> --
> Regards,
> Mukul Gandhi
>
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi Gary,
On Thu, Apr 19, 2018 at 6:34 PM, Gary Gregory <ga...@gmail.com>
wrote:
> Why not add SHA1 hashes?
>
>>
Please see here about the Apache projects release signing procedure,
relating to use of SHA,
http://www.apache.org/dev/release-signing.html#sha-checksum
It says,
"Please note that further use of SHA-1 should be avoided.
SHA512 is recommended."
I hope this would answer the question.
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Gary Gregory <ga...@gmail.com>.
Why not add SHA1 hashes?
Gary
On Thu, Apr 19, 2018, 07:00 Mukul Gandhi <mu...@apache.org> wrote:
> Hi all,
> With respect to the below mail thread between "sebb" and me, IMHO I
> don't intend to restart the VOTE mail unless there is a more genuine reason
> for the same.
>
> If anyone wishes to verify the signature and hashes of archive files as
> published on the release candidates link, it would require downloading (or
> you may take an update from SVN) the KEYS file from here "
> https://svn.apache.org/repos/asf/xerces/java/trunk/KEYS" which has my
> public key. You'd need to add these public keys to your public key ring.
>
> Of course we're also looking for any functional feedbacks, about the
> release candidate.
>
> This vote mail would progress as already started. Looking forward to your
> votes.
>
> On Thu, Apr 19, 2018 at 3:16 PM, Mukul Gandhi <mu...@apache.org> wrote:
>
>> Hello,
>> Thanks for the feedback. I've written my thoughts below.
>>
>> On Thu, Apr 19, 2018 at 2:48 PM, sebb <se...@gmail.com> wrote:
>>
>>> MD5 hashes are now deprecated and should please be removed from the
>>> download area (and download page)
>>>
>>
>> If we look at the download area of Xerces, i.e
>> http://xerces.apache.org/mirrors.cgi
>>
>> The previous Xerces-J release (2.11.0) has published a MD5 hash, that's
>> why I included it. But you're right in saying, " MD5 hashes are now
>> deprecated". The release signing information at,
>> http://www.apache.org/dev/release-signing.html#md5 says,
>> "Please note that the security of MD5 is now questionable and is only
>> useful as part of a defense in depth.". I think, this wording still gives
>> us permission to use MD5 hashes (via this, " and is only useful as part
>> of a defense in depth").
>>
>>
>>> Tags are not immutable, so for definiteness please include the
>>> revision in VOTE mails;
>>>
>>> for example
>>>
>>> Last Changed Rev: 26416
>>>
>>>
>>> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
>>>
>>> Directory revision:1829504 (of 1829520)
>>>
>>> > [3]
>>> >
>>> http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
>>>
>>> Directory revision:1829505 (of 1829520)
>>>
>>>
>> I used this mail as template for the VOTE mail,
>> https://markmail.org/message/clmyb53ju4jtghb4 that Michael Glavassevich
>> wrote for the 2.10.0 release. This mentions only the URLs of the Tag
>> locations. No revision information is mentioned over there.
>>
>
>
>
> --
> Regards,
> Mukul Gandhi
>
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi all,
With respect to the below mail thread between "sebb" and me, IMHO I
don't intend to restart the VOTE mail unless there is a more genuine reason
for the same.
If anyone wishes to verify the signature and hashes of archive files as
published on the release candidates link, it would require downloading (or
you may take an update from SVN) the KEYS file from here "
https://svn.apache.org/repos/asf/xerces/java/trunk/KEYS" which has my
public key. You'd need to add these public keys to your public key ring.
Of course we're also looking for any functional feedbacks, about the
release candidate.
This vote mail would progress as already started. Looking forward to your
votes.
On Thu, Apr 19, 2018 at 3:16 PM, Mukul Gandhi <mu...@apache.org> wrote:
> Hello,
> Thanks for the feedback. I've written my thoughts below.
>
> On Thu, Apr 19, 2018 at 2:48 PM, sebb <se...@gmail.com> wrote:
>
>> MD5 hashes are now deprecated and should please be removed from the
>> download area (and download page)
>>
>
> If we look at the download area of Xerces, i.e http://xerces.apache.org/
> mirrors.cgi
>
> The previous Xerces-J release (2.11.0) has published a MD5 hash, that's
> why I included it. But you're right in saying, " MD5 hashes are now
> deprecated". The release signing information at,
> http://www.apache.org/dev/release-signing.html#md5 says,
> "Please note that the security of MD5 is now questionable and is only
> useful as part of a defense in depth.". I think, this wording still gives
> us permission to use MD5 hashes (via this, " and is only useful as part
> of a defense in depth").
>
>
>> Tags are not immutable, so for definiteness please include the
>> revision in VOTE mails;
>>
>> for example
>>
>> Last Changed Rev: 26416
>>
>>
>> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
>>
>> Directory revision:1829504 (of 1829520)
>>
>> > [3]
>> > http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_
>> 0-xml-schema-1.1/
>>
>> Directory revision:1829505 (of 1829520)
>>
>>
> I used this mail as template for the VOTE mail, https://markmail.org/
> message/clmyb53ju4jtghb4 that Michael Glavassevich wrote for the 2.10.0
> release. This mentions only the URLs of the Tag locations. No revision
> information is mentioned over there.
>
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hello,
Thanks for the feedback. I've written my thoughts below.
On Thu, Apr 19, 2018 at 2:48 PM, sebb <se...@gmail.com> wrote:
> MD5 hashes are now deprecated and should please be removed from the
> download area (and download page)
>
If we look at the download area of Xerces, i.e
http://xerces.apache.org/mirrors.cgi
The previous Xerces-J release (2.11.0) has published a MD5 hash, that's why
I included it. But you're right in saying, " MD5 hashes are now
deprecated". The release signing information at,
http://www.apache.org/dev/release-signing.html#md5 says,
"Please note that the security of MD5 is now questionable and is only
useful as part of a defense in depth.". I think, this wording still gives
us permission to use MD5 hashes (via this, " and is only useful as part of
a defense in depth").
> Tags are not immutable, so for definiteness please include the
> revision in VOTE mails;
>
> for example
>
> Last Changed Rev: 26416
>
>
> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
>
> Directory revision:1829504 (of 1829520)
>
> > [3]
> > http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_
> 12_0-xml-schema-1.1/
>
> Directory revision:1829505 (of 1829520)
>
>
I used this mail as template for the VOTE mail,
https://markmail.org/message/clmyb53ju4jtghb4 that Michael Glavassevich
wrote for the 2.10.0 release. This mentions only the URLs of the Tag
locations. No revision information is mentioned over there.
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by sebb <se...@gmail.com>.
On 19 April 2018 at 09:19, Mukul Gandhi <mu...@apache.org> wrote:
> Hi all,
> I've uploaded Xerces-J 2.12.0 release candidates to [1] for review. In
> this release candidate there are two sets of packages, the main release
> built from the trunk [2] and the XML Schema 1.1 release built from the XML
> Schema 1.1 development branch [3]. The change summary is available here [4]
> in JIRA. 81 issues were resolved.
>
> Test results have been looking good, so I'd like to call an official vote
> now on the release.
>
> To start, here's my +1.
>
> Great work everyone.
>
> [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
MD5 hashes are now deprecated and should please be removed from the
download area (and download page)
[No need to re-run the VOTE for this.]
Tags are not immutable, so for definiteness please include the
revision in VOTE mails;
for example
Last Changed Rev: 26416
> [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
Directory revision:1829504 (of 1829520)
> [3]
> http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-xml-schema-1.1/
Directory revision:1829505 (of 1829520)
> [4]
> https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=10520&version=12336542
>
>
>
> --
> Regards,
> Mukul Gandhi
---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-dev-help@xerces.apache.org
RE: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by David Dillard <Da...@veritas.com>.
Hi,
Can someone please get a CVE for the readObject issue? I don’t know what the internal ASF process is for that, but ASF is its own CNA so it seems there must be one.
Also, it’d be good to issue a security advisory concurrent with the release announcement.
Regards,
David
From: Mukul Gandhi [mailto:mukulg@apache.org]
Sent: Saturday, April 21, 2018 1:05 AM
To: j-dev@xerces.apache.org
Cc: private@xerces.apache.org; j-users@xerces.apache.org
Subject: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release
Hi Michael & all,
I've fixed all the below mentioned issues that were found in previous RC, within the revised RC for 2.12.0 release. I'll shortly be writing a separate mail, for the Vote for new RC.
On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mr...@ca.ibm.com>> wrote:
Should fix the copyright years in the docs too. It currently has: 1999-2014 in the footer of all the pages.
Michael Glavassevich <mr...@ca.ibm.com>> wrote on 04/19/2018 04:40:16 PM:
> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
> E-mail: mrglavas@apache.org<ma...@apache.org>
--
Regards,
Mukul Gandhi
RE: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by David Dillard <Da...@veritas.com>.
Hi,
Can someone please get a CVE for the readObject issue? I don’t know what the internal ASF process is for that, but ASF is its own CNA so it seems there must be one.
Also, it’d be good to issue a security advisory concurrent with the release announcement.
Regards,
David
From: Mukul Gandhi [mailto:mukulg@apache.org]
Sent: Saturday, April 21, 2018 1:05 AM
To: j-dev@xerces.apache.org
Cc: private@xerces.apache.org; j-users@xerces.apache.org
Subject: [EXTERNAL] Re: [VOTE]: Xerces-J 2.12.0 Release
Hi Michael & all,
I've fixed all the below mentioned issues that were found in previous RC, within the revised RC for 2.12.0 release. I'll shortly be writing a separate mail, for the Vote for new RC.
On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mr...@ca.ibm.com>> wrote:
Should fix the copyright years in the docs too. It currently has: 1999-2014 in the footer of all the pages.
Michael Glavassevich <mr...@ca.ibm.com>> wrote on 04/19/2018 04:40:16 PM:
> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com<ma...@ca.ibm.com>
> E-mail: mrglavas@apache.org<ma...@apache.org>
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi Michael & all,
I've fixed all the below mentioned issues that were found in previous
RC, within the revised RC for 2.12.0 release. I'll shortly be writing a
separate mail, for the Vote for new RC.
On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mr...@ca.ibm.com>
wrote:
> Should fix the copyright years in the docs too. It currently has:
> 1999-2014 in the footer of all the pages.
> Michael Glavassevich <mr...@ca.ibm.com> wrote on 04/19/2018 04:40:16
> PM:
>
> > Hi Mukul,
> >
> > I noticed that the copyright year in the NOTICE file still says
> > 2015. I'm pretty sure that this needs to be updated.
> >
> > There's also the discussion on the list about CVE-2018-2799 that we
> > have an opportunity to address.
> >
> > I think we should stop the vote on this release candidate and respin
> > with fixes for these issues.
> >
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi Michael,
Thanks for looking at the release candidate (RC), and your comments.
I'll attempt to fix the points raised by you.
I'll also look at the issues discussed about CVE-2018-2799, in the other
thread. I'll apply the patch suggested by David, for CVE-2018-2799 and run
my tests again to see how that works.
In view of these findings with the RC, I declare that this vote stands
stopped.
After working on the issues raised & preparing a revised RC, I'll start
another vote.
On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mr...@ca.ibm.com>
wrote:
> Should fix the copyright years in the docs too. It currently has:
> 1999-2014 in the footer of all the pages.
>
> Michael Glavassevich <mr...@ca.ibm.com> wrote on 04/19/2018 04:40:16
> PM:
>
> > Hi Mukul,
> >
> > I noticed that the copyright year in the NOTICE file still says
> > 2015. I'm pretty sure that this needs to be updated.
> >
> > There's also the discussion on the list about CVE-2018-2799 that we
> > have an opportunity to address.
> >
> > I think we should stop the vote on this release candidate and respin
> > with fixes for these issues.
>
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Mukul Gandhi <mu...@apache.org>.
Hi Michael & all,
I've fixed all the below mentioned issues that were found in previous
RC, within the revised RC for 2.12.0 release. I'll shortly be writing a
separate mail, for the Vote for new RC.
On Fri, Apr 20, 2018 at 2:29 AM, Michael Glavassevich <mr...@ca.ibm.com>
wrote:
> Should fix the copyright years in the docs too. It currently has:
> 1999-2014 in the footer of all the pages.
> Michael Glavassevich <mr...@ca.ibm.com> wrote on 04/19/2018 04:40:16
> PM:
>
> > Hi Mukul,
> >
> > I noticed that the copyright year in the NOTICE file still says
> > 2015. I'm pretty sure that this needs to be updated.
> >
> > There's also the discussion on the list about CVE-2018-2799 that we
> > have an opportunity to address.
> >
> > I think we should stop the vote on this release candidate and respin
> > with fixes for these issues.
> >
> > Thanks.
> >
> > Michael Glavassevich
> > XML Technologies and WAS Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
--
Regards,
Mukul Gandhi
Re: [VOTE]: Xerces-J 2.12.0 Release
Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Should fix the copyright years in the docs too. It currently has:
1999-2014 in the footer of all the pages.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
Michael Glavassevich <mr...@ca.ibm.com> wrote on 04/19/2018 04:40:16
PM:
> Hi Mukul,
>
> I noticed that the copyright year in the NOTICE file still says
> 2015. I'm pretty sure that this needs to be updated.
>
> There's also the discussion on the list about CVE-2018-2799 that we
> have an opportunity to address.
>
> I think we should stop the vote on this release candidate and respin
> with fixes for these issues.
>
> Thanks.
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
>
> Mukul Gandhi <mu...@apache.org> wrote on 04/19/2018 04:19:33 AM:
>
> > From: Mukul Gandhi <mu...@apache.org>
> > To: j-dev@xerces.apache.org, private@xerces.apache.org, j-
> > users@xerces.apache.org
> > Date: 04/19/2018 04:21 AM
> > Subject: [VOTE]: Xerces-J 2.12.0 Release
> >
> > Hi all,
> > I've uploaded Xerces-J 2.12.0 release candidates to [1] for
> > review. In this release candidate there are two sets of packages,
> > the main release built from the trunk [2] and the XML Schema 1.1
> > release built from the XML Schema 1.1 development branch [3]. The
> > change summary is available here [4] in JIRA. 81 issues were resolved.
> >
> > Test results have been looking good, so I'd like to call an official
> > vote now on the release.
> >
> > To start, here's my +1.
> >
> > Great work everyone.
> >
> > [1] https://dist.apache.org/repos/dist/dev/xerces/j/2.12.0/
> > [2] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0/
> > [3] http://svn.apache.org/viewvc/xerces/java/tags/Xerces-J_2_12_0-
> > xml-schema-1.1/
> > [4] https://issues.apache.org/jira/secure/ReleaseNote.jspa?
> > projectId=10520&version=12336542
> >
> > --
> > Regards,
> > Mukul Gandhi