Posted to dev@turbine.apache.org by Jeffery Painter <je...@jivecast.com> on 2017/10/25 17:44:47 UTC

Re: Reply: [VOTE] Release Turbine-Core 4.0 based on staged repository

Hi Georg,

I was able to build from source and there were zero failed tests. My 
build environment is Ubuntu 17.04, Maven 3.5.0 and JDK 1.8.0_144



  [x] +1 release it
  [ ] +0 go ahead I don't care
  [ ] -1 no, do not release it because


I updated the maven archetype to point to my local repo install of this 
artifact, and I was able to successfully launch a new app (with some 
minor modifications required to get the database stuff working and 
Tomcat / Eclipse) - otherwise, it looks good to me.

There were a couple of NVD-CVEs reported (jython and javax.mail I 
recall), but not sure if those are worth holding back on the release 
for.


Thanks!
Jeff



On 2017-10-25 8:02 am, Georg Kallidis wrote:
> my vote:
> 
> [x] +1 release it
> [ ] +0 go ahead I don't care
> [ ] -1 no, do not release it because
> 
> -Georg
> 
> 
> 
> From:    "Georg Kallidis" <gk...@cedis.fu-berlin.de>
> To:      "Turbine Developers List" <de...@turbine.apache.org>,
> private@turbine.apache.org
> Date:    25.10.2017 14:00
> Subject: [VOTE] Release Turbine-Core 4.0 based on staged repository
> 
> 
> 
> Hi Turbine Devs,
> 
> a release candidate for the Turbine Core Component, version 4.0 has been
> prepared.
> 
> It contains performance, security fixes, version updates, cleanups, etc.,
> cf. the changes report in the generated project report:
> http://turbine.apache.org/turbine/turbine-4.0/changes-report.html
> 
> o Updated dependencies
>         - fulcrum-security to 1.1.1
>         - fulcrum-intake to 1.2.2
> o New dependencies
>         - slf4j-api 1.7.25
>         - slf4j-log4j12 1.7.25 (delegate slf4j to log4j)
>         - jcl-over-slf4j 1.7.25 (redirect jcl to slf4j)
> o Removed dependencies
>         - xstream
>         - excalibur
> 
> Tests
> o New dependencies
>         - Mockito 2.0.2-beta
> o Removed dependencies
>         - Mockobjects
> 
> Please verify this release candidate carefully and vote.
> 
> Tag:
> https://svn.apache.org/repos/asf/turbine/core/tags/turbine-4.0
> 
> Artifacts:
> https://repository.apache.org/content/repositories/orgapacheturbine-1024
> 
> Site:
> http://turbine.apache.org/turbine/turbine-4.0/
> 
> ---------------------------------------
> Wiki:
> https://wiki.apache.org/turbine
> 
> Main Turbine site:
> http://turbine.apache.org/
> 
> Current Development site:
> http://turbine.apache.org/turbine/development/turbine-4.1/
> 
> ... will be updated after the release is done.
> 
> Help always welcome!
> ----------------------------------------
> 
> [ ] +1 release it
> [ ] +0 go ahead I don't care
> [ ] -1 no, do not release it because
> 
> Thanks!
> 
> Best regards, Georg.
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@turbine.apache.org
> For additional commands, e-mail: dev-help@turbine.apache.org


Reply: Re: Reply: [VOTE] Release Turbine-Core 4.0 based on staged repository

Posted by Georg Kallidis <gk...@cedis.fu-berlin.de>.
Hi Jeff,

hey, thanks a lot! This is a great plus, that the archetype release also 
seems to fit as a follow-up release!

The NVD-CVE vulnerability checks/report warnings always have to be 
rechecked (they are just hints and may be suppressed). I think the two 
warnings (mail, jython) do not apply, except maybe CVE-2016-4000, 
published July 06, 2017 (Jython): 
"Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a 
crafted serialized PyFunction object." 

- the site http://www.jython.org/latest.html lists Jython 2.7rc3 (NOT 
2.7.1) as the latest release and under downloads 
"The most current stable release of Jython is 2.7.0. For production 
purposes, please use this version." 

As it seems, the recommended version has not yet been released (as a 
maven dependency). 
But anyway Jython is just an optional dependency and must be included 
explicitly. The warning should be considered, if needed, as a hint for what 
to do ..

Best regards, Georg
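
An added example, not part of the original thread or of Turbine's code: a small Python triage of the scanner finding discussed above, checking whether a flagged artifact's declared version is below the fixed version (2.7.1rc1 for CVE-2016-4000) and whether it is declared optional. The POM fragment, the `jython-standalone` 2.7.0 entry and all function names are constructed for illustration; a real POM would also carry an XML namespace and may inherit versions from a parent.

```python
import re
import xml.etree.ElementTree as ET

# Constructed POM fragment (not Turbine's real pom.xml): one optional
# dependency flagged by the scanner and one regular dependency.
SAMPLE_POM = """<project><dependencies>
  <dependency><groupId>org.python</groupId><artifactId>jython-standalone</artifactId>
    <version>2.7.0</version><optional>true</optional></dependency>
  <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
    <version>1.7.25</version></dependency>
</dependencies></project>"""

# Pre-release qualifiers sort before the final release of the same number.
RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2}

def version_key(version):
    """Sort key so that 2.7rc3 < 2.7.0 < 2.7.1rc1 < 2.7.1."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc|a|b)(\d*))?",
                     version.strip().lower())
    if m is None:
        raise ValueError("unsupported version format: " + version)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))          # treat 2.7 as 2.7.0
    return (tuple(nums), RANK.get(m.group(2), 3), int(m.group(3) or 0))

def triage(pom_xml, artifact_id, fixed_in):
    """Classify a finding: not-present, unknown-version, fixed,
    affected-optional (only pulled in if a consumer opts in) or affected."""
    for dep in ET.fromstring(pom_xml).iter("dependency"):
        if dep.findtext("artifactId") != artifact_id:
            continue
        version = dep.findtext("version")
        if version is None:                # version managed elsewhere
            return "unknown-version"
        if version_key(version) >= version_key(fixed_in):
            return "fixed"
        optional = (dep.findtext("optional") or "").strip() == "true"
        return "affected-optional" if optional else "affected"
    return "not-present"

if __name__ == "__main__":
    # "Jython before 2.7.1rc1" is the affected range quoted in the thread.
    print(triage(SAMPLE_POM, "jython-standalone", "2.7.1rc1"))
```

An `affected-optional` result matches the reasoning in the reply: the warning is a hint for applications that explicitly include the optional dependency, not a blocker for the release itself.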



