Posted to user@commons.apache.org by A Mohamed Sarjoon <a....@ericsson.com.INVALID> on 2022/12/29 14:15:57 UTC

Apache Commons 4 release roadmap/ future plans

Hi Team,

I am Sarjoon from Ericsson India Global Private Limited. We are using commons collections in our product. As per our company's policy, it is advised to use an active open source library mainly for the reason that security vulnerabilities, if any reported, will be addressed at the earliest.

The latest release of apache commons collections4 was in July 2019. Could you please share the roadmap/future plans for commons collections4 releases?  Also, how will any security vulnerabilities in the apache commons4 be addressed?

Any details on the release plans will be of much help to us. Kindly help us by providing those details. Thanks in advance.

Regards,
Sarjoon

Re: [Text & Collections] sha512 issue?

Posted by po...@icloud.com.INVALID.
I’m not currently subscribed to the “dev”, but will do so. Thanks.

> On Dec 30, 2022, at 4:13 PM, Gilles Sadowski <gi...@gmail.com> wrote:
> 
> On Fri, Dec 30, 2022 at 20:53, <po...@icloud.com.invalid> wrote:
>> 
>> BTW: Some of the Apache Commons SHA download links include a properly formatted file such that, e.g. the shasum command in MacOS can perform the check automatically instead of having to eyeball the signature for a match. A concrete example of a properly formatted SHA file would be:
>> 4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c  commons-text-1.10.0-bin.tar.gz
>> 
>> and not just as it is now:
>> 4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c
>> 
>> That would help avoid errors.  Just a suggestion.
> 
> +1
> 
> See e.g.
>   https://markmail.org/message/gph76xiapoqxqifr
> 
> Are you subscribed to the "dev" ML?
> It's the place for such discussions, and, maybe, to agree on how
> to modify the current templates/plugins so that that file is generated
> as part of the release process.
> 
> Regards,
> Gilles
> 
>> [...]
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
> For additional commands, e-mail: user-help@commons.apache.org
> 




Re: [Text & Collections] sha512 issue?

Posted by Gilles Sadowski <gi...@gmail.com>.
On Fri, Dec 30, 2022 at 20:53, <po...@icloud.com.invalid> wrote:
>
> BTW: Some of the Apache Commons SHA download links include a properly formatted file such that, e.g. the shasum command in MacOS can perform the check automatically instead of having to eyeball the signature for a match. A concrete example of a properly formatted SHA file would be:
> 4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c  commons-text-1.10.0-bin.tar.gz
>
> and not just as it is now:
> 4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c
>
> That would help avoid errors.  Just a suggestion.

+1

See e.g.
   https://markmail.org/message/gph76xiapoqxqifr

Are you subscribed to the "dev" ML?
It's the place for such discussions, and, maybe, to agree on how
to modify the current templates/plugins so that that file is generated
as part of the release process.

Regards,
Gilles

> [...]



Re: [Text & Collections] sha512 issue?

Posted by po...@icloud.com.INVALID.
BTW: Some of the Apache Commons SHA download links include a properly formatted file such that, e.g. the shasum command in MacOS can perform the check automatically instead of having to eyeball the signature for a match. A concrete example of a properly formatted SHA file would be:
4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c  commons-text-1.10.0-bin.tar.gz

and not just as it is now:
4c5e1b9c8430d5e198c666ebda094dda0fdf6bd62a06884c35d07cbe53f6156dc0a6d46ff8b00e9c01079b908ea5636d3888d8efc703afc5afdcc1cdb5c5af2c

That would help avoid errors.  Just a suggestion. (And of course I could just do that manually to the downloaded SHA file…)

Regards
Pete

> On Dec 30, 2022, at 11:25 AM, poetry_press.0o@icloud.com.invalid wrote:
> 
> They do work for me now too, but that was not what I was getting yesterday from:
> https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz
> 
> Perhaps my own error on those two. Thanks for checking.
> 
> Regards
> Pete
> 
>> On Dec 30, 2022, at 10:14 AM, Gilles Sadowski <gi...@gmail.com> wrote:
>> 
>> Hi.
>> 
>> On Fri, Dec 30, 2022 at 19:13, Gary Gregory <ga...@gmail.com> wrote:
>>> 
>>> I think you're just going to a third party mirror through the dlcdn name?
>> 
>> That's how the *ASF* download page works.
>> 
>>> 
>>> What matters is what is on our servers at
>>> https://archive.apache.org/dist/commons/collections/ as sebb points out.
>> 
>> If there were an issue on the other servers, that would matter too.
>> [But there isn't, as noted in my previous mail.]
>> 
>> Gilles
>> 
>> 
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
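
Added example, not part of the original thread: a POSIX shell example of the check discussed above. It verifies a download against a .sha512 file in either layout (bare digest, or "<digest>  <filename>") and rewrites a bare digest into the layout that `sha512sum -c` / `shasum -a 512 -c` can check. The function names and the constructed sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare a download with a .sha512 file in either layout.
# Function names and the sample file below are constructed for illustration.

# Use GNU sha512sum when present, otherwise Perl's shasum (shipped with macOS).
sha512_cmd() {
    if command -v sha512sum >/dev/null 2>&1; then
        echo "sha512sum"
    else
        echo "shasum -a 512"
    fi
}

# verify_sha512 ARTIFACT SHAFILE
# Returns 0 on match, 1 on mismatch, 2 if SHAFILE holds no valid SHA-512 digest.
verify_sha512() {
    # In both layouts the digest is the first field of the first line.
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2    # SHA-512 is 128 hex characters
    actual=$($(sha512_cmd) "$1" | awk '{print tolower($1)}')
    [ "$actual" = "$expected" ]
}

# to_check_line ARTIFACT SHAFILE
# Prints "<digest>  <filename>", the layout that the -c option can check.
to_check_line() {
    printf '%s  %s\n' "$(awk 'NR==1 {print tolower($1)}' "$2")" "$(basename "$1")"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed stand-in for a downloaded archive.
    printf 'constructed sample archive contents\n' > "$dir/sample-bin.tar.gz"
    digest=$($(sha512_cmd) "$dir/sample-bin.tar.gz" | awk '{print $1}')
    printf '%s\n' "$digest" > "$dir/sample-bin.tar.gz.sha512"   # bare digest only

    # Direct comparison works on the bare-digest file.
    verify_sha512 "$dir/sample-bin.tar.gz" "$dir/sample-bin.tar.gz.sha512" \
        && echo "bare digest: match"

    # Rewrite into the checkable layout, then let the tool do the check.
    to_check_line "$dir/sample-bin.tar.gz" "$dir/sample-bin.tar.gz.sha512" \
        > "$dir/checkable.sha512"
    (cd "$dir" && $(sha512_cmd) -c checkable.sha512)

    # A modified file must be rejected.
    printf 'extra bytes\n' >> "$dir/sample-bin.tar.gz"
    verify_sha512 "$dir/sample-bin.tar.gz" "$dir/sample-bin.tar.gz.sha512" \
        || echo "modified file: mismatch detected"
    rm -rf "$dir"
}

demo
```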


Re: [Text & Collections] sha512 issue?

Posted by po...@icloud.com.INVALID.
They do work for me now too, but that was not what I was getting yesterday from:
https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz

Perhaps my own error on those two. Thanks for checking.

Regards
Pete

> On Dec 30, 2022, at 10:14 AM, Gilles Sadowski <gi...@gmail.com> wrote:
> 
> Hi.
> 
> On Fri, Dec 30, 2022 at 19:13, Gary Gregory <ga...@gmail.com> wrote:
>> 
>> I think you're just going to a third party mirror through the dlcdn name?
> 
> That's how the *ASF* download page works.
> 
>> 
>> What matters is what is on our servers at
>> https://archive.apache.org/dist/commons/collections/ as sebb points out.
> 
> If there were an issue on the other servers, that would matter too.
> [But there isn't, as noted in my previous mail.]
> 
> Gilles
> 
> 




Re: [Text & Collections] sha512 issue?

Posted by Gilles Sadowski <gi...@gmail.com>.
Hi.

On Fri, Dec 30, 2022 at 19:13, Gary Gregory <ga...@gmail.com> wrote:
>
> I think you're just going to a third party mirror through the dlcdn name?

That's how the *ASF* download page works.

>
> What matters is what is on our servers at
> https://archive.apache.org/dist/commons/collections/ as sebb points out.

If there were an issue on the other servers, that would matter too.
[But there isn't, as noted in my previous mail.]

Gilles



Re: [Text & Collections] sha512 issue?

Posted by Gary Gregory <ga...@gmail.com>.
I think you're just going to a third party mirror through the dlcdn name?

What matters is what is on our servers at
https://archive.apache.org/dist/commons/collections/ as sebb points out.

Gary

On Fri, Dec 30, 2022, 11:55 Gilles Sadowski <gi...@gmail.com> wrote:

> On Fri, Dec 30, 2022 at 17:29, Gary Gregory <ga...@gmail.com> wrote:
> >
> > That's the download page, not what you are downloading. What URL are
> > you actually using for the files?
>
> I confirm that
>   https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz
> does not match the checksum in
>   https://www.apache.org/dist/commons/collections/binaries/commons-collections4-4.4-bin.tar.gz.sha512
> (both links taken from the "download_collections.cgi" page).
>
> Gilles
>
> >
> > Gary
> >
> > On Fri, Dec 30, 2022 at 11:26 AM <po...@icloud.com.invalid> wrote:
> > >
> > > Hi Gary,
> > >
> > > I use the links for the binaries (tar.gz) at:
> > > https://commons.apache.org/proper/commons-collections/download_collections.cgi
> > > https://commons.apache.org/proper/commons-text/download_text.cgi
> > >
> > >
> > > > On Dec 30, 2022, at 4:13 AM, Gary Gregory <ga...@gmail.com> wrote:
> > > >
> > > > Hello Pete,
> > > >
> > > > What are the URLs you are downloading?
> > > >
> > > > Gary
> > > >
> > > > On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:
> > > >
> > > >> I downloaded (multiple times) the two subject bin archives and did a
> > > >> sha-512 check. They did not check. Others, like math, checked correctly.
> > > >> Is there an issue with those archives? Thanks.
> > > >>
> > > >> Regards
> > > >> Pete
> > > >>
> > > >> PS I do a pgp verification on the signatures but don’t have them trusted
> > > >> in my keyring so I like to check the sha signatures.
>
>
>

Re: [Text & Collections] sha512 issue?

Posted by Gilles Sadowski <gi...@gmail.com>.
On Fri, Dec 30, 2022 at 19:02, sebb <se...@gmail.com> wrote:
>
> On Fri, 30 Dec 2022 at 16:55, Gilles Sadowski <gi...@gmail.com> wrote:
> >
> > On Fri, Dec 30, 2022 at 17:29, Gary Gregory <ga...@gmail.com> wrote:
> > >
> > > That's the download page, not what you are downloading. What URL are
> > > you actually using for the files?
> >
> > I confirm that
> >   https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz
> > does not match the checksum in
> >   https://www.apache.org/dist/commons/collections/binaries/commons-collections4-4.4-bin.tar.gz.sha512
> > (both links taken from the "download_collections.cgi" page).
>
> Works OK for me; I get sha512 of
>
> 678068a958aed983926a8852b25470ab1dcce637856f85e3b3f07fae28b25da6f2326b87d123395c4f531abfc88b74f847dbcaba9a71824adab6d52ca2568395

Me too; sorry (I was checking the wrong file) for the noise.
I've now checked all 4 files on the download page. No problem.

Regards,
Gilles



Re: [Text & Collections] sha512 issue?

Posted by sebb <se...@gmail.com>.
On Fri, 30 Dec 2022 at 16:55, Gilles Sadowski <gi...@gmail.com> wrote:
>
> On Fri, Dec 30, 2022 at 17:29, Gary Gregory <ga...@gmail.com> wrote:
> >
> > That's the download page, not what you are downloading. What URL are
> > you actually using for the files?
>
> I confirm that
>   https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz
> does not match the checksum in
>   https://www.apache.org/dist/commons/collections/binaries/commons-collections4-4.4-bin.tar.gz.sha512
> (both links taken from the "download_collections.cgi" page).

Works OK for me; I get sha512 of

678068a958aed983926a8852b25470ab1dcce637856f85e3b3f07fae28b25da6f2326b87d123395c4f531abfc88b74f847dbcaba9a71824adab6d52ca2568395


> Gilles
>
> >
> > Gary
> >
> > On Fri, Dec 30, 2022 at 11:26 AM <po...@icloud.com.invalid> wrote:
> > >
> > > Hi Gary,
> > >
> > > I use the links for the binaries (tar.gz) at:
> > > https://commons.apache.org/proper/commons-collections/download_collections.cgi
> > > https://commons.apache.org/proper/commons-text/download_text.cgi
> > >
> > >
> > > > On Dec 30, 2022, at 4:13 AM, Gary Gregory <ga...@gmail.com> wrote:
> > > >
> > > > Hello Pete,
> > > >
> > > > What are the URLs you are downloading?
> > > >
> > > > Gary
> > > >
> > > > On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:
> > > >
> > > >> I downloaded (multiple times) the two subject bin archives and did a
> > > >> sha-512 check. They did not check. Others, like math, checked correctly.
> > > >> Is there an issue with those archives? Thanks.
> > > >>
> > > >> Regards
> > > >> Pete
> > > >>
> > > >> PS I do a pgp verification on the signatures but don’t have them trusted
> > > >> in my keyring so I like to check the sha signatures.
>
>



Re: [Text & Collections] sha512 issue?

Posted by Gilles Sadowski <gi...@gmail.com>.
On Fri, Dec 30, 2022 at 17:29, Gary Gregory <ga...@gmail.com> wrote:
>
> That's the download page, not what you are downloading. What URL are
> you actually using for the files?

I confirm that
  https://dlcdn.apache.org//commons/collections/binaries/commons-collections4-4.4-bin.tar.gz
does not match the checksum in
  https://www.apache.org/dist/commons/collections/binaries/commons-collections4-4.4-bin.tar.gz.sha512
(both links taken from the "download_collections.cgi" page).

Gilles

>
> Gary
>
> On Fri, Dec 30, 2022 at 11:26 AM <po...@icloud.com.invalid> wrote:
> >
> > Hi Gary,
> >
> > I use the links for the binaries (tar.gz) at:
> > https://commons.apache.org/proper/commons-collections/download_collections.cgi
> > https://commons.apache.org/proper/commons-text/download_text.cgi
> >
> >
> > > On Dec 30, 2022, at 4:13 AM, Gary Gregory <ga...@gmail.com> wrote:
> > >
> > > Hello Pete,
> > >
> > > What are the URLs you are downloading?
> > >
> > > Gary
> > >
> > > On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:
> > >
> > >> I downloaded (multiple times) the two subject bin archives and did a
> > >> sha-512 check. They did not check. Others, like math, checked correctly.
> > >> Is there an issue with those archives? Thanks.
> > >>
> > >> Regards
> > >> Pete
> > >>
> > >> PS I do a pgp verification on the signatures but don’t have them trusted
> > >> in my keyring so I like to check the sha signatures.



Re: [Text & Collections] sha512 issue?

Posted by Gary Gregory <ga...@gmail.com>.
That's the download page, not what you are downloading. What URL are
you actually using for the files?

Gary

On Fri, Dec 30, 2022 at 11:26 AM <po...@icloud.com.invalid> wrote:
>
> Hi Gary,
>
> I use the links for the binaries (tar.gz) at:
> https://commons.apache.org/proper/commons-collections/download_collections.cgi
> https://commons.apache.org/proper/commons-text/download_text.cgi
>
>
> > On Dec 30, 2022, at 4:13 AM, Gary Gregory <ga...@gmail.com> wrote:
> >
> > Hello Pete,
> >
> > What are the URLs you are downloading?
> >
> > Gary
> >
> > On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:
> >
> >> I downloaded (multiple times) the two subject bin archives and did a
> >> sha-512 check. They did not check. Others, like math, checked correctly.
> >> Is there an issue with those archives? Thanks.
> >>
> >> Regards
> >> Pete
> >>
> >> PS I do a pgp verification on the signatures but don’t have them trusted
> >> in my keyring so I like to check the sha signatures.
> >>
> >>
>
>
>



Re: [Text & Collections] sha512 issue?

Posted by po...@icloud.com.INVALID.
Hi Gary,

I use the links for the binaries (tar.gz) at:
https://commons.apache.org/proper/commons-collections/download_collections.cgi
https://commons.apache.org/proper/commons-text/download_text.cgi


> On Dec 30, 2022, at 4:13 AM, Gary Gregory <ga...@gmail.com> wrote:
> 
> Hello Pete,
> 
> What are the URLs you are downloading?
> 
> Gary
> 
> On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:
> 
>> I downloaded (multiple times) the two subject bin archives and did a
>> sha-512 check. They did not check. Others, like math, checked correctly.
>> Is there an issue with those archives? Thanks.
>> 
>> Regards
>> Pete
>> 
>> PS I do a pgp verification on the signatures but don’t have them trusted
>> in my keyring so I like to check the sha signatures.
>> 
>> 




Re: [Text & Collections] sha512 issue?

Posted by Gary Gregory <ga...@gmail.com>.
Hello Pete,

What are the URLs you are downloading?

Gary

On Thu, Dec 29, 2022, 22:57 <po...@icloud.com.invalid> wrote:

> I downloaded (multiple times) the two subject bin archives and did a
> sha-512 check. They did not check. Others, like math, checked correctly.
> Is there an issue with those archives? Thanks.
>
> Regards
> Pete
>
> PS I do a pgp verification on the signatures but don’t have them trusted
> in my keyring so I like to check the sha signatures.
>
>

[Text & Collections] sha512 issue?

Posted by po...@icloud.com.INVALID.
I downloaded (multiple times) the two subject bin archives and did a sha-512 check. They did not check. Others, like math, checked correctly.  Is there an issue with those archives? Thanks.

Regards
Pete

PS I do a pgp verification on the signatures but don’t have them trusted in my keyring so I like to check the sha signatures.


Re: Apache Commons 4 release roadmap/ future plans

Posted by Gary Gregory <ga...@gmail.com>.
The Commons Collections' upcoming 4.5 main feature will be the
addition of Bloom filters. We can consider a release whenever that's
considered fully baked.

Gary

On Thu, Dec 29, 2022 at 1:22 PM A Mohamed Sarjoon
<a....@ericsson.com.invalid> wrote:
>
> Hi Team,
>
> I am Sarjoon from Ericsson India Global Private Limited. We are using commons collections in our product. As per our company's policy, it is advised to use an active open source library mainly for the reason that security vulnerabilities, if any reported, will be addressed at the earliest.
>
> The latest release of apache commons collections4 was in July 2019. Could you please share the roadmap/future plans for commons collections4 releases?  Also, how will any security vulnerabilities in the apache commons4 be addressed?
>
> Any details on the release plans will be of much help to us. Kindly help us by providing those details. Thanks in advance.
>
> Regards,
> Sarjoon



Re: Apache Commons 4 release roadmap/ future plans

Posted by Gilles Sadowski <gi...@gmail.com>.
Hello.

On Thu, Dec 29, 2022 at 19:22, A Mohamed Sarjoon
<a....@ericsson.com.invalid> wrote:
>
> Hi Team,
>
> I am Sarjoon from Ericsson India Global Private Limited. We are using commons collections in our product. As per our company's policy, it is advised to use an active open source library mainly for the reason that security vulnerabilities, if any reported, will be addressed at the earliest.

This is what happens at the ASF, in general:  Non-active projects
are retired and vulnerabilities are addressed.

>
> The latest release of apache commons collections4 was in July 2019. Could you please share the roadmap/future plans for commons collections4 releases?

As the project's contributors are all volunteers, there is no strict roadmap.
A release happens when someone deems it necessary, and puts in the
necessary work to make it happen.

> Also, how will any security vulnerabilities in the apache commons4 be addressed?

There is no such thing as "commons4"; the "Commons" project provides
several components.  They are listed at
    https://commons.apache.org/

Security information is here:
    https://commons.apache.org/security.html

>
> Any details on the release plans will be of much help to us. Kindly help us by providing those details. Thanks in advance.

Wouldn't it be helpful if you'd provide a detailed list of requirements
for a programming project to be tagged as an "active open source
library"?

Regards,
Gilles
