directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: [VOTE] Apache Fortress 2.0.1 release
Date Mon, 09 Jul 2018 20:20:15 GMT

> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <mail@stefan-seelmann.de> wrote:
> 
> Two findings:
> 
> * Selenium is now included in fortress-web as runtime dependency, I
> guess it is only required as test dependency? License wise that's fine
> and not a blocker because it uses Apache License. However it increases
> the WAR file size from 26MB to 34MB and adds many more libs which may
> increase attack surface. I let you decide if that should be considered
> as blocker.

Good eye Stefan!  Updated in trunk.  I don’t believe this is a show-stopper, more of an
annoyance, and will proceed unless there are objections from others.

> 
> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <mail@stefan-seelmann.de> wrote:
> 
> Two findings:
> 
> * Future releases should not include md5 checksums, please see mail from
> Henk with subject "checksum file Release Distribution Policy" and
> https://www.apache.org/dev/release-distribution#sigs-and-sums. But
> currently it's still allowed, right?

Ah OK.  I’ll make note of that in my release procedures. I suppose we can still exclude
right?  Just remove from the maven staging repo and won’t load into SVN dist.

Let me know if that doesn’t sound right.


> On Jul 9, 2018, at 3:07 PM, Stefan Seelmann <mail@stefan-seelmann.de> wrote:
> 
> Otherwise +1 from me:
> 
> * Verified checksums and signatures of the source packages
> * Checked license and notice files
> * Built all 4 source packages with OpenJDK 1.8.0_172 on Linux
> * Run fortress core integration tests against ApacheDS and OpenLDAP

Cool, thanks!!

—Shawn
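
The checksum finding discussed in this message can be turned into a repeatable pre-vote check. The script below is an added example, not part of the original mail or of the Fortress release tooling: it flags `.md5` files in a staging directory, verifies `.sha256`/`.sha512` sidecars against their artifacts, and lists artifacts that have no such sidecar. Treating SHA-256/SHA-512 as the accepted replacements, the `audit`/`read_digest`/`demo` names, and the sample file names are assumptions of this example; signature (`.asc`) verification is out of scope.

```python
import hashlib
import re
import tempfile
from pathlib import Path

BANNED = {".md5"}  # the checksum type the thread says future releases should drop
STRONG = {".sha256": hashlib.sha256, ".sha512": hashlib.sha512}  # assumed replacements
SIDECARS = BANNED | set(STRONG) | {".asc"}  # .asc signatures are not checked here


def read_digest(sum_file: Path, hex_len: int) -> str:
    """Read a bare digest, 'digest  name', or wrapped 'name: AB12CD34 EF56...' file."""
    text = sum_file.read_text()
    run = re.search(r"\b[0-9a-fA-F]{%d}\b" % hex_len, text)
    if run:
        return run.group(0).lower()
    joined = re.sub(r"\s+", "", text.rsplit(":", 1)[-1]).lower()
    return joined if re.fullmatch(r"[0-9a-f]{%d}" % hex_len, joined) else ""


def audit(release_dir: Path) -> dict:
    report = {"banned": [], "ok": [], "mismatch": [], "no_strong_sum": []}
    for p in sorted(f for f in release_dir.iterdir() if f.is_file()):
        if p.suffix in BANNED:
            report["banned"].append(p.name)
        elif p.suffix in STRONG:
            algo, artifact = STRONG[p.suffix], p.with_suffix("")
            want = read_digest(p, algo().digest_size * 2)
            have = algo(artifact.read_bytes()).hexdigest() if artifact.is_file() else None
            report["ok" if want and want == have else "mismatch"].append(p.name)
        elif p.suffix not in SIDECARS:  # a release artifact: needs a strong sidecar
            if not any(Path(str(p) + ext).is_file() for ext in STRONG):
                report["no_strong_sum"].append(p.name)
    return report


def demo() -> dict:
    """Audit a constructed staging directory; every name and byte here is made up."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "example-src.zip").write_bytes(b"constructed release payload")
        digest = hashlib.sha512(b"constructed release payload").hexdigest().upper()
        groups = " ".join(digest[i:i + 8] for i in range(0, 128, 8))
        (d / "example-src.zip.sha512").write_text("example-src.zip: " + groups + "\n")
        (d / "example-src.zip.md5").write_text("0" * 32 + "\n")
        (d / "example-war.war").write_bytes(b"constructed payload two")
        (d / "example-war.war.sha256").write_text("f" * 64 + "  example-war.war\n")
        (d / "example-bin.tar.gz").write_bytes(b"artifact with no sidecar")
        return audit(d)
```

`demo()` runs the audit on constructed files; for a real check, call `audit(Path(...))` on the local copy of the staging directory and treat any non-empty `banned`, `mismatch` or `no_strong_sum` list as a finding.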
