directory-fortress mailing list archives

From Stefan Seelmann <m...@stefan-seelmann.de>
Subject Re: [VOTE] Apache Fortress 2.0.1 release
Date Mon, 09 Jul 2018 20:07:13 GMT
Two findings:

* Selenium is now included in fortress-web as runtime dependency, I
guess it is only required as test dependency? License wise that's fine
and not a blocker because it uses Apache License. However it increases
the WAR file size from 26MB to 34MB and adds many more libs which may
increase attack surface. I let you decide if that should be considered
as blocker.
* Future releases should not include md5 checksums, please see mail from
Henk with subject "checksum file Release Distribution Policy" and
https://www.apache.org/dev/release-distribution#sigs-and-sums. But
currently it's still allowed, right?


Otherwise +1 from me:

* Verified checksums and signatures of the source packages
* Checked license and notice files
* Built all 4 source packages with OpenJDK 1.8.0_172 on Linux
* Ran fortress core integration tests against ApacheDS and OpenLDAP


Kind Regards,
Stefan



On 07/09/2018 04:41 PM, Shawn McKinney wrote:
> Hello,
> 
> I’m happy to announce that after a year’s worth of work we’ve managed to put together a new release.  Just to set expectations, it won’t be another before the next one.
> 
> There are some interesting items that need out. Yudhi’s High availability being one of them.
> 
> Also I should mention a few patches security related, i.e. ++versions on artifacts from apache cxf and others which make this release particularly important.
> 
> For those new to *testing* Fortress releases, I highly recommend using one of the DOCKER quick starts listed below.  Run the steps up to and including ‘integration tests’.  On a linux machine that has preqs (docker, java8, mvn, git) should take < 10 minutes to complete.  Do not hesitate to prompt me on our ml if you have questions or doubts.
> 
> Lastly, apologize in advance.  Wrt to improving the fortress source bundling/staging to simplify *your* job testing the releases.  Both Stefan and Colm kindly offered suggestions last year, but the ball got dropped.  We’ll get ‘er right by next time.
> 
> Now the release…
> 
> *********************
> 
> This is an announcement to vote for the next Apache Directory Fortress. 
> 
> The version, 2.0.1, has a tag created in git: ‘2.0.1’.
> 
> and the sources may be pulled using git commands:
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-core.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-realm.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-enmasse.git
> git clone --branch 2.0.1 https://git-wip-us.apache.org/repos/asf/directory-fortress-commander.git
> 	
> with their associated checksums:
> - core:  4009d2d0a5cc7b6d2a5a2e744a7dabab52c64e65
> - realm: dc23b6cbb93d1d0e998f0dcd03e7665df8c97475
> - rest:  1189b666a66176731c745c7c8be984f76f59a76d
> - web:   0423ea8b8dc3a6a410e84908ba9272661bcadb63
> 
> Or, source distros may be downloaded from this location:
> http://home.apache.org/~smckinney/
> 
> The staging repos on Nexus:
> - core: https://repository.apache.org/content/repositories/orgapachedirectory-1159
> - realm: https://repository.apache.org/content/repositories/orgapachedirectory-1160
> - rest: https://repository.apache.org/content/repositories/orgapachedirectory-1161
> - web: https://repository.apache.org/content/repositories/orgapachedirectory-1162
> 
> Test using one of these:
>  * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-APACHEDS.md
>  * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-APACHEDS.md
>  * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-DOCKER-SLAPD.md
>  * https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md
> 
> - Choose one of the above.  Complete (only) the sections leading up to and including the SECTION entitled: ‘Apache Fortress Core Integration Test’
> - Choose the docker quickstart & save time.  Won't have to install an LDAP server for the integration tests.
> 
> 2.0.1 includes:
> * Update to use Apache LDAP API v1.0.2
> * FC-235 Add support for runtime constraints to be placed on activated roles
> * FC-102 [fortress-web] fix problems with group page
> * FC-108 Add support for RFC2307 BIS
> * FC-217 Option to disable role occupants
> * FC-226 ehcache masking security exceptions
> * FC-227 Exclude xml-apis from LDAP api
> * FC-228 [fortress-rest] CVE-2017-12624: Apache CXF web services that process attachments are vulnerable to Denial of Service (DoS) attacks
> * FC-233 [FORTRESS-REST] Upgrade to Spring 5 and latest CXF
> * FC-232 [fortress-web] to Spring 5 and Wicket 7.9
> 
> * The complete list from JIRA: https://issues.apache.org/jira/browse/FC-232?jql=project%20%3D%2012315921%20AND%20fixVersion%20%3D%2012338782%20ORDER%20BY%20priority%20DESC%2C%20key%20ASC
> 
> Please vote:
> 
> [ ] +1 | Release Fortress core, realm, rest and web 2.0.1
> [ ] +/-0 | Abstain
> [ ] -1 | Do *NOT* Release Fortress core, realm, rest and web 2.0.1
> 
> Shawn
> 
> 
> 
> 
> 
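Added example, not part of the original thread or of the Fortress project's tooling: a checksum audit for a staging directory, covering the reply's "Verified checksums" step and its md5 finding. The file names and sample directory are constructed, and signature (`.asc`) verification is left to `gpg --verify`.

```python
import hashlib
import tempfile
from pathlib import Path

STRONG = {".sha256": "sha256", ".sha512": "sha512"}  # sidecars that are verified
SIDECARS = set(STRONG) | {".md5", ".asc"}            # not artifacts themselves


def digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_release(directory):
    """Map each artifact name to a list of checksum findings (empty = clean)."""
    report = {}
    for art in sorted(Path(directory).iterdir()):
        if art.suffix in SIDECARS or not art.is_file():
            continue
        findings, verified = [], False
        for ext, algo in STRONG.items():
            side = art.with_name(art.name + ext)
            if side.exists():
                # Sidecar holds "<hex>" or "<hex>  <filename>"; compare the first token.
                tokens = side.read_text().split()
                if tokens and tokens[0].lower() == digest(art, algo):
                    verified = True
                else:
                    findings.append(ext + " mismatch")
        if art.with_name(art.name + ".md5").exists():
            findings.append("md5 sidecar present")  # reported, never used to verify
        if not verified and not any(f.endswith("mismatch") for f in findings):
            findings.append("no SHA-256/SHA-512 checksum")
        report[art.name] = findings
    return report


def build_sample(directory):
    """Constructed staging directory: one clean, one md5-only, one mismatching artifact."""
    d = Path(directory)
    for name in ("good-source-release.zip", "md5only-source-release.zip", "bad-source-release.zip"):
        (d / name).write_bytes(name.encode())
    good = d / "good-source-release.zip"
    (d / (good.name + ".sha512")).write_text(digest(good, "sha512") + "  " + good.name + "\n")
    (d / "md5only-source-release.zip.md5").write_text("0" * 32 + "\n")  # constructed value
    (d / "bad-source-release.zip.sha512").write_text("00" * 64 + "\n")  # constructed value
```
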


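Added example, not part of the original thread or the project's build: one way a release reviewer could spot the Selenium finding above by listing the jars bundled under `WEB-INF/lib/` of a WAR and measuring how much of the archive comes from libraries that normally belong in test scope. The prefix watchlist, jar names, versions and sizes are constructed assumptions.

```python
import io
import zipfile

# Assumed watchlist: artifact-name prefixes that usually belong in test scope.
TEST_ONLY_PREFIXES = ("selenium-", "junit-", "mockito-", "hamcrest-")


def audit_war_libs(war):
    """Return (flagged jar names, flagged bytes, total lib bytes) for a WAR.

    `war` is a path or a binary file-like object. Sizes are uncompressed
    entry sizes of jars under WEB-INF/lib/.
    """
    flagged, flagged_bytes, total_bytes = [], 0, 0
    with zipfile.ZipFile(war) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            total_bytes += info.file_size
            jar = name.rsplit("/", 1)[1]
            if jar.startswith(TEST_ONLY_PREFIXES):
                flagged.append(jar)
                flagged_bytes += info.file_size
    return sorted(flagged), flagged_bytes, total_bytes


def build_sample_war():
    """Constructed in-memory WAR; entry names and sizes are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
        zf.writestr("WEB-INF/lib/wicket-core-0.0.0.jar", b"w" * 1000)
        zf.writestr("WEB-INF/lib/selenium-java-0.0.0.jar", b"s" * 500)
        zf.writestr("WEB-INF/lib/selenium-api-0.0.0.jar", b"s" * 300)
    return buf


if __name__ == "__main__":
    names, flagged_size, total_size = audit_war_libs(build_sample_war())
    print("test-scope jars in runtime classpath:", names)
    print("bytes from flagged jars: %d of %d" % (flagged_size, total_size))
```

A non-empty result is a prompt to check the dependency's `<scope>` in the POM, not proof of a defect on its own.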