On Sun, Jul 27, 2025 at 8:01 AM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
> Hi Gary,
>
> On 26.07.2025 23:04, Gary Gregory wrote:
> > JApiCmp Report (compared to 1.27.1):
> >
> > https://dist.apache.org/repos/dist/dev/commons/compress/1.28.0-RC1/site/japicmp.html
>
> +1 (binding): release the artifacts.
>
> I conducted the following checks:
>
> - Verified checksums and signatures for source and binary archives.
>
> - Reproduced the Maven artifacts using: Debian 12, Maven 3.9.9, JDK 21,
> TZ=UTC, and umask 0022.
>
> - Ran unit tests successfully.
>
> - Reviewed the RAT (license) report.
>
> - Reviewed API compatibility using JApiCmp and confirmed results with
> BND Baseline.
>
> The JApiCmp report is somewhat tricky to interpret, as it lists several
> methods as `REMOVED`:
>
> https://dist.apache.org/repos/dist/dev/commons/compress/1.28.0-RC1/site/japicmp.html
>
> In reality, these methods have been *relocated*, not removed:
>
> - `ArchiveOutputStream` and `CompressorOutputStream`: methods were moved
> to the new `CompressFilterOutputStream` class.
>
> - `LZ77Compressor.BackReference`, `LiteralBlock`, and `EOD`: affected
> methods were moved to `LZ77Compressor.AbstractReference`.
>
> Note: The Javadoc for `AbstractReference` appears to be copy-pasted and
> lacks an `@since 1.28.0` annotation.

Fixed!

> To confirm binary compatibility, I ran a BND Baseline check, and the
> results were satisfactory.
>
> Comments on the release notes:
>
> - The notes are extremely detailed, listing individual additions like
> `GzipParameters.getModificationInstant` and `setModificationInstant`.
>
> - They also include minor documentation and Javadoc improvements.
>
> - While this level of granularity might be appreciated by contributors,
> it may be hard for users outside the project to quickly assess the
> significance of the release. Some grouping would be very appreciated.

The grouping by type is set by changes.xml, within a group, I list each action (usually) in chronological order.

To help group issues, a while back, I created https://issues.apache.org/jira/projects/MCHANGES/issues/MCHANGES-412

> Since this release indirectly “addresses” a *non-exploitable* CVE in
> `commons-lang3`, it may be helpful to highlight changes such as
> deprecations, especially for users who enforce strict policies against
> using deprecated methods.

I added the following to changes.xml and RELEASE-NOTES.txt:

This release updates Apache Commons Lang to 3.18.0 to pick up the fix for CVE-2025-48924 (https://nvd.nist.gov/vuln/detail/CVE-2025-48924), but is not affected by it.

TY!
Gary

> Best regards,
> Piotr