b.com/apache/commons-ognl
https://github.com/apache/commons-proxy
I've filed https://issues.apache.org/jira/browse/INFRA-26952
Kind regards,
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
r VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests
> -Dreference.repo=https://repository.apache.org
instead of packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> 6) Build the site for a multi-module project
>
> mvn site
> mvn site:stage
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: tar
well...
> If you want to pick up on Gilles' offer for mathy components, then go for
> it I suppose but I really prefer the current setup for the others.
Happy to start there, but if you're "a priori" rejecting the whole
idea regardless of how that experiment would wor
unintentional).
WDYT? Perhaps at least worth trying out on a pilot component?
Kind regards,
Arnout
> On Fri, May 9, 2025, 07:44 Arnout Engelen wrote:
>
> > Hello Commons Dev,
> >
> > I noticed that, for many commons components, our GitHub Actions build
> > matrix
erstand what these jobs are for, and see if we can find an
approach that avoids those distracting build failures?
Kind regards,
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
mentioned)
this should not prevent you from upgrading to the latest version.
Kind regards,
Arnout Engelen
On 2025/02/12 15:08:19 sebb wrote:
> > On Wed, 12 Feb 2025 at 14:53, Volodymyr Siedlecki
> wrote:
> > >
> > > Hello,
> > >
> > > I don't see it e
On Mon, Feb 10, 2025 at 11:45 AM Gilles Sadowski
wrote:
> Le lun. 10 févr. 2025 à 11:25, Arnout Engelen a
> écrit :
> > Do you mean we should leave out the whole line or just the "Thanks to
> > Dependabot" part?
>
> The whole line.
>
> > I tried
://gitbox.apache.org/repos/asf/commons-math.git
> >
> >
> > The following commit(s) were added to refs/heads/master by this push:
> > new aa1efd86a Update changes.xml
> > aa1efd86a is described below
> >
> > commit aa1efd86a6ab5f229a3b579db16191d8e9672bf5
On Thu, Feb 6, 2025 at 11:09 PM Arnout Engelen wrote:
> * I did not test the artifacts against any project
>
(I have also run the jackrabbit-vfs-ext unit tests with the staged version
now, no surprises)
Arnout
> On Mon, Feb 3, 2025 at 12:27 AM Gary Gregory
> wrote:
>
>>
>
> This step is not required if the site includes a RAT report page which
> you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> This step is no
act:compare -DskipTests
> -Dreference.repo=
> https://repository.apache.org/content/repositories/staging/
> '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of
> packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
>
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
ormation from a command line:
> Windows: ver
> Linux: uname -a
>
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests
> -Dreference.repo=
> https://repository.apache.org/content/repositories/staging/
> '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of
> packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
>
>
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
-DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 5) Build the site for a single module project
re, I think we should define the
behavior in a way that all implementations can follow - which the
super type does nicely ('If csq is null, then characters will be
appended as if csq contained the four characters "null".'). I don't
see a strong reason to leave it up to t
se.
>
> TY!
> Gary
>
>
>
--
Arnout Engelen
ASF Security Response
Apache Pekko PMC member, ASF Member
NixOS Committer
Independent Open Source consultant
.18+10, 11.0.17+8, 11.0.16+101, 11.0.16+8, 11.0.15+10
> >
> > So it looks like goodbye Java 8 on GitHub.
> >
> > Gary
> >
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE
> reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of
> packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
>
>
--
Arnout Engelen
ASF Security Response
Podling Project Management Committee member on Apache Pekko
Committer on NixOS
Independent Open Source consultant
On Thu, Dec 14, 2023 at 2:00 PM Elliotte Rusty Harold
wrote:
> On Thu, Dec 14, 2023 at 6:09 AM Arnout Engelen wrote:
> > * I'd say parsing/decompression/decoding should never allow malicious
> input
> > to trigger arbitrary code execution(?)
>
> Do any of these prod
'yes', we should also decide whether we intend to treat such
issues as security problems (that should be fixed with some priority and,
after release, disclosed in an advisory) or bugs/improvements (where we can
possibly take more of an 'issues and patches welcome' position).
ts to be provided through
alternative ways (such as GitHub Private Vulnerability Reporting) is
definitely on our radar. We're working out some challenges to fit it into
the rest of our workflow, though, and it will depend on the project whether
they choose to use it.
Kind regards,
--
Arnout Engelen
ASF Security Response
ob/master/src/site/xdoc/security.xml)
> if you want to update the details.
> > >
> > > TY!
> > >
> > > On Tue, Oct 18, 2022, 09:52 Arnout Engelen wrote:
> > >>
> > >> Hello Commons,
> > >>
> > >> As you might k
Hello Commons,
As you might know Commons Text recently published a CVE. It seems there is
a fair bit of confusion about its severity online, so it seems like a good
idea to publish a statement around that on the website.
I've proposed one at https://github.com/apache/commons-text/pull/374 and
I'd