Re: [Dbutil] Java 8 -> 11

2023-10-16 Thread Matt Sicker
This sounds a lot like what was discussed back when components went through Java 6 -> 7 and later Java 7 -> 8 upgrades. So far, we’ve only made Java requirement updates in the minor version, not the patch version, and as Gary is saying, we wouldn’t bump the major version without renaming the ent

Re: [ALL] Eventually, soon, Java 11

2023-05-31 Thread Matt Sicker
How about using multi-release jars? That way we can include module-info files and version-specific additions while still supporting Java 8 for a while. It could require a newer Java compiler while still targeting the Java 8 bytecode version. — Matt Sicker > On Apr 23, 2023, at 08:46, G

Re: Correctly configuring Apache Commons components for oss-fuzz

2022-11-26 Thread Matt Sicker
Yes, please use the existing fuzz-testing list. It’s basically a notifications list at this point due to differences in memory safety between Java and the C family making fuzzing a little trickier to reproduce security issues. — Matt Sicker > On Nov 23, 2022, at 08:58, Mark Thomas wr

Re: [VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-31 Thread Matt Sicker
+1 from me With that, this vote passes with 3 +1 binding votes from me, Gary, and Bruno. I’ll continue the release. — Matt Sicker > On Oct 30, 2022, at 13:16, Matt Sicker wrote: > > Looks like this vote will end up passing. I’ll make my vote and finish up the > vote thread eit

Re: [VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-30 Thread Matt Sicker
(other releases have), and shows as not released yet (normally it has the >> vote release date, I think). Can be fixed later, other reports look OK. >> >> Manually inspected files from dist area (source and binaries), and also >> checked signatures. Everything looks OK!

Re: [VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-28 Thread Matt Sicker
above report notes several errors. >>These are considered OK for the reasons stated below. >>These exceptions are also noted in the Changes and Release Notes. >> >>Errors reported: >>- removal of checked exceptions in various methods >>

Re: [VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-25 Thread Matt Sicker
I did; I just forgot to remove the markers. — Matt Sicker > On Oct 25, 2022, at 15:43, Gary Gregory wrote: > > Matt, > > You are supposed to edit what is in between ××× ... > > Gary > > On Tue, Oct 25, 2022, 16:05 Matt Sicker wrote: > >> We have f

[VOTE] Release Apache Commons Compress 1.22 based on RC1

2022-10-25 Thread Matt Sicker
close no sooner than 72 hours from now. [ ] +1 Release these artifacts [ ] +0 OK, but... [ ] -0 OK, but really should fix... [ ] -1 I oppose this release because... Thank you, Matt Sicker, Release Manager (using key 0x031EE010CA15D1EE) The following is intended as a helper and refres

Re: [VOTE] Release Apache Commons BCEL 6.6.1 based on RC1

2022-10-25 Thread Matt Sicker
, platform encoding: UTF-8 OS name: "mac os x", version: "12.6", arch: "aarch64", family: "mac" — Matt Sicker > On Oct 23, 2022, at 09:58, Gary Gregory wrote: > > We have fixed one bug since Apache Commons BCEL 6.6.0 was released, so > I would

Re: [VOTE] Release Apache Commons BCEL 6.6.0 based on RC1

2022-10-11 Thread Matt Sicker
+1 Tested with Java versions 8.0.322-zulu, 11.0.15-zulu, and 17.0.2-zulu. Apache Maven 3.8.5 OS name: "mac os x", version: "12.6", arch: "aarch64", family: "mac" — Matt Sicker > On Oct 8, 2022, at 07:35, Gary Gregory wrote: > > We have fixed a few b

Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Matt Sicker
eone added jxpath to oss-fuzz here: > >> > https://github.com/google/oss-fuzz/pull/7582 > >> > > >> > The initial oss-fuzz for ASF was, if I recall correctly, all put under a > >> > single project: > >> > https://github.com/google/oss-fuz

Re: Re: [jxpath] reported CVE and path forward

2022-10-10 Thread Matt Sicker
I get emails about some of the Commons fuzzing things, but I was only aware of it being enabled for compress and imaging. On Mon, Oct 10, 2022 at 1:37 PM Roman Wagner wrote: > > Hi all, > > I am working for Code Intelligence we did our best to find a maintainer for > the oss-fuzz project. Unfortu

Re: Integration of commons-math into oss-fuzz

2022-07-22 Thread Matt Sicker
I'm one of the PMC members already in our oss-fuzz project. Please feel free to add commons-math! On Thu, Jul 21, 2022 at 3:23 PM Bruno Kinoshita wrote: > > Hi > > There is an oss-fuzz project for commons where multiple modules are hosted > (I am sure Imaging is there, and I think Compress too).

Re: [CRYPTO] Problem with JNA on macOS and Windows

2022-06-29 Thread Matt Sicker
The only OpenSSL fork I know of in macOS is BoringSSL which is also used by Chrome. This fork maintains some level of compatibility though. — Matt Sicker > On Jun 29, 2022, at 20:03, Alex Remily wrote: > > Which Mac OS version did you use? Since I upgraded to BigSur (OS 11) my

Re: [ALL] Add *.json to RAT excludes in parent POM ?

2022-06-27 Thread Matt Sicker
Some JSON parsers do support comments. Some use cases could potentially use YAML or similar. Otherwise, yeah, might as well exclude where comments can’t be added. — Matt Sicker > On Jun 27, 2022, at 08:42, Gilles Sadowski wrote: > > Hello. > >> Le lun. 27 juin 2022 à 15:3

Re: [Crypto] What is it ?

2022-06-16 Thread Matt Sicker
AWS offers macOS VMs. GitHub Actions support macOS which presumably uses something similar. I don’t think Apple offers an equivalent service, but there are more companies that do offer macOS VMs in the cloud. — Matt Sicker > On Jun 16, 2022, at 12:05, Jochen Wiedmann wrote: > > On

Re: [Crypto] What is it ?

2022-06-15 Thread Matt Sicker
You can run Windows in a VM on macOS, but that’s starting to sound fairly complicated if macOS is itself in a VM. — Matt Sicker > On Jun 15, 2022, at 18:03, sebb wrote: > > On Wed, 15 Jun 2022 at 17:32, Matt Sicker wrote: >> >> We could always request a Windows VM fr

Re: [Crypto] What is it ?

2022-06-15 Thread Matt Sicker
We could always request a Windows VM from Infra if necessary for building releases. Same for a Mac VM or Linux VM, though the Linux one can be done fairly easily via Docker on any OS (even FreeBSD supports Linux containers now). — Matt Sicker > On Jun 15, 2022, at 05:10, sebb wrote: >

Re: [codec] 1.16 release progress

2022-06-14 Thread Matt Sicker
The issue with the previous RC required an updated version of the Commons release plugin. I don’t remember if that’s been done yet. — Matt Sicker > On Jun 14, 2022, at 05:12, Alex Herbert wrote: > > On Mon, 13 Jun 2022 at 17:46, Matt Sicker wrote: > >> I haven’t had

Re: [codec] 1.16 release progress

2022-06-13 Thread Matt Sicker
I haven’t had a chance to try a second RC. I’ve been out sick the past few days as well. If you’d like to help make the release, let me know! — Matt Sicker > On Jun 13, 2022, at 11:15, Alex Herbert wrote: > > A RC1 cut was made for codec 1.16 in January 2022: > >> g

Re: [collections] Add a list/deque faster than TreeList?

2022-06-11 Thread Matt Sicker
suppose that doesn’t surprise me too much. — Matt Sicker > On Jun 11, 2022, at 12:25, Rodion Efremov wrote: > > Hi Matt and community, > > About thread safety: I keep an int counting modifications (called > modCount). Now, spliterator/iterator/sublist check that modCount ==

Re: [collections] Add a list/deque faster than TreeList?

2022-06-11 Thread Matt Sicker
as well, that sort of process is fairly long term, so I’d imagine that Collections would be a great place for it. If you’re trying to donate this to multiple projects, then Eclipse also has a collections library that might like it, and Guava might like it, too. — Matt Sicker > On Jun 10, 2

Re: [configuration] Jakarta mailapi 2.0.1

2022-06-10 Thread Matt Sicker
Seems reasonable to me given the use case. — Matt Sicker > On Jun 9, 2022, at 20:23, Matt Juntunen wrote: > > Hello, > > We are slowly getting closer to a 2.8.0 release for > commons-configuration. One remaining item on the list is a PR [1] for > bumping the com.sun.

Re: [Validator] Update to Java 8 and from Apache Commons Collections 3.x to 4.x

2022-06-06 Thread Matt Sicker
Seems reasonable to me. Anyone still using Java 7 probably isn’t too concerned about CVEs as I hope that type of software is not internet connected! — Matt Sicker > On Jun 6, 2022, at 09:09, Melloware wrote: > > +1 from me on that Gary! > > >> On 6/6/2022 9:43 AM, Gary

Re: [lang] how to submit a proposal for a new component?

2022-04-27 Thread Matt Sicker
It hasn’t had activity in over 10 years, but there’s also https://commons.apache.org/sandbox/commons-graph/ as a potential component to revive. — Matt Sicker > On Apr 27, 2022, at 10:43, Bernd Eckenfels wrote: > > I think 20 classes is not small, so probably not good for -lang.

Re: [BeanUtils] JPMS

2022-04-25 Thread Matt Sicker
Now that sounds like a good reason for beanutils2, too. Module splits to allow for minimal module dependencies is a great idea IMO, though I may be biased since we already started the same idea in Log4j for 3.x a while ago, too. On Mon, Apr 25, 2022 at 6:55 AM Gary Gregory wrote: > > Hi All, > >

Re: [beanutils]

2022-04-21 Thread Matt Sicker
manage releases is a great way to get invited into the PMC, too, so keep that in mind. On Wed, Apr 20, 2022 at 10:36 PM Xeno Amess wrote: > > @Matt Sicker > > Like what I said before, there are no currently active commons committers who > are interested in developing bean-utils. > > For

Re: [beanutils]

2022-04-20 Thread Matt Sicker
I don’t see why that couldn’t have been done here. There’s no need to fork Commons projects when they’re fairly open to contributors. — Matt Sicker > On Apr 20, 2022, at 16:19, Melloware Inc wrote: > > It was supposed to be temporary until Apache released 2.0. It’s been over 5

Re: Re: New component proposal: commons-plugins

2022-04-14 Thread Matt Sicker
Yes, at this point, it would help to see what aspects of this would be useful or welcomed as a library. In the meantime, I've been asked if I could port the log4j DI system back to 2.x, so I may end up working on that in the near term and defer any work to extract code to Commons until we have a be

Re: New component proposal: commons-plugins

2022-04-11 Thread Matt Sicker
At this point, I'd be most willing to start up a repo and codebase for this only if it would be useful for Commons, too. In this scenario, I can begin by porting over the relevant code from log4j to form a starting point for the library (mainly an API, and annotation processor, and default implemen

Re: New component proposal: commons-plugins

2022-04-08 Thread Matt Sicker
on feature to Quarkus but without the non-DI features). On Fri, Apr 8, 2022 at 12:06 PM Romain Manni-Bucau wrote: > > Le ven. 8 avr. 2022 à 18:50, Matt Sicker a écrit : > > > I suspect at this point that most of the remaining slowness in startup > > on Log4j is related to code t

Re: New component proposal: commons-plugins

2022-04-08 Thread Matt Sicker
I suspect at this point that most of the remaining slowness in startup on Log4j is related to code that _doesn't_ use plugins. There are some strategies that configure on startup in log4j-api based on system properties and service loaders which are provided for improved steady-state performance (or

Re: New component proposal: commons-plugins

2022-04-07 Thread Matt Sicker
One of the issues I've found with loading classes eagerly is that many ClassLoader implementations rely on fairly broad locks. Deferred class loading can avoid some of this lock contention. On Thu, Apr 7, 2022 at 12:57 PM Ralph Goers wrote: > > > > > On Apr 7, 2022, at 2:52 AM, Peter Verhas wrot

Re: New component proposal: commons-plugins

2022-04-04 Thread Matt Sicker
d not tied to the plugin system. > > Ralph > > > On Apr 4, 2022, at 8:39 AM, Matt Sicker wrote: > > > > I used to work on the Jenkins project for a few years, so yes, I'm > > fairly familiar with those difficulties. I've also used OSGi in the >

Re: New component proposal: commons-plugins

2022-04-04 Thread Matt Sicker
>>>> wrote: > > > >>>>> > > > >>>>> Hi Matt, > > > >>>>> > > > >>>>> This is quite timely since I've spent the past week researching > > > >>>>> frameworks to modularize a monolithic ap

Re: New component proposal: commons-plugins

2022-04-04 Thread Matt Sicker
ins. Everything I've looked at so far is > > >>>>> larger and more complicated than I need (e.g. OSGi, Spring, etc) so I > > >>>>> was seriously considering writing my own, perhaps based on select > > >>>>> components from the Plexus proj

Re: New component proposal: commons-plugins

2022-04-03 Thread Matt Sicker
Perhaps? I’d have to investigate how commons configuration works to be sure. And thanks, Ralph, for answering the questions here. I’ll write up a more detailed proposal we can discuss. — Matt Sicker > On Apr 3, 2022, at 21:25, Gary Gregory wrote: > > So in a Commons centric fanta

New component proposal: commons-plugins

2022-04-02 Thread Matt Sicker
ps://github.com/apache/logging-log4j2/tree/master/log4j-plugins> — Matt Sicker

Re: [Codec] Staged 1.16-RC and dangling?

2022-03-21 Thread Matt Sicker
Ah, I didn't get a chance to start the next release as I was finishing up some work on Log4j over the weekend. On Thu, Mar 17, 2022 at 6:58 PM Gary Gregory wrote: > > Anytime ;) > > On Thu, Mar 17, 2022, 19:56 Matt Sicker wrote: > > > Then I’ll work on a new relea

Re: [Codec] Staged 1.16-RC and dangling?

2022-03-17 Thread Matt Sicker
Then I’ll work on a new release candidate over the next couple days. Thanks! — Matt Sicker > On Mar 17, 2022, at 14:04, Gary Gregory wrote: > > I just released the plugin today, it might not have made it to Maven > Central yet though... > > Gary > >> On Thu, Mar

Re: [Codec] Staged 1.16-RC and dangling?

2022-03-17 Thread Matt Sicker
I needed a new release of the commons release plugin to cut a second release candidate. This first one can be dropped as the vote was cancelled. On Thu, Mar 17, 2022 at 8:28 AM Gary Gregory wrote: > > Matt, > > I see on https://repository.apache.org/#stagingRepositories a Commons Codec > 1.16-RC1

Re: [All] Maintenance (Re: [GitHub] [... PR] #104: Maven Wrapper [...])

2022-02-17 Thread Matt Sicker
The same applies to changing access modifiers. JUnit 5 encourages use of package private everything as it’s the least typing and now supported (as in v5 will reflectively allow access to your test code if it’s not public). — Matt Sicker > On Feb 17, 2022, at 19:59, Gary Gregory wr

Re: [All] Maintenance (Re: [GitHub] [... PR] #104: Maven Wrapper [...])

2022-02-16 Thread Matt Sicker
IntelliJ has a useful feature for helping automate migration of JUnit tests. Works wherever you have tests that don't use rules or parameterized tests (those need to be manually migrated still). On Wed, Feb 16, 2022 at 9:17 AM Alex Herbert wrote: > > On Wed, 16 Feb 2022 at 14:30, Gilles Sadowski

Re: [All] GSoC 2022

2022-01-26 Thread Matt Sicker
I think this would be a great idea. There's even some potential work that can be done related to fuzz testing if we want to expand our OSS-Fuzz coverage. I imagine we have plenty of interesting Jira tickets that could make for GSoC projects, too. On Wed, Jan 26, 2022 at 7:16 AM Gilles Sadowski wr

Re: [VOTE] Release Apache Commons Codec 1.16 based on RC1

2022-01-24 Thread Matt Sicker
Yes, this vote is cancelled. I’d like to see if we can update the parent pom first so that we get the correct build timestamp. Otherwise, I’ve updated the other parts in master which will go into RC2. — Matt Sicker > On Jan 24, 2022, at 06:50, Gary Gregory wrote: > > Hi Matt, >

Re: [VOTE] Release Apache Commons Codec 1.16 based on RC1

2022-01-22 Thread Matt Sicker
well to pick that up. — Matt Sicker > On Jan 22, 2022, at 15:33, Gary Gregory wrote: > > The copyright year is derived from POM properties or can be hard coded. > Trying to have a reproducible build can further muck things up where you > end up with 1969 as then end year as I re

Re: [VOTE] Release Apache Commons Codec 1.16 based on RC1

2022-01-22 Thread Matt Sicker
for the javadoc copyright year, do you know where this gets specified? I figured it was auto-generated at build time. — Matt Sicker > On Jan 22, 2022, at 08:10, Gary Gregory wrote: > > Thank you for cutting the RC! :-) > > Maybe blocker: > > The Javadoc end copyright ye

[VOTE] Release Apache Commons Codec 1.16 based on RC1

2022-01-21 Thread Matt Sicker
] -0 OK, but really should fix... [ ] -1 I oppose this release because... Thank you, Matt Sicker, Release Manager (using key 748F15B2CF9BA8F024155E6ED7C92B70FA1C814D) The following is intended as a helper and refresher for reviewers. Validating a release candidate

Re: [CODEC] Looking to make a release, having some issues with release instructions

2022-01-21 Thread Matt Sicker
Thanks, that did the trick. I’ll have a release candidate soon. — Matt Sicker > On Jan 21, 2022, at 23:14, Gary Gregory wrote: > > I think you have to go back to Maven 3.6.x because Maven broke > compatibility with plugins, see > https://issues.apache.org/jira/browse/MNG-7316 &g

[CODEC] Looking to make a release, having some issues with release instructions

2022-01-21 Thread Matt Sicker
ime: /Library/Java/JavaVirtualMachines/zulu-8.jdk/Contents/Home/jre Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "12.1", arch: "aarch64", family: "mac" [1]: https://commons.apache.org/releases/prepare.html — Matt Sicker

Fwd: Significant change to US Export Controls Guide

2022-01-21 Thread Matt Sicker
This is the relevant bit about how we no longer need to worry about reporting cryptography code. Thus, we're clear to make a commons-codec release as soon as I can find some release instructions. -- Forwarded message - From: Roman Shaposhnik Date: Thu, Jul 15, 2021 at 6:05 PM Subj

Re: can we get rid of dependabot?

2021-12-30 Thread Matt Sicker
<https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates> -- Matt Sicker > On Dec 30, 2021, at 16:48, Rob Tompkins wrote: > > > >> On Dec 30, 2021, at 5:37 PM, sebb &g

Re: can we get rid of dependabot?

2021-12-29 Thread Matt Sicker
All these version pins, notification settings, etc., are all configurable in the Dependabot config file. -- Matt Sicker > On Dec 29, 2021, at 09:22, Romain Manni-Bucau wrote: > > @Rob: not sure dependabot would get commits permissions anytime soon, it is > really an automotion

Re: [MATH][GENETICS][PR-199] Decision on the use of Logging functionality

2021-11-22 Thread Matt Sicker
I’d be +1 for Log4j2 as the API particularly due to the more active development community and licensing. SLF4J is mostly reliant on the heroic efforts of its sole maintainer which is a bit of an anti-pattern at Apache. If there’s a desire to support the Java module system, the only versions of S

Re: Pull Request Reviews/Feedback Please

2021-09-11 Thread Matt Sicker
Updates that help with testing in newer JDKs while still supporting older ones (which version tends to depend on the specific component; most have been or can be upgraded to JDK 8 at least). With Java 17 coming out, some developers will make the jump from 11 to 17. On Sat, Sep 11, 2021 at 11:49 AM

Re: [VOTE] Release Apache Commons Pool 2.11.1 based on RC1

2021-08-14 Thread Matt Sicker
+1 Verified signatures and builds via a few JDKs: Apache Maven 3.8.2 (ea98e05a04480131370aa0c110b8c54cf726c06f) Maven home: /usr/local/Cellar/maven/3.8.2/libexec Java version: 11.0.10, vendor: Oracle Corporation, runtime: /usr/local/Cellar/openjdk@11/11.0.10/libexec/openjdk.jdk/Contents/Home Defa

Re: [VOTE] Release Apache Commons DBCP 2.9.0 based on RC1

2021-07-31 Thread Matt Sicker
+1 Signatures, reports, etc. validated. Built and tested on: Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d) Maven home: /usr/local/Cellar/maven/3.8.1/libexec Java version: 16.0.1, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/16.0.1/libexec/openjdk.jdk/Contents/Home Default

Re: Can we put together some sort of contributors guide for release requesters?

2021-07-09 Thread Matt Sicker
att, > > Il Ven 9 Lug 2021, 18:25 Matt Sicker ha scritto: > > > There seems to be an increased interest from users around making > > releases of various components in order to clean up their security > > checklists mandated from above. Since making releases is somewhat &

Can we put together some sort of contributors guide for release requesters?

2021-07-09 Thread Matt Sicker
There seems to be an increased interest from users around making releases of various components in order to clean up their security checklists mandated from above. Since making releases is somewhat standardized here, would it make sense to create some sort of guide for volunteers who want releases

Re: [compress] Dealing with uncaught RuntimeExceptions (again)

2021-06-27 Thread Matt Sicker
Perhaps the key point here is throwing a more specific exception than RuntimeException? Even if it's a subclass of it. Adding the javadocs for which exceptions are allowed to be thrown might be sufficient to cover the DoS attacks. On Sun, Jun 27, 2021 at 12:05 PM Torsten Curdt wrote: > > > > > >

Re: [compress] Dealing with uncaught RuntimeExceptions (again)

2021-06-27 Thread Matt Sicker
Checked exceptions are also used when the error isn’t a programmer error. From an aesthetic perspective, I prefer the unchecked exceptions unless an API already established them. Subclassing IOException is fairly common for example. On Sun, Jun 27, 2021 at 10:37 Torsten Curdt wrote: > > Can you

Re: Welcome back Henri Biestro to the PMC

2021-06-13 Thread Matt Sicker
Welcome back, Henri! Glad to see you again! On Sun, Jun 13, 2021 at 08:52 Gary Gregory wrote: > Let's welcome back Henri Biestro to the PMC. > > Gary >

Re: [VOTE] Release Apache Commons IO 2.10.0 based on RC1

2021-06-12 Thread Matt Sicker
+1 Signatures good, builds and tests good. Verified on: Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d) Maven home: /usr/local/Cellar/maven/3.8.1/libexec Java version: 16.0.1, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/16.0.1/libexec/openjdk.jdk/Contents/Home Default local

Re: [compress] Dealing with RuntimeExceptions While Parsing Archives

2021-06-06 Thread Matt Sicker
Ah, I see. These exceptions could derive from UncheckedIOException perhaps? On Sun, 6 Jun 2021 at 15:56, Gilles Sadowski wrote: > > Le dim. 6 juin 2021 à 22:32, Matt Sicker a écrit : > > > > Well, if there's a parse error decompressing a file, that makes sense > > a

Re: [compress] Dealing with RuntimeExceptions While Parsing Archives

2021-06-06 Thread Matt Sicker
Well, if there's a parse error decompressing a file, that makes sense as an IOException of some sort. On Sun, 6 Jun 2021 at 12:01, Gilles Sadowski wrote: > > Le dim. 6 juin 2021 à 07:51, Stefan Bodewig a écrit : > > > > Hi > > > > I'm thinking about a specific IOException subclass that is thrown

Re: [VOTE] Release Apache Commons JEXL 3.2 based on RC1

2021-06-06 Thread Matt Sicker
+1 Signatures good, reports good, built and tested on the following: Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d) Maven home: /usr/local/Cellar/maven/3.8.1/libexec Java version: 16.0.1, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/16.0.1/libexec/openjdk.jdk/Contents/Home

Re: [VOTE] Release Apache Commons Pool 2.10.0 based on RC1

2021-05-30 Thread Matt Sicker
+1 Signatures are good on everything. Spot checks on basic release stuff are all good (license, notice, rat check etc.). Built and tested fine on the following (Java 11, 15, 16): Apache Maven 3.8.1 (05c21c65bdfed0f71a2f2ada8b84da59348c4c5d) Maven home: /usr/local/Cellar/maven/3.8.1/libexec Java v

Re: OSS-Fuzz issues are being reported as vulnerabilities

2021-05-24 Thread Matt Sicker
There's also a bit of an issue of fixing these types of vulnerabilities at the library level. The library itself typically won't have much in the way of a security model until you integrate it into an application. For example, if you only use commons-compress on trusted input, then even high availa

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
I see that now. Thanks for handling the ticket! On Tue, 20 Apr 2021 at 11:38, sebb wrote: > > On Tue, 20 Apr 2021 at 17:22, Matt Sicker wrote: > > > > I've tried adding that email to the allow-subscribe list for that > > mailing list. Let's see if the

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
I've tried adding that email to the allow-subscribe list for that mailing list. Let's see if the next messages get through without moderation now. On Tue, 20 Apr 2021 at 10:46, Matt Sicker wrote: > > I've accepted all the moderation requests so far, though I also get >

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
the variable part, so normal moderation rules > can be applied) > > > On Tue, Apr 20, 2021, 17:30 Matt Sicker wrote: > > > > > Guess we'll have to ask infra then. They probably have a way to filter > > > based on regex or something. &

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
Guess we'll have to ask infra then. They probably have a way to filter based on regex or something. On Tue, 20 Apr 2021 at 10:05, sebb wrote: > > On Tue, 20 Apr 2021 at 15:53, Matt Sicker wrote: > > > Looks like we need to add the bot email as an allowed sender to the list.

Re: [all] OSS Fuzz

2021-04-20 Thread Matt Sicker
Looks like we need to add the bot email as an allowed sender to the list. Otherwise, I’ve seen the alerts start already 😁 On Tue, Apr 20, 2021 at 09:27 Fabian Meumertzheim < meumertzh...@code-intelligence.com> wrote: > The first OSS-Fuzz build passed and some bugs have already been created. > Eve

Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
Can we make a Google group or shared Google account for the commons PMC? On Sat, Apr 17, 2021 at 17:43 sebb wrote: > On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim > wrote: > > > > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig > wrote: > > > > > > I'm not sure I understand this. AFAIU I co

Re: [all] OSS Fuzz

2021-04-17 Thread Matt Sicker
I have a Google account I can be CC’d on. I do security engineering professionally, so I have some experience in the area as well. On Sat, Apr 17, 2021 at 08:58 Stefan Bodewig wrote: > On 2021-04-15, Fabian Meumertzheim wrote: > > > Just to keep the following in mind: Full access to bug reports

Re: [all] OSS Fuzz

2021-04-14 Thread Matt Sicker
Would the undeclared runtime exceptions be "fixable" for the fuzzing tool if the methods declared their runtime exceptions being thrown? Or the javadocs? As in, this tool is looking for exceptional conditions that don't appear to be intentional? I've briefly looked at OSS-Fuzz, and it certainly lo

Re: Re: [exec][email] Java 7 to 8

2021-03-28 Thread Matt Sicker
Calling it technical debt is pretty useful, too, because just like monetary debt, it can be useful to accumulate some in the short term for productive reasons, but if you don't pay it off and manage it properly, the interest payments begin to dominate expenses. Interest on technical debt comes in t

Re: [lang] Failing test on Java 16-EA.

2021-03-21 Thread Matt Sicker
And the two linked bugs in Java15BugFastDateParserTest.java are marked fixed already: https://bugs.openjdk.java.net/browse/JDK-8248655 https://bugs.openjdk.java.net/browse/JDK-8248434 On Sun, 21 Mar 2021 at 10:26, Matt Sicker wrote: > > Looks related to some locale changes most likely? The

Re: [lang] Failing test on Java 16-EA.

2021-03-21 Thread Matt Sicker
Looks related to some locale changes most likely? There are also a couple test failures that are likely due to illegal reflective access. Case in point, one of the tests has an InaccessibleObject error message. Tested on: openjdk version "16" 2021-03-16 OpenJDK Runtime Environment AdoptOpenJDK (b

Re: [COMPRESS] OSS-Fuzz integration

2021-03-09 Thread Matt Sicker
Perhaps the output of this tool won't have nearly as much spam as Dependabot et al? If so, we could just use the security list. On Tue, 9 Mar 2021 at 15:48, sebb wrote: > > On Tue, 9 Mar 2021 at 21:38, Gary Gregory wrote: > > > > What if we make the existing notification list private? Who uses t

Re: [crypto] Interest in adding support for cryptographic hash function?

2021-03-08 Thread Matt Sicker
s need > only have libcrypto installed locally. > > > > On Sun, Feb 28, 2021 at 6:21 PM Matt Sicker wrote: > > > That's why I'm interested in proper benchmarks before supporting a > > release of something with platform-specific code. The CPU extensions

Re: [COMPRESS] OSS-Fuzz integration

2021-03-07 Thread Matt Sicker
We could create another private list for static analysis alerts perhaps? On Sun, 7 Mar 2021 at 03:51, Stefan Bodewig wrote: > > On 2021-03-07, Fabian Meumertzheim wrote: > > > On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig wrote: > > >> OTOH I'm not sure I understand the requirements of OSS-Fuzz

Re: [VOTE] Release Apache Commons VFS Project 2.8.0 based on RC1

2021-03-07 Thread Matt Sicker
+1 Signatures good, tested on macOS with Java 1.8, 11, and 15. On Sun, 7 Mar 2021 at 09:30, Arturo Bernal wrote: > > Hi All, > > Build OK from the tag '4fbaade0’ with ‘mvn test’ > > > > Maven home: /opt/apache-maven-3.6.3 > Java version: 1.8.0_275, vendor: AdoptOpenJDK, runtime: > /Library/Jav

Re: [crypto] Interest in adding support for cryptographic hash function?

2021-02-28 Thread Matt Sicker
select the assembler-optimized variants), but if JNI overhead negates the gains there, then I'd agree that sticking to pure Java code here would be optimal. On Sun, 28 Feb 2021 at 17:18, sebb wrote: > > On Sun, 28 Feb 2021 at 20:14, Matt Sicker wrote: > > > > I'd also be int

Re: [crypto] Interest in adding support for cryptographic hash function?

2021-02-28 Thread Matt Sicker
(blake2b is the default hash used in libsodium, a popular C crypto library). Some links: https://github.com/BLAKE3-team/BLAKE3 https://www.blake2.net/ Specs: https://github.com/BLAKE3-team/BLAKE3-specs/blob/master/blake3.pdf On Sun, 28 Feb 2021 at 14:14, Matt Sicker wrote: > > I

Re: [crypto] Interest in adding support for cryptographic hash function?

2021-02-28 Thread Matt Sicker
I'd also be interested in benchmarking comparisons as I've been working on a proof of concept using Blake3 to do similarly (I have a pure Java implementation and a JNI version that ultimately invokes the reference C implementation, though I've also wondered about linking the reference Rust implemen

Re: [VOTE] Release Apache Commons Lang 3.12.0 based on RC1

2021-02-28 Thread Matt Sicker
+1 Tested with: Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f) Maven home: /usr/local/Cellar/maven/3.6.3_1/libexec Java version: 15.0.1, vendor: N/A, runtime: /usr/local/Cellar/openjdk/15.0.1/libexec/openjdk.jdk/Contents/Home Default locale: en_US, platform encoding: UTF-8 OS name:

Re: [lang] Introduce @NonNull, and @Nullable

2021-02-05 Thread Matt Sicker
Provided dependencies typically mean that the dependency is copied into another dependency (think Java EE APIs typically) and doesn't need to be added by a runtime dependency. It's kind of the opposite of the runtime scope which doesn't add it at compile time but does at runtime. On Thu, 4 Feb 202

Re: [lang] Introduce @NonNull, and @Nullable

2021-02-02 Thread Matt Sicker
a in order to compile. > > > On Mon, Feb 1, 2021, 17:22 sebb wrote: > > > > > On Mon, 1 Feb 2021 at 17:56, Matt Sicker wrote: > > > > > > > > Compile time annotations would only be necessary to build the commons > > > > componen

Re: [lang] Introduce @NonNull, and @Nullable

2021-02-01 Thread Matt Sicker
Compile time annotations would only be necessary to build the commons component. Unless they're runtime scope, but even that can work without class loader errors provided you're not reflecting on it. On Mon, 1 Feb 2021 at 11:45, sebb wrote: > > On Mon, 1 Feb 2021 at 16:52, Tomo Suzuki wrote: > >

Re: [math] FastMath isn't fast...

2021-01-27 Thread Matt Sicker
Are we even allowed to use the intrinsic annotation in user code? Java 9 introduces modules in that they wish to hide internal details, and this sounds like an internal detail? On Wed, 27 Jan 2021 at 10:39, Erik Svensson wrote: > > Hello all! > > I work for a fintech company and we do a lot of ri

Re: [ALL] year to 2021 in NOTICE.txt

2021-01-10 Thread Matt Sicker
The fact that it's in a single file rather than in the copyright header of every file as is typically done already reduces the number of things to update at least. :) Maybe there's a thing in the commons maven plugin? On Sun, 10 Jan 2021 at 11:01, Xeno Amess wrote: > > In nearly all repos in our

Re: Commons-logging status

2020-12-14 Thread Matt Sicker
This library has largely been superseded by log4j-api in Log4j2. Some details here: https://logging.apache.org/log4j/2.x/manual/api.html On Mon, 14 Dec 2020 at 10:45, Elliotte Rusty Harold wrote: > > Hello, > > I wanted to check on the status of commons-logging. It hasn't been > updated since 201

Re: [All] draft board report 2020-12

2020-12-08 Thread Matt Sicker
LGTM, thanks, Gary! On Tue, 8 Dec 2020 at 11:11, Gary Gregory wrote: > > Here is our draft board report: > > ## Description: > The mission of Apache Commons is the creation and maintenance of Java > focused > reusable libraries and components > > ## Issues: > There are no issues requiring board a

Re: Log4j JSON layout template Uris enum

2020-11-17 Thread Matt Sicker
Wrong list? On Tue, 17 Nov 2020 at 12:23, Gary Gregory wrote: > > Hi all, > > Why is this an enum and not a class? > > Gary - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@c

Re: [CLI] CLI for Scala

2020-09-17 Thread Matt Sicker
t be trivial to > > port this code to Java; but maybe some of the ideas could be > > incorporated into [CLI]? > > > > Thanks > > Oliver > > > > [1] https://github.com/oheger/scli > > [2] https://github.com/oheger/scli/blob/master/Tutorial.adoc > > > > > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > -- Matt Sicker

Re: No more dependabot

2020-09-17 Thread Matt Sicker
Branches have green checks on them too. Every commit does unless you push more than one at a time to a single branch (then they’re batched). This applies to both Jenkins and GH Actions. On Thu, Sep 17, 2020 at 19:39 Gary Gregory wrote: > On Thu, Sep 17, 2020 at 12:23 PM Matt Sicker wr

Re: No more dependabot

2020-09-17 Thread Matt Sicker
Do they show up as branches before or after the PR? If it’s before, maybe we can disable the PR and just use the branches. On Wed, Sep 16, 2020 at 20:53 Gary Gregory wrote: > On Wed, Sep 16, 2020 at 8:53 PM Matt Sicker wrote: > > > > > > Don’t Dependabot PRs show up as

Re: No more dependabot

2020-09-16 Thread Matt Sicker
r additional commands, e-mail: dev-h...@commons.apache.org > > > >> > > > > > > > > - > > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > > > > > > > - > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > -- Matt Sicker

Re: No more dependabot

2020-09-16 Thread Matt Sicker
body text including text analysis [...] > ---CUT--- > > Gilles > > ----- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org &
