Post by Johan Sjöberg
Greetings.
Those filters seem to include 11 issues where 3 are reported as Bug. Of
these two should IMO be checked, COCOON-2253 and COCOON-2246.
Thanks for the review. Hopefully a committer can do those.
I have not looked at other filters to see any suggested enhancements.
Post by Johan Sjöberg
So, the important thing would perhaps be to find consensus about what's
gonna be in 2.1.13, is it branded as a library upgrade and Java 8 support
release or that plus some new features?
There are some new features already. If others would like
to add or enhance anything then please provide patches.
Upgrading some supporting products would be good. We did do some
last time. For some (IIRC e.g. FOP) we would need to raise our
minimum Java version. Upgrading Ant would be good.
Also need to review the recent commits and patch $COCOON_HOME/status.xml
to notify any worthy changes.
Post by Johan Sjöberg
Are most who would like to see a
2.1.13 release waiting for official Java 8 support?
Deciding the minimum Java version is one of the early release
process steps. It would be better to have a separate mail thread.
Also we should review such discussion from last time.
I am not sure what you mean by "Java 8 support".
The main demos on our vm are okay:
http://cocoon.zones.apache.org
The HEAD of the current 2.1 branch does work for me,
but i did need to add this recently:
http://svn.apache.org/r1623915
Enable 'java' to be found on a modern Mac OS X.
Post by Johan Sjöberg
All in all, it doesn't
look too bad. IOW, not too much stuff to do.
Additionally I think it would be nice to have a configurable
SaxParserFactory and a configurable DocumentBuilderFactory, to prevent some
XEE attacks. I didn't find any in the code, but I might have missed it of
course. That's low prio though, as it can be achieved with external
implementations of the Factories registered in cocoon.xconf.
If someone can provide such an enhancement then that would be useful.
We should also provide some documentation to warn about such problems.
As alluded to earlier, our documentation system is busted.
So perhaps a Wiki page (could be moved to docs later).
e.g. remind to not process source xml docs that you do not control;
e.g. remind that Catalog Entity Resolver can assist; etc.
and link to articles like these:
Managing XML data: XML catalogs
http://www.ibm.com/developerworks/library/x-mxd3/
and
Tip: Configure SAX parsers for secure processing
Prevent entity resolution vulnerabilities and overflow attacks
http://www.ibm.com/developerworks/xml/library/x-tipcfsx
... Oh crikey, it is 404. So need rescue of wayback machine
or find something similar.
-David
Post by Johan Sjöberg
Thoughts?
Cheers,
Johan
Post by David Crossley
Referring to David’s message on the "user" list, there seem to be plans
for Cocoon-2.1 and Cocoon-2.2 releases. That’s great!
Thanks for your interest.
It is a loose use of the term "plans", but yeah, these are the first steps.
What would be needed
from "outsiders" to help with these, patches and testing, more?
https://issues.apache.org/jira/issues/?filter=12310771
COCOON-open-with-patch
... twiddle that filter to restrict to "Affects Version".
https://issues.apache.org/jira/issues/?filter=12335814
COCOON-affects-2_1_12-and-2_1_13
... general issues affecting recent 2.1
Also, there would be some documentation tweaks needed.
However i am not clear about the state of our system.
Personally
I would be interested in an official release of the 2.1 branch and will
check what possible local changes I might have.
I too am mainly interested in Cocoon-2.1
Yes please do add to our JIRA issue tracker any changes that you
reckon are useful.
You might need to be added to JIRA permissions. If so then please
contact the "private" mail list and tell us your JIRA username.
Thanks again. Hopefully your efforts will encourage others.
-David