cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chip Childers <>
Subject Re: [VOTE][RESULTS] Release Apache CloudStack 4.1.0 (fifth round)
Date Mon, 03 Jun 2013 13:39:11 GMT
On Mon, Jun 03, 2013 at 03:40:04PM +0530, Prasanna Santhanam wrote:
> On Sat, Jun 01, 2013 at 01:35:06PM -0400, Chip Childers wrote:
> > The vote has *passed* with the following results (binding PMC votes
> > indicated with a "*" next to their name:
> > 
> > +1 : Edison*, Hugo*, Marcus*, David*, Wido*, Ilya, Animesh, Milamber,
> >      Joe*, Simon, Prasanna*
> > -0 : John
> > -1 : Ove
> > 
> > I'm going to proceed with moving the release into the distribution repo
> > now, and will do the DEB / RPM builds to push Wido's repo site / push
> > cloudmonkey to pypi on Monday.
> > 
> > I do note Ove's -1, due to upstream Tomcat changes.  I know Prasanna
> > mentioned that he was going to check with that project to see why the
> > change happened.  We will need to discuss what (if anything) this
> > project should do to resolve the issue for users.  This issue will block
> > users of all prior versions as well, so it's nothing *in* our code that
> > causes the bug.  This is my logic for not cancelling the vote.
> > 
> I couldn't find a reasonably good solution for this. The vulnerability
> is fixed in Tomcat more than a year ago and it was applied only
> recently, as Ove pointed, in the distros. While this doesn't affect
> those upgrading, it is problematic for those installing CloudStack
> afresh.  Any version - 3.0.2, ($insert_commercial_version), 4.0,
> 4.0.1, 4.0.2, 4.1 and even the 4.2-SNAPSHOT RPMs.
> I've applied a fix on master (54127f8) that I think is reasonable by
> changing the permissions on the file so it is owned by user `cloud`
> which is the user cloudstack-management will run as. To understand why
> this is not an obvious hack please see [1]. If there's an even elegant
> way, please let the list know.

This seems like a reasonable fix to me.  I'll cherry-pick it over to

> I'm also not quite sure how and when the deb packages will be
> affected. It looked like the debian users haven't reported this
> problem yet. We started seeing issues of this right after May 25th,
> should've paid more attention then (/me facepalm)

CLOUDSTACK-2758 should probably stay open, pending a DEB fix to pre-empt
the issue occurring in those distros.

> It's an awkward situation, so I'm not sure what will be the next
> course of action since our src release is ready to be published.
> The options are:
> a) Publish workaround of giving `cloud` permissions to catalina.out
> b) Release a new source package with fix cherry-picked to 4.1 and
> whereever applicable. 
> b. shouldn't take longer - just testing the packaging should be
> sufficient. CloudStack's overall functionality is satisfactory from
> the tests done so far.

Unfortunately, perhaps I made a big mistake by not cancelling the VOTE
and performing the release copy.  At this point, 4.0.0 is *frozen* from
changes per ASF release policies (we can't change the bits after I put
them in the release dir).

So...  I'm actually going to propose 2 things:

1) I'm going to build the RPM's that we'll host from Wido's repo server
*with* the fix Prasanna provided.

2) Someone (not me, due to vacation starting Wed) needs to spin a 4.1.1 release
ASAP to include the fix for this.

> [1]
> -- 
> Prasanna.,
> ------------------------
> Powered by

View raw message