cloudstack-dev mailing list archives

From Marcus Sorensen <shadow...@gmail.com>
Subject Re: [VOTE] 2nd round of voting for ASF 4.2.1 RC
Date Thu, 05 Dec 2013 04:09:03 GMT
Yes, a schema fix in a point release is kind of messy. If it has to be
that way then perhaps we just flag it in the known issues so people
can skip 4.2.x if they utilize the acls api calls.

5214 doesn't really require a schema change, just a fix to how the
schema is upgraded. Adding 'IF NOT EXISTS' won't change the end
result, so that's probably ok to put into 4.2.1.

On Wed, Dec 4, 2013 at 1:29 PM, Sebastien Goasguen <runseb@gmail.com> wrote:
>
> On Dec 4, 2013, at 4:33 AM, Abhinandan Prateek <Abhinandan.Prateek@citrix.com> wrote:
>
>> Was trying to understand the issue. It seems there is no account
>> information in network_acl or network_acl_item table.
>> A proper fix will mean including that information and that means a schema
>> change. Since this is a maintenance release we would like to avoid schema
>> changes as much as possible.
>
> it sounds like a pretty big issue IMHO, if not even a security risk.
>
> In addition there was this bug:
> https://issues.apache.org/jira/browse/CLOUDSTACK-5214
>
> reported by milamber on 4.2.1 upgrade. He raised it as a blocker.
>
> if both need a db schema fix, then maybe we need to bite the bullet...
>
>>
>> A temporary fix (i.e. till we fix the schema in the next big release) could mean
>> fetching the vpc list for a user from the vpc table and then using the vpc ids to
>> get the acls. *Marcus* you want to try out this fix?
>>
>> -abhi
>>
>> On 04/12/13 3:28 am, "Marcus Sorensen" <shadowsor@gmail.com> wrote:
>>
>>> Running the same API call on versions lower than 4.2.0 yields correct
>>> results, since 4.2.0 the API call returns incorrect data. The API
>>> itself is compatible, but for example if an application or user
>>> consuming the API makes those calls it will get incorrect data. For
>>> example, you now may get a hundred entries for port 22 open to
>>> 0.0.0.0/0 in your response, when only one of them is owned by you.
>>>
>>> On Tue, Dec 3, 2013 at 2:48 PM, Daan Hoogland <daan.hoogland@gmail.com>
>>> wrote:
>>>> Hi Marcus,
>>>>
>>>> It breaks behavior of the API, you say. Is this in comparison to 4.2
>>>> or to prior versions?
>>>>
>>>> thanks,
>>>> Daan
>>>>
>>>> On Tue, Dec 3, 2013 at 6:40 PM, Chip Childers <chipchilders@apache.org>
>>>> wrote:
>>>>> On Tue, Dec 3, 2013 at 7:48 AM, sebgoa <runseb@gmail.com> wrote:
>>>>>>
>>>>>> Can you be more specific? What fixes required a re-vote?
>>>>>
>>>>> There was a security vulnerability reported in the release of
>>>>> sufficient severity to cause the security team to request Abhi hold
>>>>> off on publishing the release and to re-spin.
>>
>
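The interim fix described in the quoted thread (fetch the caller's VPC list, then use the VPC ids to get the ACLs), as an added example that is not part of the original message or of CloudStack's code. The table and column names are a simplified, hypothetical schema, and the rows are constructed sample data.

```python
import sqlite3

# Hypothetical, simplified tables: the thread only says that network_acl and
# network_acl_item carry no account information, while the vpc table does.
SCHEMA = """
CREATE TABLE vpc (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL);
CREATE TABLE network_acl (id INTEGER PRIMARY KEY, vpc_id INTEGER NOT NULL);
CREATE TABLE network_acl_item (
    id INTEGER PRIMARY KEY, acl_id INTEGER NOT NULL,
    start_port INTEGER, cidr TEXT);
"""

def build_db():
    """Constructed sample data: three accounts, each with one VPC and one port-22 rule."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for account_id in (1, 2, 3):
        vpc_id = db.execute(
            "INSERT INTO vpc (account_id) VALUES (?)", (account_id,)).lastrowid
        acl_id = db.execute(
            "INSERT INTO network_acl (vpc_id) VALUES (?)", (vpc_id,)).lastrowid
        db.execute(
            "INSERT INTO network_acl_item (acl_id, start_port, cidr) "
            "VALUES (?, 22, '0.0.0.0/0')", (acl_id,))
    return db

def list_acl_items_unscoped(db):
    """Models the reported behaviour: no ownership filter, every tenant's rules come back."""
    return db.execute(
        "SELECT id, acl_id, start_port, cidr FROM network_acl_item ORDER BY id").fetchall()

def list_acl_items_for_account(db, account_id):
    """Interim fix: resolve the caller's VPC ids first, then fetch only ACLs in those VPCs."""
    vpc_ids = [row[0] for row in db.execute(
        "SELECT id FROM vpc WHERE account_id = ?", (account_id,))]
    if not vpc_ids:
        return []  # an account without VPCs must see nothing, not everything
    marks = ",".join("?" * len(vpc_ids))  # placeholders only, values stay bound
    return db.execute(
        "SELECT i.id, i.acl_id, i.start_port, i.cidr FROM network_acl_item i "
        f"JOIN network_acl a ON a.id = i.acl_id WHERE a.vpc_id IN ({marks}) "
        "ORDER BY i.id", vpc_ids).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(len(list_acl_items_unscoped(db)), list_acl_items_for_account(db, 2))
```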
