continuum-dev mailing list archives

From Brett Porter <br...@apache.org>
Subject Re: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 21:28:13 GMT
Given all this, I will release Redback 1.1.1 now with just this fix  
included so we can roll another 1.2 (take 4) immediately.

- Brett

On 18/09/2008, at 7:21 AM, Emmanuel Venisse wrote:

> I don't consider it as a blocker issue for the majority of installs but it is
> one for vmbuild.
> IMO, we can release it with this issue and release 1.2.1 in a few weeks with
> redback 1.2 (not tested yet brett's changes) and some other fixes, but I'm
> ok for a take 4 too :-)
>
> Emmanuel
>
> On Wed, Sep 17, 2008 at 10:19 PM, Olivier Lamy <olamy@apache.org> wrote:
>
>> As I understand here we depend on a redback 1.2 release to fix that ?
>> When will this one be released ?
>> Personally, I don't have any objections to try another release (take 4) if
>> the next redback release which fixes that is available at the end of the
>> week. (Now I know exactly what to do to cut a continuum release, all
>> scripts are ready ;-) ).
>> I consider this issue as blocker if we want to update the continuum
>> instance in vmbuild.
>>
>> Thoughts ?
>>
>> Thanks,
>> --
>> Olivier
>>
>>
>> 2008/9/17 Wendy Smoak <wsmoak@gmail.com>:
>>> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:
>>>
>>>> The last release is 9 months and no one has been done since the TLP
>>>> graduation.
>>>> I'd like to release continuum 1.2.
>>>> We fixed 128 issues :
>>>>
>>>> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
>>>>
>>>> The staging repo is here :
>>>> http://people.apache.org/~olamy/staging-repo/
>>>
>>> If you're using project group permissions, there's a fairly serious
>>> security issue in 1.2.  Any project group admin can grant roles all
>>> the way up to system administrator, to himself and others.
>>> (CONTINUUM-1867)
>>>
>>> I'm conflicted about releasing this as-is.  On one hand, if you're
>>> depending on the roles to prevent access to projects, it's seriously
>>> broken.  On the other hand... most people I've talked to aren't using
>>> this feature, and even if the roles *are* working, any developer can
>>> check in a script, which runs as the Continuum user, and do pretty
>>> much anything they want.
>>>
>>> Thoughts?
>>>
>>> --
>>> Wendy
>>>
>>

--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/

