continuum-dev mailing list archives

From "Ken Liu" <ken....@gmail.com>
Subject Re: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 17:47:07 GMT
I am the continuum admin for my team and would be ok with this, and I am
eager to start using 1.2. Perhaps just make sure that this problem is
mentioned in the release notes, and then start working on an immediate bugfix
(1.2.1) release? I think those people who would have a problem with the
security hole could just wait a few weeks until the next release.

just my $.02

Ken

On Wed, Sep 17, 2008 at 12:11 PM, Wendy Smoak <wsmoak@gmail.com> wrote:

> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:
>
> > The last release was 9 months ago and none has been done since the TLP graduation.
> > I'd like to release continuum 1.2.
> > We fixed 128 issues :
> >
> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
> >
> > The staging repo is here : http://people.apache.org/~olamy/staging-repo/
>
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2.  Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
>
> I'm conflicted about releasing this as-is.  On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken.  On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
>
> Thoughts?
>
> --
> Wendy
>
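The issue Wendy describes (a project group admin able to grant roles up to system administrator) is an authorization flaw in the role-assignment path: the check asks "is the grantor some kind of admin?" but never compares the requested role against the grantor's own scope and level. The following is an added example, not Continuum's code and not the fix for CONTINUUM-1867; it is a constructed model with assumed role names that shows the unchecked grant beside a hardened one that enforces both scope (only groups the grantor administers) and ceiling (never above the grantor's own level), so that the escalation is refused and can be logged.

```python
from dataclasses import dataclass, field

# Constructed role model (assumed names; not Continuum's real role catalogue).
# Group-scoped roles are tied to a project group; global roles are not.
GROUP_ROLES = {"project-user": 1, "project-developer": 2, "project-administrator": 3}
GLOBAL_ROLES = {"system-administrator": 4}
LEVEL = {**GROUP_ROLES, **GLOBAL_ROLES}


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    group_roles: dict = field(default_factory=dict)  # group name -> set of role names

    def is_sysadmin(self):
        return "system-administrator" in self.global_roles

    def highest_level_in(self, group):
        # 0 when the user holds no role at all in that group
        return max((LEVEL[r] for r in self.group_roles.get(group, ())), default=0)


def apply_role(user, role, group):
    """Store the role on the user; global roles ignore the group argument."""
    if role in GLOBAL_ROLES:
        user.global_roles.add(role)
    else:
        user.group_roles.setdefault(group, set()).add(role)


def grant_unchecked(grantor, grantee, role, group=None):
    """The bug pattern: being an administrator *anywhere* is the only check, so a
    project group admin can hand system-administrator to himself or anyone else."""
    is_some_admin = grantor.is_sysadmin() or any(
        "project-administrator" in roles for roles in grantor.group_roles.values()
    )
    if not is_some_admin:
        return False
    apply_role(grantee, role, group)
    return True


def grant_checked(grantor, grantee, role, group=None):
    """Hardened grant: a sysadmin may grant anything; everyone else may grant only
    group-scoped roles, only in a group they administer, and never above their
    own level in that group. Returns False (and grants nothing) otherwise."""
    if role not in LEVEL:
        return False
    if grantor.is_sysadmin():
        apply_role(grantee, role, group)
        return True
    if role in GLOBAL_ROLES or group is None:
        return False  # non-sysadmins never touch global roles
    if "project-administrator" not in grantor.group_roles.get(group, set()):
        return False  # wrong scope: grantor does not administer this group
    if LEVEL[role] > grantor.highest_level_in(group):
        return False  # ceiling: cannot grant more than one holds
    apply_role(grantee, role, group)
    return True


def demo():
    """Replay the escalation against both grant paths; returns (unchecked, checked)."""
    mallory = User("mallory", group_roles={"webapp": {"project-administrator"}})
    escalated = grant_unchecked(mallory, mallory, "system-administrator")
    mallory2 = User("mallory", group_roles={"webapp": {"project-administrator"}})
    refused = not grant_checked(mallory2, mallory2, "system-administrator")
    return escalated and mallory.is_sysadmin(), refused and not mallory2.is_sysadmin()


if __name__ == "__main__":
    print("unchecked path escalates: %s, checked path refuses: %s" % demo())
```

A denied grant is the signal worth recording: logging the grantor, requested role and target group on every `False` return from `grant_checked` gives an administrator a direct view of attempted privilege escalation, which the unchecked path silently permits.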
