continuum-dev mailing list archives

From "Olivier Lamy" <ol...@apache.org>
Subject Re: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 20:19:30 GMT
As I understand, here we depend on a redback 1.2 release to fix that?
When will this one be released?
Personally, I don't have any objections to trying another release (take 4) if
the next redback release which fixes that is available at the end of the
week. (Now I know exactly what to do to cut a continuum release; all
scripts are ready ;-) ).
I consider this issue a blocker if we want to update the continuum
instance in vmbuild.

Thoughts?

Thanks,
--
Olivier


2008/9/17 Wendy Smoak <wsmoak@gmail.com>:
> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:
>
>> The last release was 9 months ago and none has been done since the TLP graduation.
>> I'd like to release continuum 1.2.
>> We fixed 128 issues:
>> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
>>
>> The staging repo is here : http://people.apache.org/~olamy/staging-repo/
>
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2.  Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
>
> I'm conflicted about releasing this as-is.  On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken.  On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
>
> Thoughts?
>
> --
> Wendy
>
