continuum-dev mailing list archives

From "Hotmail" <bmad1...@hotmail.com>
Subject RE: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 18:00:58 GMT
I am a Continuum admin and do make use of the project group permissions. In
my case any person that I give group permissions to I trust enough not to
exploit this. I agree with Ken, as long as this is fixed quickly I won't
mind waiting for a 1.2.1. 

Bryan

-----Original Message-----
From: Ken Liu [mailto:ken.liu@gmail.com] 
Sent: Wednesday, September 17, 2008 12:47 PM
To: dev@continuum.apache.org
Subject: Re: [VOTE] Release Continuum 1.2 (take 3)

I am the continuum admin for my team and would be ok with this, and I am
eager to start using 1.2. Perhaps just make sure that this problem is
mentioned in the release notes, and then start working on an immediate bugfix
(1.2.1) release? I think those people who would have a problem with the
security hole could just wait a few weeks until the next release.

just my $.02

Ken

On Wed, Sep 17, 2008 at 12:11 PM, Wendy Smoak <wsmoak@gmail.com> wrote:

> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:
>
> > The last release was 9 months ago and none has been done since the TLP graduation.
> > I'd like to release continuum 1.2.
> > We fixed 128 issues :
> > http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
> >
> > The staging repo is here : http://people.apache.org/~olamy/staging-repo/
>
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2.  Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
>
> I'm conflicted about releasing this as-is.  On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken.  On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
>
> Thoughts?
>
> --
> Wendy
>
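The missing authorization check Wendy describes (a project group admin being able to grant roles up to system administrator, CONTINUUM-1867), shown as an added illustration that is not Continuum's code: a grant function that only checks whether the grantor administers some group, beside a hardened one that also requires the grantor to hold, in the same group, a role at least as high as the one being granted, and reserves global roles to global admins. Role names, ranks, the user/group model and the sample users are assumptions made for this example.

```python
"""Constructed illustration of a role-grant authorization check.

Added example, not Continuum code. Role names, ranks, the group model
and the sample users below are assumptions made for the illustration.
"""
from dataclasses import dataclass, field

# Assumed role ranking: a larger number means more privilege.
ROLE_RANK = {
    "project-user": 1,
    "project-developer": 2,
    "project-group-administrator": 3,
    "system-administrator": 4,
}
# Assumed: this role is global; the others are scoped to a project group.
GLOBAL_ROLES = {"system-administrator"}


@dataclass
class User:
    name: str
    global_roles: set = field(default_factory=set)
    group_roles: dict = field(default_factory=dict)  # group name -> set of roles

    def roles_in(self, group):
        """Roles effective inside one group: global roles plus group roles."""
        return self.global_roles | self.group_roles.get(group, set())


class GrantDenied(Exception):
    pass


def _apply(target, role, group):
    if group is None:
        target.global_roles.add(role)
    else:
        target.group_roles.setdefault(group, set()).add(role)


def grant_unchecked(grantor, target, role, group=None):
    """Failure mode: the only check is that the grantor is *some* admin.
    Neither the rank of the granted role nor the group is compared."""
    is_group_admin = any("project-group-administrator" in roles
                         for roles in grantor.group_roles.values())
    if not is_group_admin and "system-administrator" not in grantor.global_roles:
        raise GrantDenied("not an administrator")
    _apply(target, role, group)


def grant_checked(grantor, target, role, group=None):
    """Hardened: global roles only from a system administrator; group-scoped
    roles only from an admin of that same group, and never a role ranked
    above the grantor's own rank in that group."""
    if role not in ROLE_RANK:
        raise GrantDenied(f"unknown role {role!r}")
    if role in GLOBAL_ROLES:
        if "system-administrator" not in grantor.global_roles:
            raise GrantDenied("only a system administrator may grant global roles")
        _apply(target, role, None)
        return
    if group is None:
        raise GrantDenied("group-scoped role requires a group")
    grantor_roles = grantor.roles_in(group)
    if not grantor_roles & {"project-group-administrator", "system-administrator"}:
        raise GrantDenied(f"{grantor.name} does not administer group {group!r}")
    grantor_rank = max(ROLE_RANK[r] for r in grantor_roles)
    if ROLE_RANK[role] > grantor_rank:
        raise GrantDenied(f"cannot grant {role!r} above own rank")
    _apply(target, role, group)


def check_grants():
    """Run the same grant attempts through both functions.
    Returns {label: granted?} so the difference is visible."""
    attempts = [
        ("unchecked-sysadmin", grant_unchecked, "system-administrator", None),
        ("checked-sysadmin", grant_checked, "system-administrator", None),
        ("checked-own-group-dev", grant_checked, "project-developer", "web"),
        ("checked-other-group-dev", grant_checked, "project-developer", "billing"),
    ]
    results = {}
    for label, fn, role, group in attempts:
        # Constructed users: alice administers only the "web" group.
        admin = User("alice", group_roles={"web": {"project-group-administrator"}})
        target = User("bob")
        try:
            fn(admin, target, role, group)
            results[label] = True
        except GrantDenied:
            results[label] = False
    return results


if __name__ == "__main__":
    for label, granted in check_grants().items():
        print(f"{label}: {'granted' if granted else 'denied'}")
```

The unchecked variant lets a group admin hand out system-administrator, which is the behaviour the thread is discussing; the checked variant denies that, denies grants into groups the grantor does not administer, and still lets a system administrator grant anywhere.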

