continuum-dev mailing list archives

From "Hotmail" <>
Subject RE: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 18:00:58 GMT
I am a Continuum admin and do make use of the project group permissions. In
my case any person that I give group permissions to I trust enough not to
exploit this. I agree with Ken, as long as this is fixed quickly I won't
mind waiting for a 1.2.1. 


-----Original Message-----
From: Ken Liu [] 
Sent: Wednesday, September 17, 2008 12:47 PM
Subject: Re: [VOTE] Release Continuum 1.2 (take 3)

I am the continuum admin for my team and would be ok with this, and I am
eager to start using 1.2. Perhaps just make sure that this problem is
mentioned in the release notes, and then start working on an immediate bugfix
(1.2.1) release? I think those people who would have a problem with the
security hole could just wait a few weeks until the next release.

just my $.02


On Wed, Sep 17, 2008 at 12:11 PM, Wendy Smoak <> wrote:

> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <> wrote:
> > The last release was 9 months ago and none has been done since the TLP
> > graduation.
> > I'd like to release continuum 1.2.
> > We fixed 128 issues :
> >
> >
> > The staging repo is here :<
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2.  Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
> I'm conflicted about releasing this as-is.  On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken.  On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
> Thoughts?
> --
> Wendy
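The flaw Wendy describes (CONTINUUM-1867) is a role-assignment path that checks whether the grantor is *an* administrator but never compares the requested role's scope and rank against the grantor's own. The following is an added illustration of that check, written for this page; it is a generic model and not Continuum's or Redback's code. The role names, the group scoping, and the shape of both functions are assumptions made for the example. It shows the flawed check beside the scoped one and replays the escalation from the thread against each.

```python
"""Role-assignment authorization: a constructed model of the missing check
behind CONTINUUM-1867. Not Continuum's code; role names are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Assumed role names and the scope marker for roles not tied to a project group.
SYSTEM_ADMIN = "system-administrator"
GROUP_ADMIN = "project-group-administrator"
GROUP_DEVELOPER = "project-group-developer"
GLOBAL = None


@dataclass(frozen=True)
class Role:
    name: str
    group: Optional[str]  # None (GLOBAL) for roles that span the whole server


@dataclass
class User:
    name: str
    roles: Set[Role] = field(default_factory=set)

    def has(self, name: str, group: Optional[str] = GLOBAL) -> bool:
        return Role(name, group) in self.roles


class AuthorizationError(Exception):
    pass


def assign_role_vulnerable(grantor: User, target: User, role: Role) -> None:
    """Flawed check: the grantor only needs to administer *some* project group.
    The requested role's scope and rank are never compared with the grantor's,
    so a group admin can hand out system-administrator, even to himself."""
    if not any(r.name in (SYSTEM_ADMIN, GROUP_ADMIN) for r in grantor.roles):
        raise AuthorizationError("grantor is not an administrator")
    target.roles.add(role)


def assign_role_checked(grantor: User, target: User, role: Role) -> None:
    """Scoped check: a system administrator may grant any role; anyone else may
    grant only group-scoped roles, and only inside groups they administer."""
    if grantor.has(SYSTEM_ADMIN):
        target.roles.add(role)
        return
    if role.group is GLOBAL:
        raise AuthorizationError("only a system administrator may grant global roles")
    if not grantor.has(GROUP_ADMIN, role.group):
        raise AuthorizationError(f"grantor does not administer group {role.group!r}")
    target.roles.add(role)


def escalation_demo(assign) -> bool:
    """Replay the thread's scenario: a project group admin tries to grant
    system-administrator to himself. Returns True if the grant went through."""
    mallory = User("mallory", {Role(GROUP_ADMIN, "team-a")})  # constructed user
    try:
        assign(mallory, mallory, Role(SYSTEM_ADMIN, GLOBAL))
    except AuthorizationError:
        pass
    return mallory.has(SYSTEM_ADMIN)


def legitimate_demo(assign):
    """A group admin grants a developer role inside his own group and then in
    a group he does not administer. Returns (own_group_ok, other_group_ok)."""
    alice = User("alice", {Role(GROUP_ADMIN, "team-a")})  # constructed users
    bob = User("bob")
    assign(alice, bob, Role(GROUP_DEVELOPER, "team-a"))
    own_ok = bob.has(GROUP_DEVELOPER, "team-a")
    try:
        assign(alice, bob, Role(GROUP_DEVELOPER, "team-b"))
        other_ok = True
    except AuthorizationError:
        other_ok = False
    return own_ok, other_ok


if __name__ == "__main__":
    for label, fn in (("vulnerable", assign_role_vulnerable),
                      ("checked", assign_role_checked)):
        print(label, "escalation:", escalation_demo(fn),
              "own/other group:", legitimate_demo(fn))
```

The vulnerable variant lets the self-grant succeed and also lets a group admin assign roles in groups he does not administer; the scoped variant permits only the in-group assignment. The general rule the checked function encodes is the one a practitioner would look for in any role-management code path: the grantor's authority must be evaluated against the scope of the role being granted, not merely against whether the grantor holds some administrative role somewhere.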
