continuum-dev mailing list archives

From "Wendy Smoak" <wsm...@gmail.com>
Subject Re: [VOTE] Release Continuum 1.2 (take 3)
Date Wed, 17 Sep 2008 16:11:48 GMT
On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <olamy@apache.org> wrote:

> The last release was 9 months ago, and none has been done since the TLP graduation.
> I'd like to release continuum 1.2.
> We fixed 128 issues:
> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
>
> The staging repo is here: http://people.apache.org/~olamy/staging-repo/

If you're using project group permissions, there's a fairly serious
security issue in 1.2.  Any project group admin can grant roles all
the way up to system administrator, to himself and others.
(CONTINUUM-1867)

I'm conflicted about releasing this as-is.  On one hand, if you're
depending on the roles to prevent access to projects, it's seriously
broken.  On the other hand... most people I've talked to aren't using
this feature, and even if the roles *are* working, any developer can
check in a script, which runs as the Continuum user, and do pretty
much anything they want.

Thoughts?

-- 
Wendy
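The defect Wendy describes (a project group admin able to hand out roles up to system administrator, including to himself) is the classic missing bound on role grants: the grant path checks that the caller is *an* administrator but not that the role being granted is within the caller's own authority and scope. The following is an added illustration, written for this archive page; it is not Continuum's or Redback's code, and the `Role`/`Principal` model, the `RANKS` ladder and the `build_sample_store` data are constructed for the example. It shows the vulnerable grant shape beside a hardened one that refuses any grant above the grantor's effective rank in the role's scope and reserves global roles to global system administrators.

```python
"""Constructed example: bounding role grants by the grantor's own authority.

Not Continuum's code. The role names loosely mirror Continuum's, but the
data model (Role, Principal, RANKS) is invented for illustration only.
"""
from dataclasses import dataclass, field

# Constructed rank ladder; a higher number means more authority.
RANKS = {
    "project-user": 1,
    "project-developer": 2,
    "project-administrator": 3,
    "system-administrator": 4,
}
GLOBAL = "*"                                   # scope of roles that apply to every project group
ADMIN_RANK = RANKS["project-administrator"]    # lowest rank that may grant anything at all


@dataclass(frozen=True)
class Role:
    name: str
    scope: str          # a project group name, or GLOBAL


@dataclass
class Principal:
    username: str
    roles: set = field(default_factory=set)


class GrantDenied(PermissionError):
    """Raised when a grant is refused by the authorization check."""


def effective_rank(principal: Principal, scope: str) -> int:
    """Highest rank the principal holds that applies in `scope`
    (roles scoped to that group plus any GLOBAL roles); 0 if none."""
    applicable = [RANKS[r.name] for r in principal.roles if r.scope in (scope, GLOBAL)]
    return max(applicable, default=0)


def grant_unchecked(grantor: Principal, target: Principal, role: Role) -> None:
    """Vulnerable shape: holding *any* administrator role anywhere is enough
    to assign *any* role, including system-administrator, to anyone
    (oneself included). Only the grantor's status is checked, never the
    relationship between the grantor's authority and the role granted."""
    if not any(RANKS[r.name] >= ADMIN_RANK for r in grantor.roles):
        raise GrantDenied(f"{grantor.username} is not an administrator")
    target.roles.add(role)


def grant_checked(grantor: Principal, target: Principal, role: Role) -> None:
    """Hardened shape: a grantor may only hand out authority they already
    hold in the role's scope, and only a GLOBAL system administrator may
    grant GLOBAL roles. The check is the same whether target is the
    grantor or someone else, so self-escalation is covered too."""
    if role.name not in RANKS:
        raise GrantDenied(f"unknown role {role.name!r}")
    if role.name == "system-administrator" and role.scope != GLOBAL:
        raise GrantDenied("system-administrator is only valid as a global role")
    if role.scope == GLOBAL:
        if Role("system-administrator", GLOBAL) not in grantor.roles:
            raise GrantDenied("only a system administrator may grant global roles")
    else:
        own = effective_rank(grantor, role.scope)
        if own < ADMIN_RANK:
            raise GrantDenied(f"{grantor.username} does not administer {role.scope}")
        if RANKS[role.name] > own:
            raise GrantDenied("cannot grant a role above your own rank in this scope")
    target.roles.add(role)


def build_sample_store() -> dict:
    """Constructed users: one global admin, one group admin, one developer, one nobody."""
    return {
        "alice": Principal("alice", {Role("system-administrator", GLOBAL)}),
        "bob": Principal("bob", {Role("project-administrator", "group-a")}),
        "carol": Principal("carol", {Role("project-developer", "group-a")}),
        "dave": Principal("dave"),
    }


def try_grant(fn, grantor_name: str, target_name: str, role: Role) -> bool:
    """Run a grant function against a fresh sample store; True if the role
    was assigned, False if the grant was denied."""
    store = build_sample_store()
    try:
        fn(store[grantor_name], store[target_name], role)
    except GrantDenied:
        return False
    return role in store[target_name].roles


if __name__ == "__main__":
    escalate = Role("system-administrator", GLOBAL)
    print("unchecked, bob -> bob sysadmin:", try_grant(grant_unchecked, "bob", "bob", escalate))
    print("checked,   bob -> bob sysadmin:", try_grant(grant_checked, "bob", "bob", escalate))
    print("checked,   bob -> carol group-a admin:",
          try_grant(grant_checked, "bob", "carol", Role("project-administrator", "group-a")))
```

The second caveat in the message (a developer can commit a build script that runs as the Continuum user) is outside what a role check like this can address; it is a property of where builds execute, and the role model only bounds who may administer the server, not what a build does once it runs.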
