couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Filipe David Manana <fdman...@apache.org>
Subject Re: Issues blocking the 1.2.0 release
Date Wed, 22 Feb 2012 06:39:52 GMT
I think COUCHDB-1413 wouldn't hurt to have for 1.2.0, after all it's
about correct query results. 1.2.1 is also aceptable.
If no objections, I'll push the fix to 1.2.x as well.

On Tue, Feb 21, 2012 at 6:32 PM, Jason Smith <jhs@iriscouch.com> wrote:
> My reading of the JIRA ticket (FWIW) is that Paul explained pretty
> convincingly why this is only a minor bug if at all. For this release,
> Paul had a simple fix; although I do not see it in 1.2.x nor JIRA and
> don't recall offhand what it was exactly.
>
> On Tue, Feb 21, 2012 at 10:50 PM, Robert Newson <rnewson@apache.org> wrote:
>> heh, actually I don't think we did.
>>
>> On 21 February 2012 22:41, Paul Davis <paul.joseph.davis@gmail.com> wrote:
>>> Did we fix the original JSON thing that started this whole broughaha?
>>>
>>> On Tue, Feb 21, 2012 at 3:57 PM, Noah Slater <nslater@tumbolia.org> wrote:
>>>> Thanks.
>>>>
>>>> On Tue, Feb 21, 2012 at 9:46 PM, Jan Lehnardt <jan@apache.org> wrote:
>>>>
>>>>> On 21.02.2012, at 22:38, Robert Newson <rnewson@apache.org> wrote:
>>>>>
>>>>> > I resolved the ipv6 ticket as 'cannot reproduce' given that two
>>>>> > committers have verified ipv6 replication with 1.2.x. Time for round
>>>>> > 2?
>>>>>
>>>>> +1
>>>>>
>>>>>
>>>>> >
>>>>> > On 21 February 2012 21:11, Noah Slater <nslater@tumbolia.org>
wrote:
>>>>> >> Are we blocked on anything else? Are we good to go?
>>>>> >>
>>>>> >> On Tue, Feb 21, 2012 at 7:21 PM, Jan Lehnardt <jan@apache.org>
wrote:
>>>>> >>
>>>>> >>> Thanks guys, committed.
>>>>> >>>
>>>>> >>> Noah, 1.2.0 is unblocked on this one.
>>>>> >>>
>>>>> >>> On Feb 21, 2012, at 20:13 , Paul Davis wrote:
>>>>> >>>
>>>>> >>>> +1 on the patch to require admin for _changes.
>>>>> >>>>
>>>>> >>>> On Tue, Feb 21, 2012 at 3:36 AM, Jan Lehnardt <jan@apache.org>
wrote:
>>>>> >>>>> *nudge*
>>>>> >>>>>
>>>>> >>>>> I don't feel very confident with a single opinion
(thanks Robert),
>>>>> and
>>>>> >>> would love your input on this one.
>>>>> >>>>>
>>>>> >>>>> Cheers
>>>>> >>>>> Jan
>>>>> >>>>> --
>>>>> >>>>>
>>>>> >>>>>
>>>>> >>>>> On Feb 16, 2012, at 16:12 , Jan Lehnardt wrote:
>>>>> >>>>>
>>>>> >>>>>>
>>>>> >>>>>> On Feb 14, 2012, at 13:14 , Noah Slater wrote:
>>>>> >>>>>>
>>>>> >>>>>>> Devs,
>>>>> >>>>>>>
>>>>> >>>>>>> Please outline:
>>>>> >>>>>>>
>>>>> >>>>>>>  - What remains to be fixed for regression
purposes
>>>>> >>>>>>
>>>>> >>>>>> I want to bring up one more thing (sorry :).
>>>>> >>>>>>
>>>>> >>>>>> /_users/_changes is currently end-user readable.
While
>>>>> >>> /_users/_changes?include_docs=true will not fetch docs the
requesting
>>>>> user
>>>>> >>> doesn't have access to, it still gets all doc ids in the
/_users db and
>>>>> >>> thus easily can generate a list of all users.
>>>>> >>>>>>
>>>>> >>>>>> I'd like to propose to make /_user/_changes
also admin-only before
>>>>> we
>>>>> >>> ship 1.2.0. Again, I'm happy to revisit and make things
configurable
>>>>> down
>>>>> >>> the road.
>>>>> >>>>>>
>>>>> >>>>>> Note that the information that a particular
user is registered is
>>>>> >>> leaked (a user can't sign up with a username that is already
taken,
>>>>> from
>>>>> >>> that it can be deduced that that particular username is
already
>>>>> >>> registered). This is in line with most signup systems. Making
>>>>> >>> /_users/_changes admin-only doesn't prevent all leakage
of what users
>>>>> have
>>>>> >>> signed up, but it stops bulk-leakage of *all* users in one
swoop.
>>>>> >>>>>>
>>>>> >>>>>> What do you think?
>>>>> >>>>>>
>>>>> >>>>>> Cheers
>>>>> >>>>>> Jan
>>>>> >>>>>> --
>>>>> >>>>>>
>>>>> >>>>>>
>>>>> >>>>>
>>>>> >>>
>>>>> >>>
>>>>>
>
>
>
> --
> Iris Couch



-- 
Filipe David Manana,

"Reasonable men adapt themselves to the world.
 Unreasonable men adapt the world to themselves.
 That's why all progress depends on unreasonable men."

Mime
View raw message