geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Sisson <jrsis...@gmail.com>
Subject Re: 1.1.1 - Ready or not ? Soliciting input
Date Wed, 09 Aug 2006 00:52:40 GMT
Kevan Miller wrote:
>
> On Aug 8, 2006, at 12:42 PM, Aaron Mulder wrote:
>
>> On 8/8/06, Kevan Miller <kevan.miller@gmail.com> wrote:
>>> Inline...
>>>
>>> On Aug 8, 2006, at 12:08 PM, Aaron Mulder wrote:
>>>
>>> > Here are the issues that bother me most in 1.1.1.  I believe they are
>>> > all also issues in 1.1.
>>> >
>>> > DEPLOYMENT
>>> >
>>> > http://issues.apache.org/jira/browse/GERONIMO-2270
>>> > - Redeploy broken when module ID does not include a type (patch
>>> > available)
>>> >
>>> > http://issues.apache.org/jira/browse/GERONIMO-2269
>>> > - Redeploy broken when module ID does not include a version and app
>>> > uses JNDI (patch available)
>>> >
>>> > I also just found a deploy problem with web apps with a plan with no
>>> > environment, but I haven't investigated much yet.
>>>
>>> Why haven't the patches been committed? They need a Release Manager
>>> go ahead? I certainly wouldn't classify either problem as a BLOCKER.
>>> They could be fixed in 1.1.x.
>>
>> They haven't been committed to 1.1.1 because the release manager nixed
>> it.  They'll be in 1.1.2 no matter what.
>>
>> In any case, we clearly need to standardize our definition of blocker.
>> I think that quality issues can be blockers, and it sounds like you
>> don't.  Which is OK, I guess we just need some way to decide what
>> we're willing to ship with, whether that's a vote or the decision of
>> the release manager or whatever.  Probably more responses to this
>> thread would help.
>
> Yes, I've noted a difference in our definitions for some time. Here 
> are some definitions from the Jira system --
> http://issues.apache.org/jira/ShowConstantsHelp.jspa?decorator=popup#PriorityLevels 
>
>
> I find the Priority Level definitions to be reasonably close to my own.
I also would prefer we stick to the JIRA definitions of priority, 
otherwise it will be too confusing.
>
> Quality issues can be blockers, but your redeploy problems are not. 
> I'd put them as Major or Minor. By the Jira definitions, they are 
> Minor. Users have a pretty reasonable work-around (Redeploy fails, 
> Users can easily undeploy, then deploy).
>
> I put some SECURITY issues in the BLOCKER category. If a user has 
> followed the rules and believes that he/she has properly secured some 
> resource and Geronimo permits unauthorized/unauthenticated access to 
> that resource, then that's a BLOCKER...
>
Agree.

There are some users who are waiting for the 1.1.1 release to fix bugs 
they have run into in 1.1.  Instead of making them wait longer, I would 
prefer we aim to get 1.1.1 out with blockers fixed and no regressions or 
compliance issues.  Releasing often enables our user base to start using 
our code (as they may have had been unable to do so in a previous 
release due to issues they hit) and possibly get more up to date 
feedback from the users for the next release. 

These are only my views and it is the community that will decide.

Regards,
John
> --kevan
>

>>
>>> > SECURITY
>>> >
>>> > http://issues.apache.org/jira/browse/GERONIMO-2294
>>> > - For a security realm with multiple login modules, we do not handle
>>> > the JAAS Control Flags correctly (e.g. we do not call the login
>>> > modules using the correct logic).  Code to reproduce available. Alan
>>> > had claimed a predecessor to this issue; I'm not sure if he's 
>>> planning
>>> > on working on this one.
>>>
>>> Does this problem allow unauthorized/unauthenticated access to
>>> secured resources? If not, then I wouldn't categorize it as a BLOCKER.
>>>
>>> >
>>> > http://issues.apache.org/jira/browse/GERONIMO-2295
>>> > - For a web app, if the security url-patterns don't exactly match the
>>> > servlet-mapping url-patterns, we apply no security at all.  Code to
>>> > reproduce available.  Alan has claimed this issue.
>>>
>>> That certainly seems like a must-fix BLOCKER to me...
>>>
>>> >
>>> > http://issues.apache.org/jira/browse/GERONIMO-1053
>>> > - Likely not still a problem (reported against M5), but if it is, it
>>> > sounds serious.
>>>
>>> Even if it does still exist, doesn't seem like a BLOCKER.
>>>
>>> >
>>> > There are a large number of other issues out there in the "security"
>>> > category, but I don't think they're all as urgent (e.g. 
>>> GEORNIMO-1747,
>>> > GERONIMO-2274, GERONIMO-2275, and GERONIMO-2279 probably ought to be
>>> > addressed in 1.1.2 but I don't think need to hold up 1.1.1).
>>> >
>>> > Thanks,
>>> >     Aaron
>>> >
>>> > On 8/8/06, Matt Hogstrom <matt@hogstrom.org> wrote:
>>> >> 1.1.1 is in a form that we can get ready to release it.  I was
>>> >> talking with Aaron and he mentioned
>>> >> that there were some security issues he was concerned about.  I
>>> >> would like to use this thread to
>>> >> identify any issues that should be considered show stoppers and
>>> >> make the decision on how to move
>>> >> forward.
>>> >>
>>> >> Please use this thread to provide that information.  What I think
>>> >> we'll need to make an appropriate
>>> >> assessement is:
>>> >>
>>> >> Issue Description
>>> >> How long have we had it?  (has it existed in earlier releases and
>>> >> we knew it)
>>> >> Exposure
>>> >> JIRA issue number tracking the issue.
>>> >>
>>> >> Please provide your input as quickly as possible so we can assess
>>> >> how to proceed with 1.1.1.
>>> >>
>>> >> Thanks.
>>> >>
>>>
>>>
>
>


Mime
View raw message