Mailing-List: contact esme-dev-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: esme-dev@incubator.apache.org
Received-SPF: pass (athena.apache.org: domain of sig.rinde@gmail.com
 designates 209.85.218.227 as permitted sender)
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:sender:in-reply-to:references:date
         :x-google-sender-auth:message-id:subject:from:to:content-type
         :content-transfer-encoding;
        b=kZvdnPzb35L+q5TKWo9OJydqPNR40XjaIsuRql4XDwvmFdNIjVKZ8+Ob4iV6z+JDdF
         0n3aAws5Rv8Y2sC/UH1umVP8Yy7rZkYGJlPcFaWzqMNGddmKG3pewmejhWNDXYiAzTNn
         gVjxtcY4qR6OnegzDdn9Tkq/VTg3XAVsqRfyw=
MIME-Version: 1.0
Sender: sig.rinde@gmail.com
In-Reply-To: <68f4a0e81002210855y7fbbf6b5n9369044f86ddc4c8@mail.gmail.com>
References: <fa2d9f451002171103r7f65187cka3a4957d2d1a718e@mail.gmail.com>
	 <fa2d9f451002201110j675f50e4y7c8066e16d48b4e4@mail.gmail.com>
	 <9cbd74ac1002201121q358cd2d8vea381630e07ad785@mail.gmail.com>
	 <fa2d9f451002201128g6951ebd7wd5dc4f5a76b24ff8@mail.gmail.com>
	 <68f4a0e81002201203x2065f265k9a0d61ace30c4cde@mail.gmail.com>
	 <f767f0601002201310i31d9fee1sb9d03b7bbdf94592@mail.gmail.com>
	 <fa2d9f451002201346x2097deccs594329b0e11af71a@mail.gmail.com>
	 <68f4a0e81002201549i6b17876fxba33aab7cd4c18f1@mail.gmail.com>
	 <fa2d9f451002210808w7daf446dm74cbc4d328efefb6@mail.gmail.com>
	 <68f4a0e81002210855y7fbbf6b5n9369044f86ddc4c8@mail.gmail.com>
Date: Sun, 21 Feb 2010 18:22:13 +0100
Message-ID: <9cbd74ac1002210922y14df971fy2540a73182e9d6c5@mail.gmail.com>
Subject: Re: [VOTE] Approve the release of apache-esme-incubating-1.0 - (Yes
	Again :->)
From: Sig Rinde <sig@rinde.com>
To: esme-dev <esme-dev@incubator.apache.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Great work folks, interesting process to follow I must say!

And sorry for messing up, keep in mind for next time I'm really good
at stumbling over bugs, i.e. mess up, so set me to test work early =3D)

Sig

On 21 February 2010 17:55, Ethan Jewett <esjewett@gmail.com> wrote:
> Hi,
>
> Thanks for humoring my concerns, and again for all the work you're doing =
Dick.
>
> I've checked out the new tag and tested it. It passes all unit tests,
> search is working out of the box, and the security hole is closed.
> From my point of view, we're ready for a vote.
>
> Thanks,
> Ethan
>
> On Sun, Feb 21, 2010 at 10:08 AM, Richard Hirsch <hirsch.dick@gmail.com> =
wrote:
>> OK.
>>
>> I've tagged a new Release Candidate:
>> https://svn.apache.org/repos/asf/incubator/esme/tags/apache-esme-1.0-inc=
ubating/
>>
>> This means that we have to vote again (sigh!) -.
>>
>> This time I suggest we test the tagged RC before we do a vote.
>>
>> D.
>>
>> On Sun, Feb 21, 2010 at 12:49 AM, Ethan Jewett <esjewett@gmail.com> wrot=
e:
>>> Hi all,
>>>
>>> For the original issue, where doing nothing simply results in a loss
>>> of functionality, I would agree. However, I think this is a major
>>> security hole that requires that the person deploying the software to
>>> take a specific action. If they don't take this action, then their
>>> deployment is vulnerable. I'm not comfortable putting the ESME stamp
>>> on a release that we know has this kind of issue. I think it's worth
>>> spending the extra time to address this issue and set the precedent
>>> that we don't release software with known security holes.
>>>
>>> I'm sticking with my -1 at this point. I'm not trying to veto (I don't
>>> even know if I can :-), so if a majority have voted for release after
>>> 72 hours (which I think is the case), then feel free to go ahead.
>>>
>>> Ethan
>>>
>>> On Sat, Feb 20, 2010 at 3:46 PM, Richard Hirsch <hirsch.dick@gmail.com>=
 wrote:
>>>> I agree with Bertrand.
>>>>
>>>> I'd like to get this release out and then do a another release soon to
>>>> fix the errors.
>>>>
>>>> Right now, there are the two issues that have to be changed and Ethan
>>>> has already changed them in SVN.
>>>>
>>>>>I believe that this will happen on any system and I think the fact tha=
t search and the API2 doesn't work out of the box will really
>>>>>confuse people.
>>>> The fact that search doesn't work is IMHO the lesser of the two
>>>> errors. Does the API2 not work at all or is the problem more the
>>>> security one associated with the "role.api_test=3Dintegration-admin"
>>>> setting?
>>>>
>>>> I'm reluctant to cut a new release , because then we'd have to start
>>>> over again. Like I've said, I see this first release as a learning
>>>> experience. No release will be perfect and will always include a few
>>>> bugs. I'd rather get this release out and then do another release in 2
>>>> weeks time with the bug fixes. =A0Now that we know how to do create
>>>> releases it will be easier the next time. =A0We should get used to
>>>>
>>>> I'd rather describe the two changes that have to made in the resource
>>>> files in a blog post or on the wiki and then push for a new release.
>>>>
>>>> Anyone else have thoughts on this
>>>>
>>>> D.
>>>>
>>>>
>>>>
>>>> On Sat, Feb 20, 2010 at 10:10 PM, Bertrand Delacretaz
>>>> <bdelacretaz@apache.org> wrote:
>>>>> On Sat, Feb 20, 2010 at 9:03 PM, Ethan Jewett <esjewett@gmail.com> wr=
ote:
>>>>>> ...Maybe making this two-line change to one file is small enough tha=
t we
>>>>>> don't have to revote. I'm not sure. Maybe the mentors can weigh in..=
..
>>>>>
>>>>> Anything that changes the release artifacts needs a new vote.
>>>>>
>>>>> On the other hand, if there's a workaround (IIUC people can change
>>>>> something manually to get things to work?) I suggest releasing as is.
>>>>>
>>>>> Nothing prevents you from making another release soon, if needed.
>>>>> Getting used to releasing is good progress towards graduation ;-)
>>>>>
>>>>> -Bertrand
>>>>>
>>>>
>>>
>>
>