manifoldcf-dev mailing list archives

From: Jack Krupansky
Subject: Re: Release?
Date: Fri, 10 Dec 2010 14:50:31 GMT

At this point in the discussion maybe what we need is a clearly stated Jira 
on the issue and what specifically is needed. Whether it is needed for 0.1 
is another matter. It sounds like (potentially) a definite 1.0 issue, but 
could we get by with a clear "statement of vulnerability" for a 0.x release 
(if in fact there is an actual vulnerability)?

It sounds like there may be a distinction between "actual" vulnerability and 
"potential" vulnerability. Whether such a distinction really matters is 
another matter.

-- Jack Krupansky

-----Original Message----- 
From: Grant Ingersoll
Sent: Friday, December 10, 2010 9:36 AM
Subject: Re: Release?

I think if there are known vulnerabilities, we need to fix them.

On Dec 10, 2010, at 6:01 AM, Karl Wright wrote:

> You can be serious about security without agreeing on the remediation.
> This software certainly adhered to MetaCarta standards and was
> audited by government agencies as well.  I understand your position,
> but I don't know if everyone will see it in a similar way, since a
> code audit highlights no problems at this time, because quoteSQLString
> is used only on constant values.  What do others think?  If the
> incubator would prohibit release on this basis, how in the heck did
> Solr ever get released?
> Karl
> On Fri, Dec 10, 2010 at 8:50 AM, Robert Muir wrote:
>> On Fri, Dec 10, 2010 at 8:42 AM, Karl Wright wrote:
>>>  Do you believe that this is a
>>> requirement for an initial release?  If so, I believe we should
>>> suspend plans for that release and revisit it in February or March.
>> I'll certainly go along with whatever everyone feels on this one... it
>> was just always my impression that Apache was pretty serious about
>> security, but I'm not really sure how this applies to incubating
>> projects etc.
>> I thought it was relevant especially since the Solr Wiki says: The
>> recommended way to add document level security to your search is
>> through Apache Lucene Connector Framework (LCF).
