Hi John,

Great news, thanks for confirming.

Regards,
Remi

> On 13 Nov 2015, at 20:53, John Burwell <john.burw...@shapeblue.com> wrote:
>
> Rafael,
>
> Excellent news. Since we found the fix in master, I withdraw my -1 and any
> concerns.
>
> Per the steps I listed, I simply checked that the commit was pulled forward.
> Since I wrote the patch, I didn’t actually apply the changes to 4.5 or master
> — the reviewer performed these actions. I agree that those applying fixes
> from other release branches to master must properly fast forward to maintain
> traceability.
>
> Thanks,
> -John
>
> ---
> John Burwell (@john_burwell)
> VP of Software Engineering, ShapeBlue
> (571) 403-2411 | +44 20 3603 0542
> http://www.shapeblue.com | @ShapeBlue
> 53 Chandos Place, Covent Garden, London, WC2N 4HS
>
>> On Nov 13, 2015, at 2:40 PM, Rafael Weingärtner
>> <rafaelweingart...@gmail.com> wrote:
>>
>> Hi John Burwell,
>> Did you test the RC? Or you just checked if the commit was present?
>>
>> I have just checked and your changes that were introduced using the commit
>> "3a48171bd8a70c6012afce32c7636afffc1d2f7d" to the tag 4.5.2 are indeed in
>> master. The point here is that, when you do a rebase, a new commit is
>> created. Your changes were introduced to master using the commit
>> "ef44c7d305567c99eb1b0ec411a64b4d3582db75"
>>
>> There is no need to stop the release process because of that.
>>
>> On Fri, Nov 13, 2015 at 5:23 PM, John Burwell <john.burw...@shapeblue.com>
>> wrote:
>>
>>> All,
>>>
>>> I realize when I reported my issue, I failed to state my methodology for
>>> determining the fix was not present in RC2. I performed the following
>>> steps:
>>>
>>> 1. git fetch origin
>>> 2. git checkout master
>>> 3. git rebase origin/master
>>> 4. git tag --contains 3a48171b
>>>
>>> Steps 2 and 3 shouldn’t be necessary, but belts and suspenders. The
>>> result of these steps was that only the 4.5.2 tag came back as containing
>>> the 3a48171b commit.
>>> There is always the chance that I mucked up the check, and someone should
>>> double check my work before we go through the effort of pulling back an
>>> approved RC.
>>>
>>> Thanks,
>>> -John
>>>
>>>> On Nov 13, 2015, at 2:07 PM, John Burwell <john.burw...@shapeblue.com> wrote:
>>>>
>>>> Wilder,
>>>>
>>>> For now, I am just concerned with averting the security nightmare of
>>>> shipping a CVE regression. In terms of process, I don’t know how we
>>>> proceed. Were the vote still open, a single binding -1 would abort the
>>>> RC. We can either all decide by consensus not to pull back the RC or I can
>>>> open a vote thread. Personally, I would prefer consensus.
>>>>
>>>> After 4.6.0, there is no doubt we need to assess how this CVE (and
>>>> potentially others) were not merged forward. I am thinking we shift back
>>>> through the git log to find all known CVE fixes and add each hash to a file
>>>> representing the commits that must be present. Our release tests then
>>>> perform a git tag --contains for each hash to ensure that no CVE fixes have
>>>> been missed.
>>>>
>>>> Thanks,
>>>> -John
>>>>
>>>>> On Nov 13, 2015, at 1:58 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
>>>>>
>>>>> Hi John,
>>>>>
>>>>> If that actually goes against a community/industry standard, I will
>>>>> support you. It is not in my bucket list to be part of a group that
>>>>> released something that was already destined to fail.
>>>>>
>>>>> However, I would like to make 2 points in this whole thing:
>>>>>
>>>>> 1. It’s a big shame to see that it was only fixed on the 4.5.x and not
>>>>>    pushed towards master. We have to stop this.
>>>>> 2. Would be nice to dedicate some time to check the emails around a
>>>>>    release cycle to avoid things like that. Cancelling it now means that
>>>>>    many people will have to go and redo many tests to make sure everything
>>>>>    is fine! Nobody wants a release that was half tested only because a few
>>>>>    lines of code changed.
>>>>>
>>>>> If you agree with me, we can cancel it and start the RC3 cycle on the
>>>>> 23rd November. We just need to get the other member of the community to
>>>>> agree on that as well.
>>>>>
>>>>> We just ask Shape Blue to run some tests on the 23rd, that’s all.
>>>>>
>>>>> Cheers,
>>>>> Wilder
>>>>>
>>>>>> On 13 Nov 2015, at 19:25, John Burwell <john.burw...@shapeblue.com> wrote:
>>>>>>
>>>>>> Wilder,
>>>>>>
>>>>>> As a community, we cannot knowingly ship a release containing a CVE
>>>>>> regression. The industry best practice in this circumstance would be to
>>>>>> pull the release and notify users not to use it. Luckily, the release
>>>>>> hasn’t shipped yet, we can simply abort and create a new RC with CVE
>>>>>> fix(es) included.
>>>>>>
>>>>>> Thanks,
>>>>>> -John
>>>>>>
>>>>>>> On Nov 13, 2015, at 1:11 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
>>>>>>>
>>>>>>> :(
>>>>>>>
>>>>>>> Sad to hear that just that late in the release process, John. Even
>>>>>>> worse to hear that it was already happening in 4.5.2 - released some
>>>>>>> months ago. But no worries! With our new release process, we can do
>>>>>>> things, in a proper way, quicker than before.
>>>>>>> The ACS 4.6.1 RC1 will be out within 2 weeks from now, fully tested
>>>>>>> and with the fixes - Redundant VPC split-brain, S3 and your sec issue -
>>>>>>> included. We will increase the release cycle, not because we release
>>>>>>> broken stuff, but because we want to decrease the number of open issues.
>>>>>>>
>>>>>>> Our goal is to make ACS better than any cloud platform in the market!
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Wilder
>>>>>>>
>>>>>>>> On 13 Nov 2015, at 18:45, John Burwell <john.burw...@shapeblue.com> wrote:
>>>>>>>>
>>>>>>>> All,
>>>>>>>>
>>>>>>>> I realize my vote is coming in after the vote has closed. However,
>>>>>>>> I found that a fix [1] for at least one CVE that shipped in 4.5.2, CVE
>>>>>>>> 2015-3251, is not present in 4.6.0. I just happened to notice because
>>>>>>>> someone asked me within the last half hour about the availability of
>>>>>>>> that fix. I apologize for the late -1 (binding), but, in my opinion, we
>>>>>>>> should never knowingly ship a regression of a CVE fix. There were other
>>>>>>>> CVEs addressed in 4.5.2, and I am concerned they also may be missing
>>>>>>>> from 4.6.0.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> -John
>>>>>>>>
>>>>>>>> [1]: https://github.com/apache/cloudstack/commit/3a48171b
>>>>>>>>
>>>>>>>>> On Nov 13, 2015, at 11:11 AM, Nux! <n...@li.nux.ro> wrote:
>>>>>>>>>
>>>>>>>>> Good job, everyone! :-)
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Sent from the Delta quadrant using Borg technology!
>>>>>>>>>
>>>>>>>>> Nux!
>>>>>>>>> www.nux.ro
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>>> From: "Remi Bergsma" <rberg...@schubergphilis.com>
>>>>>>>>>> To: dev@cloudstack.apache.org
>>>>>>>>>> Sent: Friday, 13 November, 2015 15:16:33
>>>>>>>>>> Subject: [RESULT] [VOTE] Apache CloudStack 4.6.0
>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>>
>>>>>>>>>> After 72 hours, the vote for CloudStack 4.6.0 [1] *passes* with 7
>>>>>>>>>> PMC + 2 non-PMC votes.
>>>>>>>>>>
>>>>>>>>>> +1 (PMC / binding)
>>>>>>>>>> * Wilder
>>>>>>>>>> * Nux (Lucian)
>>>>>>>>>> * Rajani
>>>>>>>>>> * Daan
>>>>>>>>>> * Milamber (Bruno)
>>>>>>>>>> * Wido
>>>>>>>>>> * Remi
>>>>>>>>>>
>>>>>>>>>> +1 (non binding)
>>>>>>>>>> * Raja
>>>>>>>>>> * Boris
>>>>>>>>>>
>>>>>>>>>> 0
>>>>>>>>>> none
>>>>>>>>>>
>>>>>>>>>> -1
>>>>>>>>>> none
>>>>>>>>>>
>>>>>>>>>> A huge Thank You to everyone participating! :-)
>>>>>>>>>>
>>>>>>>>>> I will now prepare the release announcement to go out after the
>>>>>>>>>> weekend. In the meantime the mirrors have time to catch up and we
>>>>>>>>>> have time to update the documentation and put everything in place.
>>>>>>>>>>
>>>>>>>>>> [1] http://cloudstack.markmail.org/message/pah6mhj7qgxewvx2
>>>>>>>>
>>>>>>>> Find out more about ShapeBlue and our range of CloudStack related
>>>>>>>> services
>>>>>>>>
>>>>>>>> IaaS Cloud Design & Build <http://shapeblue.com/iaas-cloud-design-and-build//>
>>>>>>>> CSForge – rapid IaaS deployment framework <http://shapeblue.com/csforge/>
>>>>>>>> CloudStack Consulting <http://shapeblue.com/cloudstack-consultancy/>
>>>>>>>> CloudStack Software Engineering <http://shapeblue.com/cloudstack-software-engineering/>
>>>>>>>> CloudStack Infrastructure Support <http://shapeblue.com/cloudstack-infrastructure-support/>
>>>>>>>> CloudStack Bootcamp Training Courses <http://shapeblue.com/cloudstack-training/>
>>>>>>>>
>>>>>>>> This email and any attachments to it may be confidential and are
>>>>>>>> intended solely for the use of the individual to whom it is addressed.
>>>>>>>> Any views or opinions expressed are solely those of the author and do
>>>>>>>> not necessarily represent those of Shape Blue Ltd or related companies.
>>>>>>>> If you are not the intended recipient of this email, you must neither
>>>>>>>> take any action based upon its contents, nor copy or show it to anyone.
>>>>>>>> Please contact the sender if you believe you have received this email
>>>>>>>> in error. Shape Blue Ltd is a company incorporated in England & Wales.
>>>>>>>> ShapeBlue Services India LLP is a company incorporated in India and is
>>>>>>>> operated under license from Shape Blue Ltd. Shape Blue Brasil
>>>>>>>> Consultoria Ltda is a company incorporated in Brasil and is operated
>>>>>>>> under license from Shape Blue Ltd. ShapeBlue SA Pty Ltd is a company
>>>>>>>> registered by The Republic of South Africa and is traded under license
>>>>>>>> from Shape Blue Ltd. ShapeBlue is a registered trademark.
>>
>> --
>> Rafael Weingärtner
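
The release check proposed in the thread (a file of CVE-fix hashes tested against a tag) and the false negative explained in the reply about rebased commits, as an added example that is not part of the original thread or of CloudStack's release tooling. It builds a constructed throwaway repository; the file contents, the `pre-fix` tag and all function names are assumptions made for illustration, and the hash lookup is backed by a `git patch-id` comparison so a fix re-applied under a new commit id is still recognised.

```sh
#!/bin/sh
# Added example on a constructed throwaway repository (not the CloudStack tree).
set -e

make_demo_repo() {  # fix tagged on a release branch, then cherry-picked to master
  REPO=$(mktemp -d)
  (
    cd "$REPO" && git init -q . && git symbolic-ref HEAD refs/heads/master
    git config user.name demo && git config user.email demo@example.invalid
    git config commit.gpgsign false
    echo "check=off" > auth.txt
    git add auth.txt && git commit -q -m "base" && git tag pre-fix
    git checkout -q -b release
    echo "check=on" > auth.txt
    git commit -q -am "security fix (constructed)" && git tag 4.5.2
    git checkout -q master
    echo "new" > feature.txt
    git add feature.txt && git commit -q -m "feature"
    git cherry-pick 4.5.2 >/dev/null   # same change, new commit id
    git tag 4.6.0
  )
  FIX=$(git -C "$REPO" rev-parse 4.5.2)
}

# Hash check, the question `git tag --contains` answers: is COMMIT an ancestor of TAG?
contains_by_hash() { git -C "$REPO" merge-base --is-ancestor "$2" "$1"; }

# Content check: does any commit reachable from TAG carry the same patch-id?
contains_by_patch() {
  want=$(git -C "$REPO" show "$2" | git -C "$REPO" patch-id | cut -d' ' -f1)
  git -C "$REPO" log -p --no-merges "$1" | git -C "$REPO" patch-id |
    cut -d' ' -f1 | grep -qx "$want"
}

# Release gate: every fix hash listed in FILE must be present in TAG.
audit_tag() {  # usage: audit_tag TAG FILE; returns 1 if any fix is missing
  missing=0
  while read -r fix; do
    if contains_by_hash "$1" "$fix"; then echo "$fix: same commit"
    elif contains_by_patch "$1" "$fix"; then echo "$fix: re-applied under a new id"
    else echo "$fix: MISSING from $1"; missing=1
    fi
  done < "$2"
  return "$missing"
}

make_demo_repo
echo "$FIX" > "$REPO/fixes.txt"
audit_tag 4.6.0 "$REPO/fixes.txt"   # hash lookup fails, patch-id match succeeds
```

A patch-id match only holds when the fix was re-applied unchanged; a backport that needed conflict resolution produces a different patch-id, so a reported miss still calls for a manual look at the code.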