I am a Continuum admin and do make use of the project group permissions. In my case any person that I give group permissions to I trust enough not to exploit this. I agree with Ken, as long as this is fixed quickly I won't mind waiting for a 1.2.1.
Bryan

-----Original Message-----
From: Ken Liu [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 17, 2008 12:47 PM
To: [email protected]
Subject: Re: [VOTE] Release Continuum 1.2 (take 3)

I am the continuum admin for my team and would be ok with this, and I am eager to start using 1.2. Perhaps just make sure that this problem is mentioned in the release notes, and then start working on an immediate bugfix (1.2.1) release? I think those people who would have a problem with the security hole could just wait a few weeks until the next release.

just my $.02

Ken

On Wed, Sep 17, 2008 at 12:11 PM, Wendy Smoak <[EMAIL PROTECTED]> wrote:
> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <[EMAIL PROTECTED]> wrote:
>
> > The last release is 9 months and none has been done since the TLP
> > graduation.
> > I'd like to release continuum 1.2.
> > We fixed 128 issues :
> > http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
> >
> > The staging repo is here : http://people.apache.org/~olamy/staging-repo/
>
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2. Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
>
> I'm conflicted about releasing this as-is. On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken. On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
>
> Thoughts?
>
> --
> Wendy
