Given all this, I will release Redback 1.1.1 now with just this fix
included so we can roll another 1.2 (take 4) immediately.
- Brett
On 18/09/2008, at 7:21 AM, Emmanuel Venisse wrote:
I don't consider it as a blocker issue for the majority of installs but it is
one for vmbuild.
IMO, we can release it with this issue and release 1.2.1 in a few weeks with
redback 1.2 (not tested yet Brett's changes) and some other fixes, but I'm
ok for a take 4 too :-)
Emmanuel
On Wed, Sep 17, 2008 at 10:19 PM, Olivier Lamy <[EMAIL PROTECTED]> wrote:
As I understand here we depend on a redback 1.2 release to fix that?
When will this one be released?
Perso, I don't have any objections to try another release (take 4) if
the next redback release which fixes that is available at the end of the
week. (Now I know exactly what to do to cut a continuum release, all
scripts are ready ;-) ).
I consider this issue as blocker if we want to update the continuum
instance in vmbuild.
Thoughts?
Thanks,
--
Olivier
2008/9/17 Wendy Smoak <[EMAIL PROTECTED]>:
On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <[EMAIL PROTECTED]> wrote:
The last release was 9 months ago and none has been done since the TLP
graduation.
I'd like to release continuum 1.2.
We fixed 128 issues:
http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
The staging repo is here:
http://people.apache.org/~olamy/staging-repo/
If you're using project group permissions, there's a fairly serious
security issue in 1.2. Any project group admin can grant roles all
the way up to system administrator, to himself and others.
(CONTINUUM-1867)
I'm conflicted about releasing this as-is. On one hand, if you're
depending on the roles to prevent access to projects, it's seriously
broken. On the other hand... most people I've talked to aren't using
this feature, and even if the roles *are* working, any developer can
check in a script, which runs as the Continuum user, and do pretty
much anything they want.
Thoughts?
--
Wendy
--
Brett Porter
[EMAIL PROTECTED]
http://blogs.exist.com/bporter/