On Wed, Jul 31, 2013 at 6:14 PM, Robert Newson <rnew...@apache.org> wrote:
> Note: there's a blocking bug against the new "configurable whitelist
> of user document properties" which needs to be either resolved, marked
> "won't fix", or the current work on master needs reverting.

I'm distchecking my way through 1334-revert-feature-view-server-pipelining and https://github.com/adamlofts/couchdb/tree/1493-fix-zerobyte-json-parsing.

For #1838, am I correctly understanding the problem if I say that nothing is changed as long as the newly configurable whitelist is enabled by hand? I.e. _user documents only become readable once someone has touched the whitelist?

If so, my instinct is to solve this by documenting the problem (both in the changelog and in relevant other sections of the docs) and leaving the rest for a future release. That seems reasonable because the onus would be on the person enabling the whitelist to read some documentation before doing so (and they'd have to actually find the feature first). This way of doing it also helps because I can solve it myself and won't be blocked by others who need to fix the security problem.

However, if someone is ready to jump in and fix the problem (assuming we have a fix strategy in place that would satisfy everyone!), that might be better. How does that sound to others?

I should note that I'm due to leave on Thursday for 10 days with no (or very limited) connectivity. So I'm afraid someone (Noah, Robert?) might have to take over at some point. Still, I'll do my best to drive the process forward for the remaining days, so I leave as little work as possible to any successor.

Sorry again for being so slow with this. Figuring out my way to the release process, in particular changing it to deal with changelog.rst rather than NEWS and CHANGES, has been rather more time-intensive than I thought, and I've had a few hectic weeks due to other stuff.

Cheers,

Dirkjan