OK on the security tightening I found this email from Joan:

https://lists.apache.org/thread.html/9c3dacde83d698c262afec5eca524783c71dbeceee26aa66a77538ee@%3Cdev.couchdb.apache.org%3E

Reproduced here. I’ll add this context to the ticket, but seems like there’s a decent amount of design work left to do here.

Adam

> I remembered one last deprecation we wanted in 3.0: security tightening,
> which included the deprecation of admin party.
>
> Jan can you find the ticket on this? I don't think it's the full #1504.
> Just new defaults, and we'll need to think thru what happens when
> starting up a node that has no [admins]. Do we create one and log its
> password to the logfile? What if logging is disabled / goes nowhere? Or
> do we simply refuse to start until an admin is created? What about
> crypting and salting the password ahead of time - do we introduce a
> small cli tool to generate passwords like apache/httpd does? Many questions.
>
> -Joan

> On Oct 9, 2019, at 2:32 PM, Adam Kocoloski <kocol...@apache.org> wrote:
>
> I tidied up the “3.0 Release Tasks” column and closed out a few issues that
> didn’t get auto-closed through PRs. We’re down to 8 cards in that column at
> the moment.
>
> One issue is the rebar3 / mix migration:
> https://github.com/apache/couchdb/issues/1428. I’m not convinced that needs
> to land for 3.0. I expect most people use our binary packages and/or
> container-based installation methods rather than building from source
> themselves. It also feels like there’s a fair amount of open-ended
> experimentation that might take place in order to build consensus on the
> direction there. I’d like to move that back into the backlog; does anyone
> disagree?
>
> We also have an issue that says we want to “tighten up the security model”:
> https://github.com/apache/couchdb/issues/2191. I don’t know quite what the
> intended scope is for that. Does anyone have specifics there?
>
> Adam
>
>> On Oct 2, 2019, at 10:25 AM, Denitsa Burroughs <denitsa.burrou...@gmail.com>
>> wrote:
>>
>> Hi all,
>>
>> Here's a weekly update on CouchDB 3.0. Still looking for volunteers to work
>> on the available issues and/or doc items. Please take a look and let me
>> know if you can work in any of these.
>>
>> *In progress (Owners, please provide an update):*
>>
>> #1524 <https://github.com/apache/couchdb/issues/1524> Per-document access
>> control- Jan
>> #1875 <https://github.com/apache/couchdb/issues/1875> Update SpiderMonkey
>> Version - Peng Hui
>> #2165 <https://github.com/apache/couchdb/issues/2165> - Remove
>> delayed_commits setting - Nick (docs left)
>>
>> *Available: *
>> #2177 <https://github.com/apache/couchdb/issues/2177> Update Fauxton
>> dependency
>> #2169 <https://github.com/apache/couchdb/issues/2169> Remove support for
>> ?stale query parameter in favor of `stable` and `update_after` combo
>> #2167 <https://github.com/apache/couchdb/issues/2167> Remove vestiges of
>> view-based `_changes` feed
>> #2166 <https://github.com/apache/couchdb/issues/2166> - Remove
>> `/{db}/_external/*`
>> #2115 <https://github.com/apache/couchdb/issues/2115> Update default config
>> settings (Q, max_document_size, etc.)
>> #1428 <https://github.com/apache/couchdb/issues/1428> Migrate to rebar3 or
>> mix
>> #1470 <https://github.com/apache/couchdb/pull/1470> Fix calculation of
>> external size for attachments - Eric?
>> #1523 <https://github.com/apache/couchdb/issues/1523> Retire the
>> node-local interface (port 5986)
>>
>> - WIP PR: https://github.com/apache/couchdb/pull/2092
>>
>>
>> *Discussion items (on ML):*
>> 2191 <https://github.com/apache/couchdb/issues/2191> Tightening up the
>> security model
>> IOQ discussion - Cluster setup does not create IOQ stats database
>>
>> *Documentation improvements:*
>> - Proposed deprecations for 3.0, not rebuilt/removed in 4.0
>> - couch_btree developer docs - Chintan
>>
>> Thanks!
>>
>> Deni