Reminder that Jan is still on break and won't be back until next week, and he's the one who had been spearheading the security tightening design work.
-Joan

On 2019-10-09 15:17, Adam Kocoloski wrote:
> OK on the security tightening I found this email from Joan:
>
> https://lists.apache.org/thread.html/9c3dacde83d698c262afec5eca524783c71dbeceee26aa66a77538ee@%3Cdev.couchdb.apache.org%3E
>
> Reproduced here. I’ll add this context to the ticket, but seems like there’s
> a decent amount of design work left to do here.
>
> Adam
>
>> I remembered one last deprecation we wanted in 3.0: security tightening,
>> which included the deprecation of admin party.
>>
>> Jan can you find the ticket on this? I don't think it's the full #1504.
>> Just new defaults, and we'll need to think thru what happens when
>> starting up a node that has no [admins]. Do we create one and log its
>> password to the logfile? What if logging is disabled / goes nowhere? Or
>> do we simply refuse to start until an admin is created? What about
>> crypting and salting the password ahead of time - do we introduce a
>> small cli tool to generate passwords like apache/httpd does? Many questions.
>>
>> -Joan
>
>> On Oct 9, 2019, at 2:32 PM, Adam Kocoloski <kocol...@apache.org> wrote:
>>
>> I tidied up the “3.0 Release Tasks” column and closed out a few issues that
>> didn’t get auto-closed through PRs. We’re down to 8 cards in that column at
>> the moment.
>>
>> One issue is the rebar3 / mix migration:
>> https://github.com/apache/couchdb/issues/1428. I’m not convinced that needs
>> to land for 3.0. I expect most people use our binary packages and/or
>> container-based installation methods rather than building from source
>> themselves. It also feels like there’s a fair amount of open-ended
>> experimentation that might take place in order to build consensus on the
>> direction there. I’d like to move that back into the backlog; does anyone
>> disagree?
>>
>> We also have an issue that says we want to “tighten up the security model”:
>> https://github.com/apache/couchdb/issues/2191. I don’t know quite what the
>> intended scope is for that. Does anyone have specifics there?
>>
>> Adam
>>
>>> On Oct 2, 2019, at 10:25 AM, Denitsa Burroughs
>>> <denitsa.burrou...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> Here's a weekly update on CouchDB 3.0. Still looking for volunteers to work
>>> on the available issues and/or doc items. Please take a look and let me
>>> know if you can work in any of these.
>>>
>>> *In progress (Owners, please provide an update):*
>>>
>>> #1524 <https://github.com/apache/couchdb/issues/1524> Per-document access
>>> control- Jan
>>> #1875 <https://github.com/apache/couchdb/issues/1875> Update SpiderMonkey
>>> Version - Peng Hui
>>> #2165 <https://github.com/apache/couchdb/issues/2165> - Remove
>>> delayed_commits setting - Nick (docs left)
>>>
>>> *Available: *
>>> #2177 <https://github.com/apache/couchdb/issues/2177> Update Fauxton
>>> dependency
>>> #2169 <https://github.com/apache/couchdb/issues/2169> Remove support for
>>> ?stale query parameter in favor of `stable` and `update_after` combo
>>> #2167 <https://github.com/apache/couchdb/issues/2167> Remove vestiges of
>>> view-based `_changes` feed
>>> #2166 <https://github.com/apache/couchdb/issues/2166> - Remove
>>> `/{db}/_external/*`
>>> #2115 <https://github.com/apache/couchdb/issues/2115> Update default config
>>> settings (Q, max_document_size, etc.)
>>> #1428 <https://github.com/apache/couchdb/issues/1428> Migrate to rebar3 or
>>> mix
>>> #1470 <https://github.com/apache/couchdb/pull/1470> Fix calculation of
>>> external size for attachments - Eric?
>>> #1523 <https://github.com/apache/couchdb/issues/1523> Retire the
>>> node-local interface (port 5986)
>>>
>>> - WIP PR: https://github.com/apache/couchdb/pull/2092
>>>
>>>
>>> *Discussion items (on ML):*
>>> 2191 <https://github.com/apache/couchdb/issues/2191> Tightening up the
>>> security model
>>> IOQ discussion - Cluster setup does not create IOQ stats database
>>>
>>> *Documentation improvements:*
>>> - Proposed deprecations for 3.0, not rebuilt/removed in 4.0
>>> - couch_btree developer docs - Chintan
>>>
>>> Thanks!
>>>
>>> Deni