I maintain my +1 vote, as it is by design to allow full access, even arbitrary plugin code upload, by users with config-edit permission and in unprotected Solr instances. I do support discussing new defaults to some of these settings, but that can happen in the open for a future release, no rush as this is by definition not a bug or vulnerability.
Jan

> 29. apr. 2023 kl. 17:54 skrev Justin Sweeney <justin.sweene...@gmail.com>:
>
> I'm going to proceed with this release as is, we can follow up with an additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
>
> On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>
>> https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to the release branch.
>> The other one will require me some more time, maybe another day.
>> Justin, I believe a re-spin is warranted to accommodate this, but I leave it to your judgement.
>>
>> On Sat, 29 Apr 2023 at 12:07, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>>
>>> In my opinion, these two are blockers.
>>>
>>> https://issues.apache.org/jira/browse/SOLR-16776
>>> https://issues.apache.org/jira/browse/SOLR-16777
>>>
>>> In case we decide not to respin to accommodate these, these should be carried over to a 9.2.2 release.
>>>
>>> On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
>>>
>>>> (FYI, -1 on a release is not a veto. Just a simple vote.)
>>>>
>>>> On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
>>>>
>>>>> Sure, carry on with this release.
>>>>>
>>>>> I vote -1 on this release, and I'll prepare for a follow on release after this one is done.
>>>>>
>>>>> On Sat, 29 Apr, 2023, 2:45 am David Smiley, <dsmi...@apache.org> wrote:
>>>>>
>>>>>> I'm going to challenge Ishan and say that there is no change coming that warrants halting a bugfix/patch release, as the proposed change that Ishan speaks of is an "improvement" that helps security and is not a bug/vulnerability being fixed. It would also bring a backwards compatibility change. So please do continue with this long delayed bugfix release!
>>>>>>
>>>>>> ~ David Smiley
>>>>>> Apache Lucene/Solr Search Developer
>>>>>> http://www.linkedin.com/in/davidwsmiley
>>>>>>
>>>>>> On Fri, Apr 28, 2023 at 3:28 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>
>>>>>>> It sounds like the general consensus from the thread regarding the issue was that while some changes to make that less risky are worthwhile, they are not blockers for the release. Did that change?
>>>>>>>
>>>>>>> I just hate to hold up the release any longer unless we have a truly blocking issue since there are a number of very worthwhile fixes included here.
>>>>>>>
>>>>>>> On Fri, Apr 28, 2023 at 12:46 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Justin,
>>>>>>>> I am testing a patch for a security issue discussed privately within the PMC group. Can you please give me another 24 hours to have it fixed? If not, then I'll be pushing for a 9.2.2 release later, once that is resolved.
>>>>>>>> Thank you for your understanding.
>>>>>>>> Regards,
>>>>>>>> Ishan
>>>>>>>>
>>>>>>>> On Fri, 28 Apr 2023 at 22:04, Arrieta, Alejandro <aarri...@perrinsoftware.com> wrote:
>>>>>>>>
>>>>>>>>> +1
>>>>>>>>> SUCCESS! [0:29:31.135392]
>>>>>>>>>
>>>>>>>>> And run Solr operator tests successfully following instructions:
>>>>>>>>> Local end-to-end cluster test successfully run!
>>>>>>>>>
>>>>>>>>> ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
>>>>>>>>>
>>>>>>>>> Kind Regards,
>>>>>>>>> Alejandro Arrieta
>>>>>>>>>
>>>>>>>>> On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein <joels...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> +1 (binding)
>>>>>>>>>>
>>>>>>>>>> SUCCESS! [0:43:48.160659]
>>>>>>>>>>
>>>>>>>>>> I tested out the assets as well and looked fine.
>>>>>>>>>>
>>>>>>>>>> Joel Bernstein
>>>>>>>>>> http://joelsolr.blogspot.com/
>>>>>>>>>>
>>>>>>>>>> On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl <jan....@cominvent.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> +1 (binding)
>>>>>>>>>>>
>>>>>>>>>>> SUCCESS! [0:38:44.920838]
>>>>>>>>>>>
>>>>>>>>>>> Jan
>>>>>>>>>>>
>>>>>>>>>>>> 27. apr. 2023 kl. 16:12 skrev Justin Sweeney <justin.sweene...@gmail.com>:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi all, we are back on for the vote:
>>>>>>>>>>>>
>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
>>>>>>>>>>>>
>>>>>>>>>>>> The artifacts can be downloaded from:
>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>
>>>>>>>>>>>> You can run the smoke tester directly with this command:
>>>>>>>>>>>>
>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>
>>>>>>>>>>>> You can build a release-candidate of the official docker image using the following command:
>>>>>>>>>>>>
>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
>>>>>>>>>>>> -t solr-rc:9.2.1-1
>>>>>>>>>>>>
>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-30 15:00 UTC.
>>>>>>>>>>>>
>>>>>>>>>>>> [ ] +1 approve
>>>>>>>>>>>> [ ] +0 no opinion
>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:38 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Yup, let's wait in that case. I didn't realize it would fail since I had temporarily added my key locally to be able to execute the additional steps. This results in the smoketester passing for me. I'll resend a vote once I'm able to push my key.
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:32 PM Houston Putman <hous...@apache.org> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hey Justin,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Should we wait to run this until after your GPG key is in https://downloads.apache.org/solr/KEYS?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> The smoketester fails for me because it can't find your key.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> - Houston
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The artifacts can be downloaded from:
>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the following command:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
>>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
>>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
>>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
>>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-27 17:00 UTC.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [ ] +1 approve
>>>>>>>>>>>>>>> [ ] +0 no opinion
>>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
>>>>>>>>>>>
>>>>>>>>>>> ---------------------------------------------------------------------
>>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
>>>>>>>>>>> For additional commands, e-mail: dev-h...@solr.apache.org