On Sun, Apr 30, 2023, 10:09 AM Jan Høydahl <jan....@cominvent.com> wrote:
> I maintain my +1 vote, as it is by design to allow full access, even
> arbitrary plugin code upload, by

There is no such "design" as you say Jan. Show me a single feature that can upload and run code without file system or direct zk access

> users with config-edit permission and in unprotected Solr instances.
> I do support discussing new defaults to some of these settings, but that
> can happen in the open for a future release, no rush as this is by
> definition not a bug or vulnerability.
>
> Jan
>
> > On 29 Apr 2023, at 17:54, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >
> > I'm going to proceed with this release as is, we can follow up with an
> > additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
> >
> > On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >
> >> https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to
> >> the release branch.
> >> The other one will require me some more time, maybe another day.
> >> Justin, I believe a re-spin is warranted to accommodate this, but I leave
> >> it to your judgement.
> >>
> >> On Sat, 29 Apr 2023 at 12:07, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >>
> >>> In my opinion, these two are blockers.
> >>>
> >>> https://issues.apache.org/jira/browse/SOLR-16776
> >>> https://issues.apache.org/jira/browse/SOLR-16777
> >>>
> >>> In case we decide not to respin to accommodate these, these should be
> >>> carried over to a 9.2.2 release.
> >>>
> >>> On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
> >>>
> >>>> (FYI, -1 on a release is not a veto. Just a simple vote.)
> >>>>
> >>>> On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
> >>>>
> >>>>> Sure, carry on with this release.
> >>>>>
> >>>>> I vote -1 on this release, and I'll prepare for a follow on release
> >>>>> after this one is done.
> >>>>>
> >>>>> On Sat, 29 Apr, 2023, 2:45 am David Smiley, <dsmi...@apache.org> wrote:
> >>>>>
> >>>>>> I'm going to challenge Ishan and say that there is no change coming that
> >>>>>> warrants halting a bugfix/patch release, as the proposed change that Ishan
> >>>>>> speaks of is an "improvement" that helps security and is not a
> >>>>>> bug/vulnerability being fixed. It would also bring a backwards
> >>>>>> compatibility change. So please do continue with this long delayed bugfix
> >>>>>> release!
> >>>>>>
> >>>>>> ~ David Smiley
> >>>>>> Apache Lucene/Solr Search Developer
> >>>>>> http://www.linkedin.com/in/davidwsmiley
> >>>>>>
> >>>>>> On Fri, Apr 28, 2023 at 3:28 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>
> >>>>>>> It sounds like the general consensus from the thread regarding the issue
> >>>>>>> was that while some changes to make that less risky are worthwhile, they
> >>>>>>> are not blockers for the release. Did that change?
> >>>>>>>
> >>>>>>> I just hate to hold up the release any longer unless we have a truly
> >>>>>>> blocking issue since there are a number of very worthwhile fixes included
> >>>>>>> here.
> >>>>>>>
> >>>>>>> On Fri, Apr 28, 2023 at 12:46 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Hi Justin,
> >>>>>>>> I am testing a patch for a security issue discussed privately within the
> >>>>>>>> PMC group. Can you please give me another 24 hours to have it fixed? If
> >>>>>>>> not, then I'll be pushing for a 9.2.2 release later, once that is resolved.
> >>>>>>>> Thank you for your understanding.
> >>>>>>>> Regards,
> >>>>>>>> Ishan
> >>>>>>>>
> >>>>>>>> On Fri, 28 Apr 2023 at 22:04, Arrieta, Alejandro <aarri...@perrinsoftware.com> wrote:
> >>>>>>>>
> >>>>>>>>> +1
> >>>>>>>>> SUCCESS! [0:29:31.135392]
> >>>>>>>>>
> >>>>>>>>> And run Solr operator tests successfully following instructions:
> >>>>>>>>> Local end-to-end cluster test successfully run!
> >>>>>>>>>
> >>>>>>>>> ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
> >>>>>>>>>
> >>>>>>>>> Kind Regards,
> >>>>>>>>> Alejandro Arrieta
> >>>>>>>>>
> >>>>>>>>> On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein <joels...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> +1 (binding)
> >>>>>>>>>>
> >>>>>>>>>> SUCCESS! [0:43:48.160659]
> >>>>>>>>>>
> >>>>>>>>>> I tested out the assets as well and looked fine.
> >>>>>>>>>>
> >>>>>>>>>> Joel Bernstein
> >>>>>>>>>> http://joelsolr.blogspot.com/
> >>>>>>>>>>
> >>>>>>>>>> On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl <jan....@cominvent.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> +1 (binding)
> >>>>>>>>>>>
> >>>>>>>>>>> SUCCESS! [0:38:44.920838]
> >>>>>>>>>>>
> >>>>>>>>>>> Jan
> >>>>>>>>>>>
> >>>>>>>>>>>> On 27 Apr 2023, at 16:12, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi all, we are back on for the vote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> >>>>>>>>>>>>
> >>>>>>>>>>>> The artifacts can be downloaded from:
> >>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>
> >>>>>>>>>>>> You can run the smoke tester directly with this command:
> >>>>>>>>>>>>
> >>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> >>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>
> >>>>>>>>>>>> You can build a release-candidate of the official docker image using the
> >>>>>>>>>>>> following command:
> >>>>>>>>>>>>
> >>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> >>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> >>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> >>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> >>>>>>>>>>>> -t solr-rc:9.2.1-1
> >>>>>>>>>>>>
> >>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-30 15:00 UTC.
> >>>>>>>>>>>>
> >>>>>>>>>>>> [ ] +1 approve
> >>>>>>>>>>>> [ ] +0 no opinion
> >>>>>>>>>>>> [ ] -1 disapprove (and reason why)
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:38 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Yup, let's wait in that case. I didn't realize it would fail since I had
> >>>>>>>>>>>>> temporarily added my key locally to be able to execute the additional
> >>>>>>>>>>>>> steps. This results in the smoketester passing for me. I'll resend a vote
> >>>>>>>>>>>>> once I'm able to push my key.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:32 PM Houston Putman <hous...@apache.org> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hey Justin,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Should we wait to run this until after your GPG key is in
> >>>>>>>>>>>>>> https://downloads.apache.org/solr/KEYS?
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> The smoketester fails for me because it can't find your key.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> - Houston
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> The artifacts can be downloaded from:
> >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the
> >>>>>>>>>>>>>>> following command:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> >>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> >>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> >>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> >>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> The vote will be open for at least 72 hours i.e. until 2023-04-27 17:00 UTC.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> [ ] +1 approve
> >>>>>>>>>>>>>>> [ ] +0 no opinion
> >>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
> >>>>>>>>>>>
> >>>>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> >>>>>>>>>>> For additional commands, e-mail: dev-h...@solr.apache.org