I failed to convince the PMC about the severity of the exploits that I was hoping to address in the blocker issues. I don't have the time or patience to pursue those blockers any more. I withdraw my vote (-1) on this release.
On Mon, 1 May 2023 at 02:42, Jan Høydahl <jan....@cominvent.com> wrote:
>
> > Without polluting this thread, I'll just say that this assertion is wrong.
> > If you can demonstrate how someone with full API access, but no write access to disk or ZK, can execute any user code, I'll stand corrected.
>
> Hi Noble/Ishan. I regret using the phrasing "arbitrary plugin code upload" about the config APIs. It was not precise.
>
> I was trying to paraphrase the definition of the "config-edit" permission from memory, but obviously did a poor job :)
> Let me instead quote the ref-guide for the "config-edit" permission:
> https://solr.apache.org/guide/solr/9_2/deployment-guide/rule-based-authorization-plugin.html
>
> > config-edit: ... Because configs can add libraries/custom code from various locations, loading any new code via a trusted SolrConfig is explicitly allowed for users with this permission...
>
> I.e. currently remote streaming can (by design) be enabled by users with config-edit and on systems without auth/z.
> Let's move any further discussion to relevant JIRAs and/or other threads and leave this for voting.
>
> Jan
>
> > On 30 Apr 2023 at 03:20, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >
> >> it is by design to allow full access, even arbitrary plugin code upload, by users with config-edit permission and in unprotected Solr instances.
> >
> > Without polluting this thread, I'll just say that this assertion is wrong.
> > If you can demonstrate how someone with full API access, but no write access to disk or ZK, can execute any user code, I'll stand corrected.
> >
> > I'll write a more detailed reply in a different thread on the measures we have taken to prevent that, let alone allow full access "by design".
> >
> > On Sun, 30 Apr, 2023, 6:32 am Noble Paul, <noble.p...@gmail.com> wrote:
> >
> >> On Sun, Apr 30, 2023, 10:09 AM Jan Høydahl <jan....@cominvent.com> wrote:
> >>
> >>> I maintain my +1 vote, as it is by design to allow full access, even arbitrary plugin code upload, by
> >>
> >> There is no such "design" as you say, Jan. Show me a single feature that can upload and run code without file system or direct ZK access.
> >>
> >>> users with config-edit permission and in unprotected Solr instances.
> >>> I do support discussing new defaults for some of these settings, but that can happen in the open for a future release; no rush, as this is by definition not a bug or vulnerability.
> >>>
> >>> Jan
> >>>
> >>>> On 29 Apr 2023 at 17:54, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>
> >>>> I'm going to proceed with this release as is; we can follow up with an additional release as needed. Voting will close 2023-04-30 at 15:00 UTC.
> >>>>
> >>>> On Sat, Apr 29, 2023 at 10:37 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >>>>
> >>>>> https://issues.apache.org/jira/browse/SOLR-16777 is fixed. I've added it to the release branch.
> >>>>> The other one will require me some more time, maybe another day.
> >>>>> Justin, I believe a re-spin is warranted to accommodate this, but I leave it to your judgement.
> >>>>>
> >>>>> On Sat, 29 Apr 2023 at 12:07, Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >>>>>
> >>>>>> In my opinion, these two are blockers.
> >>>>>>
> >>>>>> https://issues.apache.org/jira/browse/SOLR-16776
> >>>>>> https://issues.apache.org/jira/browse/SOLR-16777
> >>>>>>
> >>>>>> In case we decide not to respin to accommodate these, they should be carried over to a 9.2.2 release.
> >>>>>>
> >>>>>> On Sat, 29 Apr, 2023, 7:54 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
> >>>>>>
> >>>>>>> (FYI, -1 on a release is not a veto. Just a simple vote.)
> >>>>>>>
> >>>>>>> On Sat, 29 Apr, 2023, 6:53 am Ishan Chattopadhyaya, <ichattopadhy...@gmail.com> wrote:
> >>>>>>>
> >>>>>>>> Sure, carry on with this release.
> >>>>>>>>
> >>>>>>>> I vote -1 on this release, and I'll prepare for a follow-on release after this one is done.
> >>>>>>>>
> >>>>>>>> On Sat, 29 Apr, 2023, 2:45 am David Smiley, <dsmi...@apache.org> wrote:
> >>>>>>>>
> >>>>>>>>> I'm going to challenge Ishan and say that there is no change coming that warrants halting a bugfix/patch release, as the proposed change that Ishan speaks of is an "improvement" that helps security and is not a bug/vulnerability being fixed. It would also bring a backwards compatibility change. So please do continue with this long-delayed bugfix release!
> >>>>>>>>>
> >>>>>>>>> ~ David Smiley
> >>>>>>>>> Apache Lucene/Solr Search Developer
> >>>>>>>>> http://www.linkedin.com/in/davidwsmiley
> >>>>>>>>>
> >>>>>>>>> On Fri, Apr 28, 2023 at 3:28 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>
> >>>>>>>>>> It sounds like the general consensus from the thread regarding the issue was that while some changes to make that less risky are worthwhile, they are not blockers for the release. Did that change?
> >>>>>>>>>>
> >>>>>>>>>> I just hate to hold up the release any longer unless we have a truly blocking issue, since there are a number of very worthwhile fixes included here.
> >>>>>>>>>>
> >>>>>>>>>> On Fri, Apr 28, 2023 at 12:46 PM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Hi Justin,
> >>>>>>>>>>> I am testing a patch for a security issue discussed privately within the PMC group. Can you please give me another 24 hours to have it fixed? If not, then I'll be pushing for a 9.2.2 release later, once that is resolved.
> >>>>>>>>>>> Thank you for your understanding.
> >>>>>>>>>>> Regards,
> >>>>>>>>>>> Ishan
> >>>>>>>>>>>
> >>>>>>>>>>> On Fri, 28 Apr 2023 at 22:04, Arrieta, Alejandro <aarri...@perrinsoftware.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> +1
> >>>>>>>>>>>> SUCCESS! [0:29:31.135392]
> >>>>>>>>>>>>
> >>>>>>>>>>>> And ran the Solr operator tests successfully following the instructions:
> >>>>>>>>>>>> Local end-to-end cluster test successfully run!
> >>>>>>>>>>>>
> >>>>>>>>>>>> ubuntu 23.04 amd64 temurin-openjdk11 on virtualbox 7.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Kind Regards,
> >>>>>>>>>>>> Alejandro Arrieta
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, Apr 27, 2023 at 4:23 PM Joel Bernstein <joels...@gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> +1 (binding)
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> SUCCESS! [0:43:48.160659]
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> I tested out the assets as well and they looked fine.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Joel Bernstein
> >>>>>>>>>>>>> http://joelsolr.blogspot.com/
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Thu, Apr 27, 2023 at 1:23 PM Jan Høydahl <jan....@cominvent.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> +1 (binding)
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> SUCCESS! [0:38:44.920838]
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Jan
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On 27 Apr 2023 at 16:12, Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Hi all, we are back on for the vote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> The artifacts can be downloaded from:
> >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> >>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the following command:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> >>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> >>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> >>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> >>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> The vote will be open for at least 72 hours, i.e. until 2023-04-30 15:00 UTC.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> [ ] +1 approve
> >>>>>>>>>>>>>>> [ ] +0 no opinion
> >>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:38 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Yup, let's wait in that case. I didn't realize it would fail, since I had temporarily added my key locally to be able to execute the additional steps. This results in the smoketester passing for me. I'll resend a vote once I'm able to push my key.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:32 PM Houston Putman <hous...@apache.org> wrote:
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Hey Justin,
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Should we wait to run this until after your GPG key is in https://downloads.apache.org/solr/KEYS?
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> The smoketester fails for me because it can't find your key.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> - Houston
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On Mon, Apr 24, 2023 at 12:20 PM Justin Sweeney <justin.sweene...@gmail.com> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Please vote for release candidate 1 for Solr 9.2.1
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> The artifacts can be downloaded from:
> >>>>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> You can run the smoke tester directly with this command:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> python3 -u dev-tools/scripts/smokeTestRelease.py \
> >>>>>>>>>>>>>>>>>> https://dist.apache.org/repos/dist/dev/solr/solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> You can build a release-candidate of the official docker image using the following command:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> DIST_BASE=https://dist.apache.org/repos/dist/dev/solr && \
> >>>>>>>>>>>>>>>>>> RC_FOLDER=solr-9.2.1-RC1-rev-a4c64ab6a2a270ca69c28c706dabb2927ed8a7c2 && \
> >>>>>>>>>>>>>>>>>> docker build $DIST_BASE/$RC_FOLDER/solr/docker/Dockerfile.official \
> >>>>>>>>>>>>>>>>>> --build-arg SOLR_DOWNLOAD_URL=$DIST_BASE/$RC_FOLDER/solr/solr-9.2.1.tgz \
> >>>>>>>>>>>>>>>>>> -t solr-rc:9.2.1-1
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> The vote will be open for at least 72 hours, i.e. until 2023-04-27 17:00 UTC.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> [ ] +1 approve
> >>>>>>>>>>>>>>>>>> [ ] +0 no opinion
> >>>>>>>>>>>>>>>>>> [ ] -1 disapprove (and reason why)
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>>>>>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@solr.apache.org
> >>>>>>>>>>>>>>>>>> For additional commands, e-mail: dev-h...@solr.apache.org