Well, the question is: is this issue a blocker, since really blockers are the
only things that hold up releases? My gut tells me no, since the JDBC
backend is sort of outside of the core and it's a user opt-in. Don't get me
wrong, it's a serious bug, but again, is it a blocker? I think we could probably
come up with a number of ways to muck up the configuration if we really
tried; should they all hold up the release?
Anyways, this is something the PSC will have to vote on, it seems. My
position is that this should not hold up the release. However, if you can
break the patch up into smaller chunks I will be happy to review them
piecewise ASAP and am OK with the ones that we are really, really sure are
low risk.
-Justin
On Fri, Jun 15, 2012 at 11:02 AM, Christian Mueller <[email protected]>wrote:
> Hi Justin
>
> About the disaster: I do not want to talk about wrong error messages; this
> is a minor problem.
>
> 1) Create a role service backed by JDBC. Open the dialog for editing and
> press save without modifications. The password is lost. Reopen the
> configuration dialog and try to repair it. No chance; you will see a stack
> trace.
>
> 2) Try to work with user/group or role services causing an IOException.
> (You can simulate the situation by shutting down the database.) The only
> thing you can see is stack traces.
>
> 3) Create an additional role service and user/group service. Add
> users/groups and roles. Now go to the access control pages (Layer, Services).
> If the role service is not the active one, you will not see your new roles.
>
> There are a lot of such issues. IMHO, the patch is really a hardening of
> the system. Believe me, last week I really tried to set up a security
> infrastructure according to the mails on the user list. The most important
> thing is that we have our "root" user; otherwise I would have given up.
> The patch only tries to fix such kinds of issues and gives us the chance to
> improve the user experience in the next release. And again, beyond finishing
> our agreed role concept, there is nothing new.
>
> My primary target is to have a GeoServer version 2.2.0 with a consistent
> security concept and I am hoping for support of all developers.
>
> Thanks in advance
> Christian
>
> 2012/6/15 Justin Deoliveira <[email protected]>
>
>>
>>
>> On Fri, Jun 15, 2012 at 9:37 AM, Christian Mueller <[email protected]>wrote:
>>
>>> Hi David, Justin, Andrea, ....
>>>
>>> sorry for all these inconveniences. While eliminating the
>>> deprecations I also fixed some bugs. The problem is that within the last
>>> month my work was constantly interrupted (finishing my Master's thesis,
>>> an emergency situation at my customer). Splitting the patch into smaller
>>> chunks is possible, but this will require two days at a minimum.
>>>
>>> At the end of the day, NOT applying the patch will cause more trouble.
>>> I carefully read the mailing lists to get feedback and I resolved all the
>>> problems reported. Again, the only mistake I made was to prepare one big
>>> patch. This will never happen again.
>>>
>>> Summary:
>>> Applying the patch is a risk, of course; nobody is perfect. Not
>>> applying the patch is a disaster. I have seen users on the mailing list
>>> appreciating all these new features. The patch covers issues of IOErrors
>>> (broken JDBC connections) and more. I do not want to go into details here,
>>> but I have 28 years of programming experience and I have a feeling for what
>>> is better and what is not. Not applying the patch is the worst-case
>>> scenario and will cause many troubles in the future.
>>>
>> Can you be more specific about what the disasters will be? Especially in
>> light of the fact that we will be able to push out a release in
>> approximately one month's time after 2.2.0 goes out the door?
>>
>> To present an opposing view, many folks I talk to say that 2.2.0 not being
>> an official release yet is a disaster for them. Since we have waited so
>> long to make it a stable release, people are naturally using it because they
>> need certain key features and bug fixes. But at the same time, since it's not
>> stable, they can't expect the same level of support for it. There has to be
>> a compromise somewhere. And given that I don't hear too many people
>> screaming at this point, I think that compromise is now. For those for whom
>> these issues really are a blocker, I don't think it's unreasonable to ask
>> them to wait another 1-2 months for 2.2.1.
>>
>>> Again, sorry
>>> Christian
>>>
>>> 2012/6/15 Justin Deoliveira <[email protected]>
>>>
>>>> Good point, David. That is certainly one of the issues with the patch,
>>>> in that it lumps a number of changes together. If it were broken up I would
>>>> be fine with saying parts of it could go in and waiting on only smaller
>>>> parts of it.
>>>>
>>>>
>>>> On Fri, Jun 15, 2012 at 8:10 AM, David Winslow <[email protected]>wrote:
>>>>
>>>>> Is it feasible to reduce the size of the patch by including only the
>>>>> consistency fixes, and shipping a GeoServer 2.2 release that knowingly
>>>>> contains UI bugs and uses deprecated (but presumed working) code?
>>>>>
>>>>> --
>>>>> David Winslow
>>>>> OpenGeo - http://opengeo.org/
>>>>>
>>>>> On Fri, Jun 15, 2012 at 9:50 AM, Christian Mueller <[email protected]> wrote:
>>>>>
>>>>>> Hi Andrea,
>>>>>>
>>>>>> Yes, IMHO GSIP 77 will improve the situation. Big +1 for the
>>>>>> proposal. The whole new security system is a monster change and I do not
>>>>>> want to have a GeoServer release with an inconsistent security system.
>>>>>> Let us wait for Justin's opinion; I would vote for your proposal of
>>>>>> having a beta 3.
>>>>>>
>>>>>> Christian
>>>>>>
>>>>>> 2012/6/15 Andrea Aime <[email protected]>
>>>>>>
>>>>>>> On Fri, Jun 15, 2012 at 1:05 PM, Christian Mueller <
>>>>>>> [email protected]> wrote:
>>>>>>> > The question is how to continue, two facts I want to point out
>>>>>>> >
>>>>>>> > - We cannot make a 2.2.0 release without the changes. The system
>>>>>>> > would not work correctly.
>>>>>>> > - My next steps would be to review/complete the security
>>>>>>> > documentation and, during this work, make a next round hardening the code.
>>>>>>> >
>>>>>>> >
>>>>>>> > Opinions ?.
>>>>>>>
>>>>>>> The fact that we still need a 4400+ LOC patch to fix the security
>>>>>>> subsystem tells me whatever we release next week cannot possibly be a
>>>>>>> release candidate, but at best a beta3, especially since you say that
>>>>>>> a next round of hardening is in the plans: nothing bad about it per se,
>>>>>>> but bad that it's needed, since RC means Release Candidate, meaning we
>>>>>>> believe we're done and ask the users to check and eventually tell us
>>>>>>> otherwise.
>>>>>>>
>>>>>>> Hopefully GSIP 77 will bring some sanity into all of this.
>>>>>>>
>>>>>>> Btw, I have no time to review the patch. I can have a look during
>>>>>>> the weekend, but my familiarity with the new authentication system is
>>>>>>> not enough. I'll trust Justin's judgement on it unless my quick review
>>>>>>> really finds some red flag.
>>>>>>>
>>>>>>> Cheers
>>>>>>> Andrea
>>>>>>>
>>>>>>> --
>>>>>>> Ing. Andrea Aime
>>>>>>> GeoSolutions S.A.S.
>>>>>>> Tech lead
>>>>>>>
>>>>>>> Via Poggio alle Viti 1187
>>>>>>> 55054 Massarosa (LU)
>>>>>>> Italy
>>>>>>>
>>>>>>> phone: +39 0584 962313
>>>>>>> fax: +39 0584 962313
>>>>>>> mob: +39 339 8844549
>>>>>>>
>>>>>>> http://www.geo-solutions.it
>>>>>>> http://geo-solutions.blogspot.com/
>>>>>>> http://www.youtube.com/user/GeoSolutionsIT
>>>>>>> http://www.linkedin.com/in/andreaaime
>>>>>>> http://twitter.com/geowolf
>>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Live Security Virtual Conference
>>>>>> Exclusive live event will cover all the ways today's security and
>>>>>> threat landscape has changed and how IT managers can respond.
>>>>>> Discussions
>>>>>> will include endpoint security, mobile security and the latest in
>>>>>> malware
>>>>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>>>>> _______________________________________________
>>>>>> Geoserver-devel mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>
>>>> --
>>>> Justin Deoliveira
>>>> OpenGeo - http://opengeo.org
>>>> Enterprise support for open source geospatial.
>>
>> --
>> Justin Deoliveira
>> OpenGeo - http://opengeo.org
>> Enterprise support for open source geospatial.
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.