On Sat, Jun 16, 2012 at 2:45 AM, Christian Mueller <[email protected]> wrote:

> Hi all
>
> I really want to find a solution for this unlucky situation. The core
> developers have the big picture about Geoserver and I do not want to cause
> further problems.
>
> Waiting 4-6 weeks is no problem (I am 46 years old, small time frame for
> me).  I have only one question.
>
> The security code is brand new and introduced in the 2.2.x versions. Let
> us call it version A. The patch removes a lot of problems, let us call it
> version B.
> I think it is important to say that the patch modifies only the brand new
> security code. The idea is to delay major changes like
> http://jira.codehaus.org/browse/GEOS-5155 and  prefixed role names to a
> later release.
>

Unfortunately the security module can't really be viewed as a new part of
code and hence lower risk to modify. It ties in in many places. Startup is
one, a failure in security subsystem startup halts the starting of the
server entirely. It also ties pretty deeply into our persistence layer /
xstream with the encryption there, again making it a possible point of
massive failure.


> I cannot see a reason for using version A instead of version B. Again,
> modifications of B only touch security code, A is new and B is new too.
> Version A may cause a lot of problems for early adopters. I try to see it
> from the perspective of the core developers not involved in the development
> of the security module. (Justin is the exception). The risk is the same,
> why not make a 2.2.0 release with a lot of bug fixes?
>

It's not about the changes in this case, we know they fix some existing
bugs. That said I did have a question about the patch in one of my emails to
you asking for some clarification (the GeoServerSecurityManager part), I
don't think it got answered. Regardless, it's not about that. It is about
drawing a line at some point and calling a release candidate. As Andrea
noted that line has been pushed back for far too long to the point where it
is starting to affect people who have built their core business around
GeoServer. It is my opinion that also the majority of the community thinks
it has been far too long as well.

There is also the issue of the patch lumping together many issues into one.
If it were split up it would be easier to come to the compromise of picking
some changes, the ones that are clearly lower risk, or are trivial changes.
I take some responsibility for this as I have been encouraging you to work
with git on a branch and to organize changes into cohesive commits.

>
> To close this issue, I need a decision of the PSC. I am not frustrated but
> I fear early adopters will be. On the other side, I do not have the big
> picture, please vote.
>

My vote is to go ahead with the release and wait for the changes, for the
above reasons. But also because I myself have fallen to the temptation of
trying to push in last minute changes in the past and have been burned for
it.

>
> Again, I am sorry about the situation
> Christian
>
>
>
>
> 2012/6/15 Andrea Aime <[email protected]>
>
>> On Sat, Jun 16, 2012 at 12:00 AM, Rodrigo Del C. Andrade
>> <[email protected]> wrote:
>> >
>> > Hello, folks.
>> >
>> > I apologize for intruding in something that is above my paygrade, but for
>> > whatever it's worth I will drop my .2c as a user just in case:
>> >
>> > I spent the last week extending the JDBC service to have an alternative that
>> > uses our own databases structure and pass encoding hash algorithms (btw,
>> > thanks for the guidance, it works like a dream! :) ) and the problems
>> > Christian described with the JDBC extension are, if not a complete deal
>> > breaker, frustrating to someone who is not aware of the inner workings of
>> > security subsystem. An average user would have a bad time if he screws up
>> > the configuration the first time.
>> >
>> > Were it not for the root password I would probably have flipped tables way
>> > more often than what I am known for and many times I had to manually edit
>> > the config.xml files because of some inconsistency or other odd things in
>> > the services I was creating.
>>
>> Rodrigo, what we're discussing here is not the opportunity of committing the
>> patches at all, it's obvious that they must go in,
>> but the opportunity to commit them now instead of in 4-6 weeks' time,
>> for a feature that's new and that you're an early adopter of.
>>
>> It is astonishing that someone cannot wait one month for a large amount
>> of changes to land where other contributors had to wait over four months
>> so far to get a release (half of the PSC was ready to release in
>> February, mind),
>> and had to pay consequences because of that.
>>
>> Working in a community is also about balancing the needs of all the
>> contributors, focusing on one particular need and forgetting all the other
>> work that was done is offensive for the people that carried it on and makes
>> it harder to justify contributing as a company, or find reasons to spend a
>> Sunday trying to help out instead of having fun or relax.
>> This of course works both ways, I'm sure Christian is pretty frustrated and
>> wondering why he put all the effort and now he can't close it up for the
>> 2.2.0 release, at the same time the people that wanted to release in February
>> have been frustrated for 4 months now and with the continuous pushes
>> to delay the release to get in this or that it's really getting beyond
>> ridiculous.
>>
>> Cheers
>> Andrea
>>
>> --
>> Ing. Andrea Aime
>> GeoSolutions S.A.S.
>> Tech lead
>>
>> Via Poggio alle Viti 1187
>> 55054  Massarosa (LU)
>> Italy
>>
>> phone: +39 0584 962313
>> fax:      +39 0584 962313
>> mob:    +39 339 8844549
>>
>> http://www.geo-solutions.it
>> http://geo-solutions.blogspot.com/
>> http://www.youtube.com/user/GeoSolutionsIT
>> http://www.linkedin.com/in/andreaaime
>> http://twitter.com/geowolf
>>
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Geoserver-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>
>
>
>
>


-- 
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.