Re: CouchDB 1.7.0 Roadmap

[Giovanni Lenzi]

Hi Johs,

Yes, I confirm that proxy feature is already working for us.

--Giovanni

2015-11-13 8:29 GMT+01:00 Johs Ensby :

> Giovanni,
> you said earlier in a conversation about proxy
>
> > On 21. okt. 2015, at 17.23, Giovanni Lenzi  > wrote:
> > I think CouchDB already has a forward proxy feature for #1 use case (
> http://docs.couchdb.org/en/1.6.1/config/proxying.html <
> http://docs.couchdb.org/en/1.6.1/config/proxying.html>)
> > At Smileupps we use this proxying feature to give hoodie access through
> the same couchdb instance host and port.
>
> I never managed set this up, is working as describes in 1.6.1 docs and
> thus not nessecary to put on the 1.7.0 wish list to Alex?
>
> Johs
>
>
>

Re: CouchDB 1.7.0 Roadmap

[Oskar Maria Grande]

Hi awesome CouchDB folks,

my friend Peter and I would very much enjoy evaluating the mentioned auth 
topics, JWT is especially intriguing to us.

> May be we can also include else experimental features, like JWT and/or
> Delegated auth. Personally, I would like to see them, but it's all up
> to you Klaus and Jan (;

Peter is studying at Stockholm University and we hope to be able to use an 
interesting (security as well as Erlang related) topic for his thesis and maybe 
to work on together in general :)

Suffice to say we’ve both been huge CouchDB fans and this would mean quite a 
lot to us in terms of finally getting our hands dirty with Couch internals!

Any personal 2c would be very much welcome!

Thanks and cheers from Vienna,

Oskar & Peter

# Oskar Maria Grande | @musha68k
# http://daruma.io
# +43 676 955 3646

> On 12 Nov 2015, at 16:05, Alexander Shorin  wrote:
> 
> Dear CouchDB team,
> 
> While we're all working on 2.0 is in progress, I fear that we'll end
> this year without a single release. Technically, there is only one
> month left till 2016 excluding holidays, but let's be honest - that's
> not enough for 2.0. So I propose the plan for 1.7 release to not end
> this year with empty list.
> 
> There are a couple of important changes that we have for it and users
> are waiting for. Primary is the Erlang 18 compatibility, but not only.
> 
> What we already have on 1.x.x branch:
> 
> - COUCHDB-1011: replicate by document ids from futon
> - COUCHDB-1275: decode database names in recent used list
> - COUCHDB-2225 Enforce that shared libraries can be built by the system
> - COUCHDB-2430: Disable Nagle's algorithm
> - COUCHDB-2583: fix connection dropping by the resources which doesn't
> require any payload
> - COUCHDB-2761: Support glibc >= 2.20
> - COUCHDB-2783: Bind both to IPv4 and IPv6
> - Futon: Fixed potential XSS issue in jquery.ui
> - jquery.couch: Fixed document copying
> - sslv3 support is deprecated
> - Support for user configurable SSL ciphers
> - Multiple minor documentation fixes
> - Support Erlang 18
> 
> What we can backport without worry:
> 
> - COUCHDB-1356: Return username on POST to /_session
> - COUCHDB-1447: X-Couch-* headers missed if custom headers were returned
> - COUCHDB-1964: eunit test suite
> - COUCHDB-2310: /db/_bulk_get
> - COUCHDB-2375: Respond with HTTP 400 Bad Request on invalid revision number
> - COUCHDB-2534: db security should respect authed users
> - COUCHDB-2732: Use thread local storage for couch_ejson_compare NIF
> - COUCHDB-2752: Validate Host header
> - COUCHDB-2873: Update snappy to 1.1.3
> - Multiple improvements that we have for replicator
> 
> What I would like to add:
> 
> - COUCHDB-2722: Keys from rewrited query params should be blank when
> not specified in the URI
> - COUCHDB-2874: Rewrites via query server
> - COUCHDB-2877: Return nicer error for bad Authorization header
> - Deprecation of /_log
> - Deprecation of OAuth auth
> - Enable CORS by default:
> https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup
> - Remove Fauxton - AFAIK, it supports 1.x no more and current version
> in 1.x.x branch is heavily outdated.
> - Mark this release as LTS with short (really) cycle of bug fixes ship
> 
> Questionalbe:
> - Add systemd notification support.
> 
> May be we can also include else experimental features, like JWT and/or
> Delegated auth. Personally, I would like to see them, but it's all up
> to you Klaus and Jan (;
> 
> But even without these experimental features, we have quite long list
> of changes to ship.
> 
> The plan is simple: for November get all from backport and add lists
> into 1.x.x branch and ship 1.7 in first half of December. Quite good
> Christmas Eve present for everyone. Personal deadlines 30th November
> and 20th December respectively.
> 
> Since "everyone is busy on 2.0" I'll take care of this.
> 
> P.S. If someone has else important bugfixes on mind to include, please
> drop a notice. For 2.0 we have ETOOMANY useful changes, but I would
> like to stop only on really important ones. Like replicator ones as I
> mentioned.
> 
> --
> ,,,^..^,,,
> 

Re: CouchDB 1.7.0 Roadmap

[Johs Ensby]

Giovanni,
you said earlier in a conversation about proxy

> On 21. okt. 2015, at 17.23, Giovanni Lenzi  > wrote:
> I think CouchDB already has a forward proxy feature for #1 use case 
> (http://docs.couchdb.org/en/1.6.1/config/proxying.html 
> )
> At Smileupps we use this proxying feature to give hoodie access through the 
> same couchdb instance host and port. 

I never managed set this up, is working as describes in 1.6.1 docs and thus not 
nessecary to put on the 1.7.0 wish list to Alex?

Johs

Re: CouchDB 1.7.0 Roadmap

[Giovanni Lenzi]

Ooppss, sent to public ML. Sorry for the partial off-topic. You can reply
privately if you want.

Thanks

--Giovanni

2015-11-12 16:54 GMT+01:00 Giovanni Lenzi :

> Hi Alexander,
>
> I'm writing you privately because I don't want the main thread to go
> off-topic
>
> Thanks for your roadmap to 1.7.0.. seems very very juicy!
>
> About the "COUCHDB-2752: Validate Host header" in your list. As
> documented here (https://issues.apache.org/jira/browse/COUCHDB-2752), to
> me it seems that flag can perfectly be used in the proposed way here:
> http://couchdb.markmail.org/message/q2623pzw7lt73lcg?q=CouchDB+secure+even+withouth+a+proxy
>
> Do you confirm?
>
>
> --Giovanni
>
> 2015-11-12 16:05 GMT+01:00 Alexander Shorin :
>
>> Dear CouchDB team,
>>
>> While we're all working on 2.0 is in progress, I fear that we'll end
>> this year without a single release. Technically, there is only one
>> month left till 2016 excluding holidays, but let's be honest - that's
>> not enough for 2.0. So I propose the plan for 1.7 release to not end
>> this year with empty list.
>>
>> There are a couple of important changes that we have for it and users
>> are waiting for. Primary is the Erlang 18 compatibility, but not only.
>>
>> What we already have on 1.x.x branch:
>>
>> - COUCHDB-1011: replicate by document ids from futon
>> - COUCHDB-1275: decode database names in recent used list
>> - COUCHDB-2225 Enforce that shared libraries can be built by the system
>> - COUCHDB-2430: Disable Nagle's algorithm
>> - COUCHDB-2583: fix connection dropping by the resources which doesn't
>> require any payload
>> - COUCHDB-2761: Support glibc >= 2.20
>> - COUCHDB-2783: Bind both to IPv4 and IPv6
>> - Futon: Fixed potential XSS issue in jquery.ui
>> - jquery.couch: Fixed document copying
>> - sslv3 support is deprecated
>> - Support for user configurable SSL ciphers
>> - Multiple minor documentation fixes
>> - Support Erlang 18
>>
>> What we can backport without worry:
>>
>> - COUCHDB-1356: Return username on POST to /_session
>> - COUCHDB-1447: X-Couch-* headers missed if custom headers were returned
>> - COUCHDB-1964: eunit test suite
>> - COUCHDB-2310: /db/_bulk_get
>> - COUCHDB-2375: Respond with HTTP 400 Bad Request on invalid revision
>> number
>> - COUCHDB-2534: db security should respect authed users
>> - COUCHDB-2732: Use thread local storage for couch_ejson_compare NIF
>> - COUCHDB-2752: Validate Host header
>> - COUCHDB-2873: Update snappy to 1.1.3
>> - Multiple improvements that we have for replicator
>>
>> What I would like to add:
>>
>> - COUCHDB-2722: Keys from rewrited query params should be blank when
>> not specified in the URI
>> - COUCHDB-2874: Rewrites via query server
>> - COUCHDB-2877: Return nicer error for bad Authorization header
>> - Deprecation of /_log
>> - Deprecation of OAuth auth
>> - Enable CORS by default:
>> https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup
>> - Remove Fauxton - AFAIK, it supports 1.x no more and current version
>> in 1.x.x branch is heavily outdated.
>> - Mark this release as LTS with short (really) cycle of bug fixes ship
>>
>> Questionalbe:
>> - Add systemd notification support.
>>
>> May be we can also include else experimental features, like JWT and/or
>> Delegated auth. Personally, I would like to see them, but it's all up
>> to you Klaus and Jan (;
>>
>> But even without these experimental features, we have quite long list
>> of changes to ship.
>>
>> The plan is simple: for November get all from backport and add lists
>> into 1.x.x branch and ship 1.7 in first half of December. Quite good
>> Christmas Eve present for everyone. Personal deadlines 30th November
>> and 20th December respectively.
>>
>> Since "everyone is busy on 2.0" I'll take care of this.
>>
>> P.S. If someone has else important bugfixes on mind to include, please
>> drop a notice. For 2.0 we have ETOOMANY useful changes, but I would
>> like to stop only on really important ones. Like replicator ones as I
>> mentioned.
>>
>> --
>> ,,,^..^,,,
>>
>
>

Re: CouchDB 1.7.0 Roadmap

[Alexander Shorin]

On Thu, Nov 12, 2015 at 6:54 PM, Giovanni Lenzi  wrote:
> I'm writing you privately because I don't want the main thread to go
> off-topic

Well, no (:

> Thanks for your roadmap to 1.7.0.. seems very very juicy!
>
> About the "COUCHDB-2752: Validate Host header" in your list. As documented
> here (https://issues.apache.org/jira/browse/COUCHDB-2752), to me it seems
> that flag can perfectly be used in the proposed way here:
> http://couchdb.markmail.org/message/q2623pzw7lt73lcg?q=CouchDB+secure+even+withouth+a+proxy
>
> Do you confirm?

After quick look, it seems so.

--
,,,^..^,,,

CouchDB 1.7.0 Roadmap

[Alexander Shorin]

Dear CouchDB team,

While we're all working on 2.0 is in progress, I fear that we'll end
this year without a single release. Technically, there is only one
month left till 2016 excluding holidays, but let's be honest - that's
not enough for 2.0. So I propose the plan for 1.7 release to not end
this year with empty list.

There are a couple of important changes that we have for it and users
are waiting for. Primary is the Erlang 18 compatibility, but not only.

What we already have on 1.x.x branch:

- COUCHDB-1011: replicate by document ids from futon
- COUCHDB-1275: decode database names in recent used list
- COUCHDB-2225 Enforce that shared libraries can be built by the system
- COUCHDB-2430: Disable Nagle's algorithm
- COUCHDB-2583: fix connection dropping by the resources which doesn't
require any payload
- COUCHDB-2761: Support glibc >= 2.20
- COUCHDB-2783: Bind both to IPv4 and IPv6
- Futon: Fixed potential XSS issue in jquery.ui
- jquery.couch: Fixed document copying
- sslv3 support is deprecated
- Support for user configurable SSL ciphers
- Multiple minor documentation fixes
- Support Erlang 18

What we can backport without worry:

- COUCHDB-1356: Return username on POST to /_session
- COUCHDB-1447: X-Couch-* headers missed if custom headers were returned
- COUCHDB-1964: eunit test suite
- COUCHDB-2310: /db/_bulk_get
- COUCHDB-2375: Respond with HTTP 400 Bad Request on invalid revision number
- COUCHDB-2534: db security should respect authed users
- COUCHDB-2732: Use thread local storage for couch_ejson_compare NIF
- COUCHDB-2752: Validate Host header
- COUCHDB-2873: Update snappy to 1.1.3
- Multiple improvements that we have for replicator

What I would like to add:

- COUCHDB-2722: Keys from rewrited query params should be blank when
not specified in the URI
- COUCHDB-2874: Rewrites via query server
- COUCHDB-2877: Return nicer error for bad Authorization header
- Deprecation of /_log
- Deprecation of OAuth auth
- Enable CORS by default:
https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup
- Remove Fauxton - AFAIK, it supports 1.x no more and current version
in 1.x.x branch is heavily outdated.
- Mark this release as LTS with short (really) cycle of bug fixes ship

Questionalbe:
- Add systemd notification support.

May be we can also include else experimental features, like JWT and/or
Delegated auth. Personally, I would like to see them, but it's all up
to you Klaus and Jan (;

But even without these experimental features, we have quite long list
of changes to ship.

The plan is simple: for November get all from backport and add lists
into 1.x.x branch and ship 1.7 in first half of December. Quite good
Christmas Eve present for everyone. Personal deadlines 30th November
and 20th December respectively.

Since "everyone is busy on 2.0" I'll take care of this.

P.S. If someone has else important bugfixes on mind to include, please
drop a notice. For 2.0 we have ETOOMANY useful changes, but I would
like to stop only on really important ones. Like replicator ones as I
mentioned.

--
,,,^..^,,,

Re: CouchDB 1.7.0 Roadmap

[Giovanni Lenzi]

Hi Alexander,

I'm writing you privately because I don't want the main thread to go
off-topic

Thanks for your roadmap to 1.7.0.. seems very very juicy!

About the "COUCHDB-2752: Validate Host header" in your list. As documented
here (https://issues.apache.org/jira/browse/COUCHDB-2752), to me it seems
that flag can perfectly be used in the proposed way here:
http://couchdb.markmail.org/message/q2623pzw7lt73lcg?q=CouchDB+secure+even+withouth+a+proxy

Do you confirm?


--Giovanni

2015-11-12 16:05 GMT+01:00 Alexander Shorin :

> Dear CouchDB team,
>
> While we're all working on 2.0 is in progress, I fear that we'll end
> this year without a single release. Technically, there is only one
> month left till 2016 excluding holidays, but let's be honest - that's
> not enough for 2.0. So I propose the plan for 1.7 release to not end
> this year with empty list.
>
> There are a couple of important changes that we have for it and users
> are waiting for. Primary is the Erlang 18 compatibility, but not only.
>
> What we already have on 1.x.x branch:
>
> - COUCHDB-1011: replicate by document ids from futon
> - COUCHDB-1275: decode database names in recent used list
> - COUCHDB-2225 Enforce that shared libraries can be built by the system
> - COUCHDB-2430: Disable Nagle's algorithm
> - COUCHDB-2583: fix connection dropping by the resources which doesn't
> require any payload
> - COUCHDB-2761: Support glibc >= 2.20
> - COUCHDB-2783: Bind both to IPv4 and IPv6
> - Futon: Fixed potential XSS issue in jquery.ui
> - jquery.couch: Fixed document copying
> - sslv3 support is deprecated
> - Support for user configurable SSL ciphers
> - Multiple minor documentation fixes
> - Support Erlang 18
>
> What we can backport without worry:
>
> - COUCHDB-1356: Return username on POST to /_session
> - COUCHDB-1447: X-Couch-* headers missed if custom headers were returned
> - COUCHDB-1964: eunit test suite
> - COUCHDB-2310: /db/_bulk_get
> - COUCHDB-2375: Respond with HTTP 400 Bad Request on invalid revision
> number
> - COUCHDB-2534: db security should respect authed users
> - COUCHDB-2732: Use thread local storage for couch_ejson_compare NIF
> - COUCHDB-2752: Validate Host header
> - COUCHDB-2873: Update snappy to 1.1.3
> - Multiple improvements that we have for replicator
>
> What I would like to add:
>
> - COUCHDB-2722: Keys from rewrited query params should be blank when
> not specified in the URI
> - COUCHDB-2874: Rewrites via query server
> - COUCHDB-2877: Return nicer error for bad Authorization header
> - Deprecation of /_log
> - Deprecation of OAuth auth
> - Enable CORS by default:
> https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup
> - Remove Fauxton - AFAIK, it supports 1.x no more and current version
> in 1.x.x branch is heavily outdated.
> - Mark this release as LTS with short (really) cycle of bug fixes ship
>
> Questionalbe:
> - Add systemd notification support.
>
> May be we can also include else experimental features, like JWT and/or
> Delegated auth. Personally, I would like to see them, but it's all up
> to you Klaus and Jan (;
>
> But even without these experimental features, we have quite long list
> of changes to ship.
>
> The plan is simple: for November get all from backport and add lists
> into 1.x.x branch and ship 1.7 in first half of December. Quite good
> Christmas Eve present for everyone. Personal deadlines 30th November
> and 20th December respectively.
>
> Since "everyone is busy on 2.0" I'll take care of this.
>
> P.S. If someone has else important bugfixes on mind to include, please
> drop a notice. For 2.0 we have ETOOMANY useful changes, but I would
> like to stop only on really important ones. Like replicator ones as I
> mentioned.
>
> --
> ,,,^..^,,,
>

Re: CouchDB 1.7.0 Roadmap

[Alexander Shorin]

On Thu, Nov 12, 2015 at 7:20 PM, Tomas Novysedlak
 wrote:
>
>   Just a quick one. How about long promised
> https://issues.apache.org/jira/browse/COUCHDB-1415 ?

I'll take a look, but no promises. I'm also not quite sure which exact
changes fixed this for 2.0 and will it be safe to backport them.

--
,,,^..^,,,

Re: CouchDB 1.7.0 Roadmap

[Tomas Novysedlak]

Hi Alexander,

  Just a quick one. How about long promised
https://issues.apache.org/jira/browse/COUCHDB-1415 ?

Thank you,
  Tomas


On Thu, Nov 12, 2015 at 4:05 PM, Alexander Shorin  wrote:

> Dear CouchDB team,
>
> While we're all working on 2.0 is in progress, I fear that we'll end
> this year without a single release. Technically, there is only one
> month left till 2016 excluding holidays, but let's be honest - that's
> not enough for 2.0. So I propose the plan for 1.7 release to not end
> this year with empty list.
>
> There are a couple of important changes that we have for it and users
> are waiting for. Primary is the Erlang 18 compatibility, but not only.
>
> What we already have on 1.x.x branch:
>
> - COUCHDB-1011: replicate by document ids from futon
> - COUCHDB-1275: decode database names in recent used list
> - COUCHDB-2225 Enforce that shared libraries can be built by the system
> - COUCHDB-2430: Disable Nagle's algorithm
> - COUCHDB-2583: fix connection dropping by the resources which doesn't
> require any payload
> - COUCHDB-2761: Support glibc >= 2.20
> - COUCHDB-2783: Bind both to IPv4 and IPv6
> - Futon: Fixed potential XSS issue in jquery.ui
> - jquery.couch: Fixed document copying
> - sslv3 support is deprecated
> - Support for user configurable SSL ciphers
> - Multiple minor documentation fixes
> - Support Erlang 18
>
> What we can backport without worry:
>
> - COUCHDB-1356: Return username on POST to /_session
> - COUCHDB-1447: X-Couch-* headers missed if custom headers were returned
> - COUCHDB-1964: eunit test suite
> - COUCHDB-2310: /db/_bulk_get
> - COUCHDB-2375: Respond with HTTP 400 Bad Request on invalid revision
> number
> - COUCHDB-2534: db security should respect authed users
> - COUCHDB-2732: Use thread local storage for couch_ejson_compare NIF
> - COUCHDB-2752: Validate Host header
> - COUCHDB-2873: Update snappy to 1.1.3
> - Multiple improvements that we have for replicator
>
> What I would like to add:
>
> - COUCHDB-2722: Keys from rewrited query params should be blank when
> not specified in the URI
> - COUCHDB-2874: Rewrites via query server
> - COUCHDB-2877: Return nicer error for bad Authorization header
> - Deprecation of /_log
> - Deprecation of OAuth auth
> - Enable CORS by default:
> https://fetch.spec.whatwg.org/#basic-safe-cors-protocol-setup
> - Remove Fauxton - AFAIK, it supports 1.x no more and current version
> in 1.x.x branch is heavily outdated.
> - Mark this release as LTS with short (really) cycle of bug fixes ship
>
> Questionalbe:
> - Add systemd notification support.
>
> May be we can also include else experimental features, like JWT and/or
> Delegated auth. Personally, I would like to see them, but it's all up
> to you Klaus and Jan (;
>
> But even without these experimental features, we have quite long list
> of changes to ship.
>
> The plan is simple: for November get all from backport and add lists
> into 1.x.x branch and ship 1.7 in first half of December. Quite good
> Christmas Eve present for everyone. Personal deadlines 30th November
> and 20th December respectively.
>
> Since "everyone is busy on 2.0" I'll take care of this.
>
> P.S. If someone has else important bugfixes on mind to include, please
> drop a notice. For 2.0 we have ETOOMANY useful changes, but I would
> like to stop only on really important ones. Like replicator ones as I
> mentioned.
>
> --
> ,,,^..^,,,
>