VOTE: Take Security seriously or my resignation.

2016-01-06 Thread Peter Firmstone 
Option 1.  I propose that we take security seriously, no security patches are 
to be rejected prior to review, that we review and analyse them properly based 
on merit. That discussions about security issues be taken seriously.

Option 2.  Alternatively I resign my River committer status

Please cast your vote, the vote is open for 7 days.

Let the community decide.

Regards,

Peter

Sent from my Samsung device.
 

Re: VOTE: Take Security seriously or my resignation.

2016-01-06 Thread Patricia Shanahan 

Please, please cancel this.

We do need to have a serious discussion of River future direction. I
expect that discussion to take a lot longer than a week, and hope it
will involve as many users and potential users of River as possible. For
example, we may need to canvas other project mailing lists to find out
whether a River with specific changes would be useful to them.

It will certainly take me more than a week to study the subject, and the
various opinions about it, sufficiently to be prepared to vote.

I feel, very strongly, that we need to get River 3.0 out the door ASAP.
Even with enough time for proper study, holding the River future
discussion first will inevitably distract from that objective and delay
the release. I thought that was also the PMC consensus.

My preferred plan is get existing changes out as River 3.0 first, then
discussion and study, then vote on future direction. I am sorely tempted
to resign if this premature vote goes ahead, regardless of the outcome,
but will not because I don't think such threats are an appropriate way
of influencing PMC votes.

Patricia

On 1/6/2016 4:21 AM, Peter Firmstone wrote:

Option 1.  I propose that we take security seriously, no security patches are 
to be rejected prior to review, that we review and analyse them properly based 
on merit. That discussions about security issues be taken seriously.

Option 2.  Alternatively I resign my River committer status

Please cast your vote, the vote is open for 7 days.

Let the community decide.

Regards,

Peter

Sent from my Samsung device.

Re: VOTE: Take Security seriously or my resignation.

2016-01-06 Thread James Hurley 

+1

-Jim

On Jan 06, 2016, at 10:13 AM, Patricia Shanahan  wrote:
Please, please cancel this.

We do need to have a serious discussion of River future direction. I
expect that discussion to take a lot longer than a week, and hope it
will involve as many users and potential users of River as possible. For
example, we may need to canvas other project mailing lists to find out
whether a River with specific changes would be useful to them.

It will certainly take me more than a week to study the subject, and the
various opinions about it, sufficiently to be prepared to vote.

I feel, very strongly, that we need to get River 3.0 out the door ASAP.
Even with enough time for proper study, holding the River future
discussion first will inevitably distract from that objective and delay
the release. I thought that was also the PMC consensus.

My preferred plan is get existing changes out as River 3.0 first, then
discussion and study, then vote on future direction. I am sorely tempted
to resign if this premature vote goes ahead, regardless of the outcome,
but will not because I don't think such threats are an appropriate way
of influencing PMC votes.

Patricia

On 1/6/2016 4:21 AM, Peter Firmstone wrote:
Option 1. I propose that we take security seriously, no security patches are to 
be rejected prior to review, that we review and analyse them properly based on 
merit. That discussions about security issues be taken seriously.

Option 2. Alternatively I resign my River committer status

Please cast your vote, the vote is open for 7 days.

Let the community decide.

Regards,

Peter

Sent from my Samsung device.

Re: Release 3.0, package rename and ServiceProxyAccessor

2016-01-06 Thread Simon IJskes - QCG 

On 06-01-16 18:49, Simon IJskes - QCG wrote:

On 06-01-16 13:38, Peter wrote:

Your security analysis is too narrow, your thinking like a user, not
an attacker.

An attacker is not going to send you a proxy to load into a standalone
Classloader.  She has the choice of the entire classpath, not you and
not River, that's right it's the senders choice, not the receivers.

She's looking for vulnerable classes on your classpath.
ObjectInputStream will load the attackers instructions. There's no
protection domain on the  stack representing the attacker, the
attacker is looking to deserialize into privileged context, the
attacker wants AllPermission.  This all occurs before your remote
method call even returns.  Once the the attacker has privileges, she
can create her own URLClassLoader grant AllPermission to her
downloaded code, install her own security manager.


https://cwe.mitre.org/data/definitions/502.html


https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=27492407

Has a number of secure coding recomendations.

G.

--
QCG, Software development, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: Release 3.0, package rename and ServiceProxyAccessor

2016-01-06 Thread Simon IJskes - QCG 

On 06-01-16 13:38, Peter wrote:

Your security analysis is too narrow, your thinking like a user, not an 
attacker.

An attacker is not going to send you a proxy to load into a standalone 
Classloader.  She has the choice of the entire classpath, not you and not 
River, that's right it's the senders choice, not the receivers.

She's looking for vulnerable classes on your classpath.  ObjectInputStream will 
load the attackers instructions. There's no protection domain on the  stack 
representing the attacker, the attacker is looking to deserialize into 
privileged context, the attacker wants AllPermission.  This all occurs before 
your remote method call even returns.  Once the the attacker has privileges, 
she can create her own URLClassLoader grant AllPermission to her downloaded 
code, install her own security manager.


https://cwe.mitre.org/data/definitions/502.html


--
QCG, Software development, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Kvk Den Haag: 28088397

Re: VOTE: Take Security seriously or my resignation.

2016-01-06 Thread Greg Trasuk 
Hi Jim:

Good to see you back here!

Cheers,

Greg Trasuk
> On Jan 6, 2016, at 10:31 AM, James Hurley  wrote:
> 
> +1
> 
> -Jim
> 
> On Jan 06, 2016, at 10:13 AM, Patricia Shanahan  wrote:
>> Please, please cancel this.
>> 
>> We do need to have a serious discussion of River future direction. I
>> expect that discussion to take a lot longer than a week, and hope it
>> will involve as many users and potential users of River as possible. For
>> example, we may need to canvas other project mailing lists to find out
>> whether a River with specific changes would be useful to them.
>> 
>> It will certainly take me more than a week to study the subject, and the
>> various opinions about it, sufficiently to be prepared to vote.
>> 
>> I feel, very strongly, that we need to get River 3.0 out the door ASAP.
>> Even with enough time for proper study, holding the River future
>> discussion first will inevitably distract from that objective and delay
>> the release. I thought that was also the PMC consensus.
>> 
>> My preferred plan is get existing changes out as River 3.0 first, then
>> discussion and study, then vote on future direction. I am sorely tempted
>> to resign if this premature vote goes ahead, regardless of the outcome,
>> but will not because I don't think such threats are an appropriate way
>> of influencing PMC votes.
>> 
>> Patricia
>> 
>> On 1/6/2016 4:21 AM, Peter Firmstone wrote:
>>> Option 1. I propose that we take security seriously, no security patches 
>>> are to be rejected prior to review, that we review and analyse them 
>>> properly based on merit. That discussions about security issues be taken 
>>> seriously.
>>> 
>>> Option 2. Alternatively I resign my River committer status
>>> 
>>> Please cast your vote, the vote is open for 7 days.
>>> 
>>> Let the community decide.
>>> 
>>> Regards,
>>> 
>>> Peter
>>> 
>>> Sent from my Samsung device.
>>> 
>>>

Re: VOTE: Take Security seriously or my resignation.

2016-01-06 Thread Bryan Thompson 
Peter,

I think that there might be a consensus for publishing 3.0 and then
considering security patches against it.

Bryan


Bryan Thompson
Chief Scientist & Founder
SYSTAP, LLC
4501 Tower Road
Greensboro, NC 27410
br...@systap.com
http://blazegraph.com
http://blog.blazegraph.com

Blazegraph™  is our ultra high-performance
graph database that supports both RDF/SPARQL and Tinkerpop/Blueprints
APIs.  Blazegraph is now available with GPU acceleration using our disruptive
technology to accelerate data-parallel graph analytics and graph query.

CONFIDENTIALITY NOTICE:  This email and its contents and attachments are
for the sole use of the intended recipient(s) and are confidential or
proprietary to SYSTAP. Any unauthorized review, use, disclosure,
dissemination or copying of this email or its contents or attachments is
prohibited. If you have received this communication in error, please notify
the sender by reply email and permanently delete all copies of the email
and its contents and attachments.

On Wed, Jan 6, 2016 at 10:31 AM, James Hurley  wrote:

> +1
>
> -Jim
>
> On Jan 06, 2016, at 10:13 AM, Patricia Shanahan  wrote:
>
> Please, please cancel this.
>
> We do need to have a serious discussion of River future direction. I
> expect that discussion to take a lot longer than a week, and hope it
> will involve as many users and potential users of River as possible. For
> example, we may need to canvas other project mailing lists to find out
> whether a River with specific changes would be useful to them.
>
> It will certainly take me more than a week to study the subject, and the
> various opinions about it, sufficiently to be prepared to vote.
>
> I feel, very strongly, that we need to get River 3.0 out the door ASAP.
> Even with enough time for proper study, holding the River future
> discussion first will inevitably distract from that objective and delay
> the release. I thought that was also the PMC consensus.
>
> My preferred plan is get existing changes out as River 3.0 first, then
> discussion and study, then vote on future direction. I am sorely tempted
> to resign if this premature vote goes ahead, regardless of the outcome,
> but will not because I don't think such threats are an appropriate way
> of influencing PMC votes.
>
> Patricia
>
> On 1/6/2016 4:21 AM, Peter Firmstone wrote:
>
> Option 1. I propose that we take security seriously, no security patches
> are to be rejected prior to review, that we review and analyse them
> properly based on merit. That discussions about security issues be taken
> seriously.
>
>
> Option 2. Alternatively I resign my River committer status
>
>
> Please cast your vote, the vote is open for 7 days.
>
>
> Let the community decide.
>
>
> Regards,
>
>
> Peter
>
>
> Sent from my Samsung device.
>
>
>
>

Cancelled. Re: VOTE: Take Security seriously or my resignation.

2016-01-06 Thread Peter 
Vote withdrawn.

Peter.

Sent from my Samsung device.
 
  Include original message
 Original message 
From: Patricia Shanahan 
Sent: 07/01/2016 01:13:23 am
To: dev@river.apache.org
Subject: Re: VOTE: Take Security seriously or my resignation.

Please, please cancel this. 

We do need to have a serious discussion of River future direction. I 
expect that discussion to take a lot longer than a week, and hope it 
will involve as many users and potential users of River as possible. For 
example, we may need to canvas other project mailing lists to find out 
whether a River with specific changes would be useful to them. 

It will certainly take me more than a week to study the subject, and the 
various opinions about it, sufficiently to be prepared to vote. 

I feel, very strongly, that we need to get River 3.0 out the door ASAP 
Even with enough time for proper study, holding the River future 
discussion first will inevitably distract from that objective and delay 
the release. I thought that was also the PMC consensus. 

My preferred plan is get existing changes out as River 3.0 first, then 
discussion and study, then vote on future direction. I am sorely tempted 
to resign if this premature vote goes ahead, regardless of the outcome, 
but will not because I don't think such threats are an appropriate way 
of influencing PMC votes. 

Patricia 

On 1/6/2016 4:21 AM, Peter Firmstone wrote: 
> Option 1.  I propose that we take security seriously, no security patches are 
>to be rejected prior to review, that we review and analyse them properly based 
>on merit. That discussions about security issues be taken seriously. 
> 
> Option 2.  Alternatively I resign my River committer status 
> 
> Please cast your vote, the vote is open for 7 days. 
> 
> Let the community decide. 
> 
> Regards, 
> 
> Peter 
> 
> Sent from my Samsung device. 
> 
>