Jira (PUP-10714) remove "master_used" report parameter in puppet 7
Title: Message Title Scott Cyprus commented on PUP-10714 Re: remove "master_used" report parameter in puppet 7 Josh Cooper By only putting the deprecation notice in the release documentation (and not within a warning emitted during puppet runs), it forces build maintainers to look in two places instead of one. Is it fair to expect deprecation notices to be displayed as warnings during puppet runs, as opposed to finding out that it just doesn't work anymore and having to dig through release documentation to validate that? Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.374886.1602655032000.34029.1621259700026%40Atlassian.JIRA.
Jira (PUP-10627) write public information to puppet_dir/public
Title: Message Title Scott Cyprus commented on PUP-10627 Re: write public information to puppet_dir/public R.I.Pienaar > The ability to control file modes in config files is known by very few people ime based on chat history etc I hate to sound like an elitist jerk, but why should other people's ignorance dictate how a product is secured by default? It begs the question, how far are we willing to go to accomodate the weakest link? If someone doesn't understand how groups work, then in my opinion they shouldn't be anywhere near puppet code that will presumably be run on many systems. Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.369665.1597829487000.34006.1621257900031%40Atlassian.JIRA.
Jira (PUP-10627) write public information to puppet_dir/public
Title: Message Title Scott Cyprus commented on PUP-10627 Re: write public information to puppet_dir/public Josh Cooper Thanks for the quick response. I did see that the original 644 change was caught and changed to 640, which is fine. I was more concerned about the original 644 permission. Fair point about the version being accessible elsewhere, although some of the other info in the file such as failed runs and last_run is a bit sensitive as well. Honestly, I was less concerned about the somewhat-sensitive information in the file, and more concerned with the permissions that the file was given. It's just a bad look, you know? It made me wonder, "What else on my system has similar permissions that I didn't happen to read about in the change logs?" Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.369665.1597829487000.33677.1621036560024%40Atlassian.JIRA.
Jira (PUP-10714) remove "master_used" report parameter in puppet 7
Title: Message Title Scott Cyprus commented on PUP-10714 Re: remove "master_used" report parameter in puppet 7 The new terminology "server_used" was marked as resolved on 2020/10/13, and the old terminology "master_used" was completely removed (without deprecation notice) on 2020/10/26. It was mention that you don't think the variable is used anywhere in the product, but what about the humans who read documentation that's still on the internet who do expect that variable to work (maybe somebody wrote a blog post because it actually did work for 13 days)? Do you see how things like this erode trust in the puppet ecosystem? Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.374886.1602655032000.33596.1621027200024%40Atlassian.JIRA.
Jira (PUP-10714) remove "master_used" report parameter in puppet 7
Title: Message Title Scott Cyprus updated an issue Puppet / PUP-10714 remove "master_used" report parameter in puppet 7 Change By: Scott Cyprus Comment: So you decided to break people's builds to arbitrarily change the name of a previously working variable?The new "server_used" terminology was marked as resolved on 2020/10/13 (PUP-10672), and then the old terminology "master_used" was not only deprecated but completely removed on 2020/10/26. Do you see how bad this is? Do you folks care at all anymore? Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.374886.1602655032000.33593.1621026360161%40Atlassian.JIRA.
Jira (PUP-10714) remove "master_used" report parameter in puppet 7
Title: Message Title Scott Cyprus commented on PUP-10714 Re: remove "master_used" report parameter in puppet 7 So you decided to break people's builds to arbitrarily change the name of a previously working variable? The new "server_used" terminology was marked as resolved on 2020/10/13 (PUP-10672), and then the old terminology "master_used" was not only deprecated but completely removed on 2020/10/26. Do you see how bad this is? Do you folks care at all anymore? Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.374886.1602655032000.33592.1621026360115%40Atlassian.JIRA.
Jira (PUP-10627) write public information to puppet_dir/public
Title: Message Title Scott Cyprus updated an issue Puppet / PUP-10627 write public information to puppet_dir/public Change By: Scott Cyprus Comment: It's very concerning that this "improvement" request was implemented without a second thought. 755 and 644 on a file that could get someone hacked? People are trusting your software to run on their systems, and careless changes like this erode that trust really quickly. It wasn't a "great catch" by Trevor, it was common sense. Please keep in mind that people use puppet to install software, and that software has an attack surface. If a hacker gains a limited shell on the machine and sees that puppet is running an outdated and vulnerable version then that is an easy way to escalate privileges. Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.369665.1597829487000.33580.1621024500041%40Atlassian.JIRA.
Jira (PUP-10627) write public information to puppet_dir/public
Title: Message Title Scott Cyprus commented on PUP-10627 Re: write public information to puppet_dir/public It's very concerning that this "improvement" request was implemented without a second thought. 755 and 644 on a file that could get someone hacked? People are trusting your software to run on their systems, and careless changes like this erode that trust really quickly. It wasn't a "great catch" by Trevor, it was common sense. Please keep in mind that people use puppet to install software, and that software has an attack surface. If a hacker gains a limited shell on the machine and sees that puppet is running an outdated and vulnerable version then that is an easy way to escalate privileges. Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.369665.1597829487000.33581.1621024500086%40Atlassian.JIRA.
Jira (PUP-10627) write public information to puppet_dir/public
Title: Message Title Scott Cyprus commented on PUP-10627 Re: write public information to puppet_dir/public It's very concerning that this "improvement" request was implemented without a second thought. 755 and 644 on a file that could get someone hacked? People are trusting your software to run on their systems, and careless changes like this erode that trust really quickly. It wasn't a "great catch" by Trevor, it was common sense. Please keep in mind that people use puppet to install software, and that software has an attack surface. If a hacker gains a limited shell on the machine and sees that puppet is running an outdated and vulnerable version then that is an easy way in. Add Comment This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.369665.1597829487000.33576.1621024380027%40Atlassian.JIRA.
