ignite-dev mailing list archives

From Denis Magda <dma...@apache.org>
Subject Re: Lack of accounting for extremely disruptive functionality
Date Tue, 06 Jun 2017 05:43:57 GMT
Hi Roman!

In fact, that particular issue you’re referring to was handled directly in JIRA [1] in order
to address the reported CVE [2]. Now I see that, as one of the ticket reviewers, I should
have initiated a broader discussion on @dev to avoid the point we came to today with the update.

Speaking about the notifier in general, that’s not a new piece of code. It was originally
donated to Ignite at the time of incubation, and we planned to make use of it for the whole
community (for instance, knowing such metrics as the JDK version, we could not only see what’s
the most popular Java version Ignite runs on but also decide whether there is a reason to support
Java 7).

However, due to a lack of resources and shifting priorities and interests inside the community,
we haven’t completed the upgrade process of the notifier, and none of the data gathered by
it is used for any purpose. So, now, the reasonable decision would be to disable the notifier
completely and initiate a separate discussion on @dev going over its scope, functionality
and future.


[1] https://issues.apache.org/jira/browse/IGNITE-4537
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6805

> On Jun 5, 2017, at 6:27 PM, Roman Shaposhnik <rvs@apache.org> wrote:
> Hi!
> there's a thread about an extremely questionable practice
> that Apache Ignite engages in. A practice that borders
> on unsolicited data collection (and as such may even be
> illegal in some jurisdictions without an explicit opt-in):
>    https://mail-archives.apache.org/mod_mbox/www-legal-discuss/201706.mbox/%3CCAGJoAUn-hiE89mWObh1Lb2S_vgqQJ%3DDC%3D1P_V1REQ9hUERCFog%40mail.gmail.com%3E
> This thread, however, is not focused on the legality (IANAL) of
> the practice, nor is it focused on the security implications of it. I'd like
> to talk about an absolute lack of any accounting for an extremely
> disruptive functionality like this one.
> Because you see, when I asked myself the question "how the heck
> could something like this possibly end up in a project with
> virtually 0 discussion that I remember?", my next thought was -- well,
> let me use Git and JIRA to get to the bottom of this. Quite to
> my surprise, every single commit that touches the URL in question
> has virtually 0 accounting for why it is there. No JIRA IDs, no extended
> comments -- nothing.
> My understanding is that you guys pride yourselves on being an RTC project.
> Can someone please explain to me how all of these got reviewed:
> https://github.com/apache/ignite/commit/952be8b995050b34379006dd6e739da3fe3b49e3
> https://github.com/apache/ignite/commit/33ec73f901ca5dba441c6ca4e118d55165f3d25e
> https://github.com/apache/ignite/commit/551b3d1eab2a0b78d3f259f1bf24f1f6f3ff7b06
> https://github.com/apache/ignite/commit/c4030f926a7339cfcae14e19cec22d9d37cd94dd
> https://github.com/apache/ignite/commit/73c5e43c6c161aa18aa9e8ff2b09e582c7aedce4
> Thanks,
> Roman.
