qpid-dev mailing list archives

From Keith W <keith.w...@gmail.com>
Subject Re: Request for inclusion into 0.32
Date Tue, 24 Feb 2015 12:50:38 GMT

Hi Justin

On 24 February 2015 at 12:31, Justin Ross <justin.ross@gmail.com> wrote:

> The latter three are approved.
> On the first, QPID-6247.  You say "only affects a part of Broker
> functionality responsible for writing updates to configuration files".
> This is the primary way users will store their configuration, true?  If so,
> that's not isolated.
> It's also not small.  Which leaves us with importance.  Does this deserve
> an exception because it's a particularly severe defect?  It looks (to the
> uninformed, me) like a normal priority defect.  Is it a regression?

It is true that QPID-6247 is a long-standing defect; however, with changes
we have already made in 0.32, the severity is increased. 0.32 brings with
it the ability to upload private keys through the UI. By default, these
keys are stored - inlined - within the Broker's configuration files and are
written to disk. If we don't include QPID-6247, the Broker won't preserve
the file permissions on the configuration files through the update, and it
could therefore become inadvertently readable by others. This would
represent a security issue. Apologies, we should have identified the
interdependency between this existing defect and the new feature earlier in
the cycle.

Kind regards, Keith
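
An added example, not part of the message above and not Qpid code: it illustrates the class of problem described, where rewriting a configuration file that holds an inlined private key drops the restrictive permissions an operator set on it. It assumes the update is done by writing a new file and renaming it over the old one (the message does not say how the Broker writes its files); all function names and the sample content are hypothetical.

```python
import os
import stat
import tempfile

def naive_update(path, data):
    """Assumed failure mode: write a fresh file, then rename it over the old one."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:              # created as 0666 & ~umask
        f.write(data)
    os.replace(tmp, path)                  # original mode is lost here

def preserving_update(path, data):
    """Same update, but the replacement carries the original file's mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)   # mkstemp creates the file 0600
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), mode)    # set mode before any secret is written
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)              # atomic swap on the same filesystem
    except BaseException:
        os.unlink(tmp)
        raise

def demo():
    """Run both updates on owner-only files; return the resulting modes."""
    secret = '{"privateKey": "CONSTRUCTED-PLACEHOLDER"}'   # constructed sample
    old_umask = os.umask(0o022)            # a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            modes = {}
            for name, update in (("naive", naive_update),
                                 ("preserving", preserving_update)):
                path = os.path.join(d, name + ".json")
                with open(path, "w") as f:
                    f.write("{}")
                os.chmod(path, 0o600)      # operator restricted the config file
                update(path, secret)
                modes[name] = stat.S_IMODE(os.stat(path).st_mode)
            return modes
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    for name, mode in demo().items():
        print(f"{name}: {mode:04o}")
```

Only the mode bits are carried over here; ownership and ACLs would need the same treatment on systems that rely on them.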

