qpid-dev mailing list archives

From Justin Ross <justin.r...@gmail.com>
Subject Re: Request for inclusion into 0.32
Date Tue, 24 Feb 2015 12:55:18 GMT
Thanks, Keith.  It's now approved for 0.32.

On Tue, Feb 24, 2015 at 7:50 AM, Keith W <keith.wall@gmail.com> wrote:

> Hi Justin
>
>
>
> On 24 February 2015 at 12:31, Justin Ross <justin.ross@gmail.com> wrote:
>
>> The latter three are approved.
>>
>> On the first, QPID-6247.  You say "only affects a part of Broker
>> functionality responsible for writing updates to configuration files".
>> This is the primary way users will store their configuration, true?  If so,
>> that's not isolated.
>>
>> It's also not small.  Which leaves us with importance.  Does this deserve
>> an exception because it's a particularly severe defect?  It looks (to the
>> uninformed, me) like a normal priority defect.  Is it a regression?
>>
>>
> It is true that QPID-6247 is a long-standing defect; however, with
> changes we have already made in 0.32 the severity is increased.   0.32
> brings with it the ability to upload private keys through the UI.  By
> default, these keys are stored - inlined - within the Broker's
> configuration files and are written to disk.  If we don't include QPID-6247
> the Broker won't preserve the file permissions on the configuration files
> through the update, and it could therefore become inadvertently readable by
> others.  This would represent a security issue.   Apologies, we should have
> identified the interdependency between this existing defect and the new
> feature earlier in the cycle.
>
> Kind regards, Keith
>
>
>
>>
>>
