Re: Backporting 3.8.1 security fix in 3.6.x

Romain Manni-Bucau
On Fri, 2 Apr 2021 at 16:08, Elliotte Rusty Harold <[hidden email]> wrote:

> On Fri, Apr 2, 2021 at 11:44 AM Romain Manni-Bucau
> <[hidden email]> wrote:
>
> > So teams pick a version with semver like in mind assuming they will get
> > security fixes in this branch for the duration of the projects which tend
> > to be wrong since maven tends to update minor as often as patch digit.
>
> That is a very unjustified assumption. A minuscule fraction of open
> source projects issue patch releases for anything but head. The Linux
> kernel comes to mind. I can't think of a second, and none from the
> Apache Project. I'm sure they're out there, but it's certainly less
> than 1%. Absent an explicit statement that a minor version will
> receive security fixes in the future, I would never assume that
> anything other than the latest release is likely to be patched.
>

Agree with that, this is why we have a "defining a release policy before
next release" track right now, but in the meantime, since several Apache
projects defined such a policy (thinking of Karaf and TomEE) and Maven
is really, really mainstream, we can't ignore that it has been done today - and
once again it is why we get so much negative feedback each time we jump
versions.
So let's fix the immediate need and accommodate our users, and fix the real
issue right after/soon to avoid it happening again.


>
> --
> Elliotte Rusty Harold
> [hidden email]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
Re: Backporting 3.8.1 security fix in 3.6.x

Romain Manni-Bucau
@Hervé BOUTEMY <[hidden email]> I'm fine with any *solution* to this
issue which must enable users to use a 3.6.n, n > 3, to block http (and not
https) repos by config. I proposed to backport the 3.8 solution (even if
not satisfying for some) to avoid breaking between 3.6 and 3.8 and later
4.x, but as long as the goal is reached I'm happy with any solution. I have to
admit I'm not sure which one you aim at with your last answer, so please advise
me :s.

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


On Fri, 2 Apr 2021 at 19:32, Hervé BOUTEMY <[hidden email]> wrote:

> disagree: it is my last sentence on the question, no more time to lose
>
> non breaking by default is not fixing: fixing is breaking by default
>
> and of course, yes, a user can override default secure configuration to
> allow
> insecure exceptions or even global insecure: it's his responsibility
>
>
> done with me
>
> On Friday, 2 April 2021, 19:01:49 CEST Romain Manni-Bucau wrote:
> > On Fri, 2 Apr 2021 at 18:39, Hervé BOUTEMY <[hidden email]> wrote:
> > > backporting MNG-7119, I understand that it fixes a (low severity) security
> > > issue
> > >
> > > backporting MNG-7116, MNG-7117 and MNG-7128 without MNG-7118 does not
> > > backport THE security fix = MNG-7118 block HTTP by default
> >
> > Nope, this is NOT a security fix for most builds Hervé, it is only for
> > builds not customizing the global settings.xml.
> > Concretely, it is 1-1 due to maven usage to have or not the default
> > regarding the security fix (agree it is saner to have it by default) but
> > for the 3.6 branch breaking by default is not an option, therefore enabling
> > it to be used but not enabling it out of the box.
> >
> > > sorry, breaking by default is the security fix: if you don't want
> > > breaking by default, you don't want the security fix
> >
> > Not sure I'm following the reasoning.
> > What I said in the 3.6/3.8 thread was that we must enable the security
> > fix to be used in the 3.6 branch, this is what the PR does.
> >
> > > Regards,
> > >
> > > Hervé
> > >
> > > On Friday, 2 April 2021, 09:20:37 CEST Romain Manni-Bucau wrote:
> > > > Hi all,
> > > >
> > > > As explained in another thread, I created
> > > > https://github.com/apache/maven/pull/462 to backport the security
> > > > fix on 3.8 in 3.6.x.
> > > > Anyone able to review it?
> > > > The only change is that the default configuration is not there but it
> > > > can be enabled - the idea is to document it instead of breaking by default.
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau <https://twitter.com/rmannibucau> | Blog
> > > > <https://rmannibucau.metawerx.net/> | Old Blog
> > > > <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau>
> > > > | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
> > > > <https://www.packtpub.com/application-development/java-ee-8-high-performance>
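For readers of this thread who are on a Maven build that does not block plain-HTTP repositories out of the box (the situation the 3.6.x backport above describes), the stanza below is an added illustration, not code from the thread or from PR 462: it is the same shape as the blocking mirror that Maven 3.8.1 ships in its global conf/settings.xml for MNG-7118, placed in a user's own settings.xml. It assumes the build honours the `<blocked>` mirror element (true for 3.8.1; for a 3.6.x build it holds only if the backport carries that element over, which is an assumption here), and the repository id `corp-internal` named in the comment is a placeholder.

```xml
<!-- ~/.m2/settings.xml (user settings). Added example, not from the thread. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                              https://maven.apache.org/xsd/settings-1.0.0.xsd">
  <mirrors>
    <!-- Every repository whose URL is plain http:// (and not a local or
         file-based one) is routed to this pseudo-mirror, which is marked
         blocked, so the download fails instead of going over cleartext.
         https:// repositories are not matched by "external:http:*", so
         they keep working unchanged. -->
    <mirror>
      <id>maven-default-http-blocker</id>
      <mirrorOf>external:http:*</mirrorOf>
      <name>Pseudo repository to mirror external repositories initially using HTTP.</name>
      <url>http://0.0.0.0/</url>
      <blocked>true</blocked>
    </mirror>

    <!-- If one internal HTTP repository really must stay reachable, scope
         the exception to that repository's id rather than removing the
         blocker: a mirrorOf of
             external:http:*,!corp-internal
         keeps blocking every other plain-HTTP repository while exempting
         the repository declared with <id>corp-internal</id> (placeholder
         id; pick the id used in the pom or settings). -->
  </mirrors>
</settings>
```

With this in place, a dependency or plugin resolved from an http:// repository fails at download time with an error that names maven-default-http-blocker as the mirror, which is the signal to either switch that repository to https or add a deliberate, per-id exception as in the comment.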