Posted to dev@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2022/03/01 08:30:01 UTC

Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)

2cents;

I suppose it's up to the RM to triage and if necessary cut RC3, however, if a normal user account can't have the list of resources (uuid, in this case network's UUID) then it doesn't appear a critical issue to me for 99.99% cases.

Long term - it may be worth doing a broad search for all APIs where a similar behaviour may exist (user can't list the resource, but if they knew the UUID could possibly run an API against that).



Regards.

________________________________
From: Andrija Panic <an...@gmail.com>
Sent: Tuesday, March 1, 2022 04:36
To: dev <de...@cloudstack.apache.org>
Subject: Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)

By all means, although we could argue that this is NOT a regression, and as
such we might skip it - but it's a security/privacy issue, so we should
better fix it in RC3, yes.


 

On Mon, 28 Feb 2022 at 16:15, Gabriel Bräscher <ga...@gmail.com> wrote:

> Hello folks,
>
> I would like to raise the issue
> https://github.com/apache/cloudstack/issues/6049.
> It affects not only 4.16.1.0 RC2, but also previous releases.
> I consider it a critical issue, which could potentially impact the need for
> a release candidate #3.
> Any thoughts?
>
> Regards,
> Gabriel.
>
> On Mon, Feb 28, 2022 at 3:46 PM Nux! <nu...@li.nux.ro> wrote:
>
> > +1 (binding)
> >
> > Tested KVM in advanced zones (with and without security groups).
> > Everything seems to be working.
> >
> > ---
> > Nux!
> > www.nux.ro
> >
> > On 2022-02-25 15:08, Suresh Anaparti wrote:
> > > Hi All,
> > >
> > > I have created a 4.16.1.0 release (RC2), with the following artifacts
> > > up for testing and a vote:
> > >
> > > Git Branch and Commit SHA:
> > > https://github.com/apache/cloudstack/tree/4.16.1.0-RC20220225T1901
> > > Commit: cad9332082a1f85eedc30cf547ae28224be170c2
> > >
> > > Source release (checksums and signatures are available at the same
> > > location):
> > > https://dist.apache.org/repos/dist/dev/cloudstack/4.16.1.0/
> > >
> > > PGP release keys (signed using
> > > D6E0581ECF8A2FBE3FF6B3C9D7CEAE3A9E71D0AA):
> > > https://dist.apache.org/repos/dist/release/cloudstack/KEYS
> > >
> > > The vote will be open until 2nd March 2022.
> > >
> > > For sanity in tallying the vote, can PMC members please be sure to
> > > indicate "(binding)" with their vote?
> > >
> > > [ ] +1  approve
> > > [ ] +0  no opinion
> > > [ ] -1  disapprove (and reason why)
> > >
> > > > For users' convenience, the packages from this release candidate (RC2) and
> > > > 4.16.1 systemvm templates are available here:
> > > https://download.cloudstack.org/testing/4.16.1.0-RC2/
> > > https://download.cloudstack.org/systemvm/4.16/
> > >
> > > Documentation is not published yet, but the following may be
> > > referenced for upgrade related tests:
> > > (there's a new 4.16.1 systemvm template to be registered prior to
> > > upgrade)
> > >
> > > https://github.com/apache/cloudstack-documentation/tree/4.16/source/upgrading/upgrade
> > >
> > > NOTES on the issues fixed in this RC2 release:
> > >
> > > (these do *NOT* require a full retest if you were testing RC1 already -
> > > just if you were affected by these issues):
> > > - https://github.com/apache/cloudstack/issues/6017 (regression in
> > > register template form
> > > when select/unselect check boxes using space in keyboard)
> > > - https://github.com/apache/cloudstack/issues/6026 (affects volumes on
> > > managed storages when
> > > stopping or migrating a VM)
> > > - https://github.com/apache/cloudstack/issues/6038 (regression in SSVM
> > > scaling down behavior,
> > > new config 'secstorage.vm.auto.scale.down' added to control scaling
> > > down)
> > >
> > >
> > > Regards,
> > > Suresh
> >
>


--

Andrija Panić

Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)

Posted by Suresh Anaparti <Su...@shapeblue.com>.
Agree with Rohit, and it's a very rare case.

@Gabriel, Do you agree to continue with 4.16.1.0 RC2?

 
Regards,
Suresh

On 01/03/22, 3:10 PM, "Andrija Panic" <an...@gmail.com> wrote:

    That makes sense, Rohit, indeed. UUID is impossible to guess.

    Gabriel, Suresh?

    
 

On Tue, 1 Mar 2022 at 09:31, Rohit Yadav <ro...@shapeblue.com> wrote:

    > 2cents;
    >
    > I suppose it's up to the RM to triage and if necessary cut RC3, however,
    > if a normal user account can't have the list of resources (uuid, in this
    > case network's UUID) then it doesn't appear a critical issue to me for
    > 99.99% cases.
    >
    > Long term - it may be worth doing a broad search for all APIs where a
    > similar behaviour may exist (user can't list the resource, but if they knew
    > the UUID could possibly run an API against that).
    >
    >
    >
    > Regards.
    >
    > ________________________________
    > From: Andrija Panic <an...@gmail.com>
    > Sent: Tuesday, March 1, 2022 04:36
    > To: dev <de...@cloudstack.apache.org>
    > Subject: Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)
    >
    > By all means, although we could argue that this is NOT a regression, and as
    > such we might skip it - but it's a security/privacy issue, so we should
    > better fix it in RC3, yes.
    >
    >
    >
    >
    > On Mon, 28 Feb 2022 at 16:15, Gabriel Bräscher <ga...@gmail.com>
    > wrote:
    >
    > > Hello folks,
    > >
    > > I would like to raise the issue
    > > https://github.com/apache/cloudstack/issues/6049.
    > > It affects not only 4.16.1.0 RC2, but also previous releases.
    > > I consider it a critical issue, which could potentially impact the need for
    > > a release candidate #3.
    > > Any thoughts?
    > >
    > > Regards,
    > > Gabriel.
    > >
    > > On Mon, Feb 28, 2022 at 3:46 PM Nux! <nu...@li.nux.ro> wrote:
    > >
    > > > +1 (binding)
    > > >
    > > > Tested KVM in advanced zones (with and without security groups).
    > > > Everything seems to be working.
    > > >
    > > > ---
    > > > Nux!
    > > > www.nux.ro
    > > >
    > > > On 2022-02-25 15:08, Suresh Anaparti wrote:
    > > > > Hi All,
    > > > >
    > > > > I have created a 4.16.1.0 release (RC2), with the following artifacts
    > > > > up for testing and a vote:
    > > > >
    > > > > Git Branch and Commit SHA:
    > > > > https://github.com/apache/cloudstack/tree/4.16.1.0-RC20220225T1901
    > > > > Commit: cad9332082a1f85eedc30cf547ae28224be170c2
    > > > >
    > > > > Source release (checksums and signatures are available at the same
    > > > > location):
    > > > > https://dist.apache.org/repos/dist/dev/cloudstack/4.16.1.0/
    > > > >
    > > > > PGP release keys (signed using
    > > > > D6E0581ECF8A2FBE3FF6B3C9D7CEAE3A9E71D0AA):
    > > > > https://dist.apache.org/repos/dist/release/cloudstack/KEYS
    > > > >
    > > > > The vote will be open until 2nd March 2022.
    > > > >
    > > > > For sanity in tallying the vote, can PMC members please be sure to
    > > > > indicate "(binding)" with their vote?
    > > > >
    > > > > [ ] +1  approve
    > > > > [ ] +0  no opinion
    > > > > [ ] -1  disapprove (and reason why)
    > > > >
    > > > > For users' convenience, the packages from this release candidate (RC2) and
    > > > > 4.16.1 systemvm templates are available here:
    > > > > https://download.cloudstack.org/testing/4.16.1.0-RC2/
    > > > > https://download.cloudstack.org/systemvm/4.16/
    > > > >
    > > > > Documentation is not published yet, but the following may be
    > > > > referenced for upgrade related tests:
    > > > > (there's a new 4.16.1 systemvm template to be registered prior to
    > > > > upgrade)
    > > > >
    > > > > https://github.com/apache/cloudstack-documentation/tree/4.16/source/upgrading/upgrade
    > > > >
    > > > > NOTES on the issues fixed in this RC2 release:
    > > > >
    > > > > (these do *NOT* require a full retest if you were testing RC1 already -
    > > > > just if you were affected by these issues):
    > > > > - https://github.com/apache/cloudstack/issues/6017 (regression in
    > > > > register template form
    > > > > when select/unselect check boxes using space in keyboard)
    > > > > - https://github.com/apache/cloudstack/issues/6026 (affects volumes on
    > > > > managed storages when
    > > > > stopping or migrating a VM)
    > > > > - https://github.com/apache/cloudstack/issues/6038 (regression in SSVM
    > > > > scaling down behavior,
    > > > > new config 'secstorage.vm.auto.scale.down' added to control scaling
    > > > > down)
    > > > >
    > > > >
    > > > > Regards,
    > > > > Suresh
    > > >
    > >
    >
    >
    > --
    >
    > Andrija Panić
    >


    -- 

    Andrija Panić


Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)

Posted by Andrija Panic <an...@gmail.com>.
That makes sense, Rohit, indeed. UUID is impossible to guess.

Gabriel, Suresh?

On Tue, 1 Mar 2022 at 09:31, Rohit Yadav <ro...@shapeblue.com> wrote:

> 2cents;
>
> I suppose it's up to the RM to triage and if necessary cut RC3, however,
> if a normal user account can't have the list of resources (uuid, in this
> case network's UUID) then it doesn't appear a critical issue to me for
> 99.99% cases.
>
> Long term - it may be worth doing a broad search for all APIs where a
> similar behaviour may exist (user can't list the resource, but if they knew
> the UUID could possibly run an API against that).
>
>
>
> Regards.
>
> ________________________________
> From: Andrija Panic <an...@gmail.com>
> Sent: Tuesday, March 1, 2022 04:36
> To: dev <de...@cloudstack.apache.org>
> Subject: Re: [VOTE] Apache CloudStack 4.16.1.0 (RC2)
>
> By all means, although we could argue that this is NOT a regression, and as
> such we might skip it - but it's a security/privacy issue, so we should
> better fix it in RC3, yes.
>
>
>
>
> On Mon, 28 Feb 2022 at 16:15, Gabriel Bräscher <ga...@gmail.com>
> wrote:
>
> > Hello folks,
> >
> > I would like to raise the issue
> > https://github.com/apache/cloudstack/issues/6049.
> > It affects not only 4.16.1.0 RC2, but also previous releases.
> > I consider it a critical issue, which could potentially impact the need for
> > a release candidate #3.
> > Any thoughts?
> >
> > Regards,
> > Gabriel.
> >
> > On Mon, Feb 28, 2022 at 3:46 PM Nux! <nu...@li.nux.ro> wrote:
> >
> > > +1 (binding)
> > >
> > > Tested KVM in advanced zones (with and without security groups).
> > > Everything seems to be working.
> > >
> > > ---
> > > Nux!
> > > www.nux.ro
> > >
> > > On 2022-02-25 15:08, Suresh Anaparti wrote:
> > > > Hi All,
> > > >
> > > > I have created a 4.16.1.0 release (RC2), with the following artifacts
> > > > up for testing and a vote:
> > > >
> > > > Git Branch and Commit SHA:
> > > > https://github.com/apache/cloudstack/tree/4.16.1.0-RC20220225T1901
> > > > Commit: cad9332082a1f85eedc30cf547ae28224be170c2
> > > >
> > > > Source release (checksums and signatures are available at the same
> > > > location):
> > > > https://dist.apache.org/repos/dist/dev/cloudstack/4.16.1.0/
> > > >
> > > > PGP release keys (signed using
> > > > D6E0581ECF8A2FBE3FF6B3C9D7CEAE3A9E71D0AA):
> > > > https://dist.apache.org/repos/dist/release/cloudstack/KEYS
> > > >
> > > > The vote will be open until 2nd March 2022.
> > > >
> > > > For sanity in tallying the vote, can PMC members please be sure to
> > > > indicate "(binding)" with their vote?
> > > >
> > > > [ ] +1  approve
> > > > [ ] +0  no opinion
> > > > [ ] -1  disapprove (and reason why)
> > > >
> > > > For users' convenience, the packages from this release candidate (RC2) and
> > > > 4.16.1 systemvm templates are available here:
> > > > https://download.cloudstack.org/testing/4.16.1.0-RC2/
> > > > https://download.cloudstack.org/systemvm/4.16/
> > > >
> > > > Documentation is not published yet, but the following may be
> > > > referenced for upgrade related tests:
> > > > (there's a new 4.16.1 systemvm template to be registered prior to
> > > > upgrade)
> > > >
> > > > https://github.com/apache/cloudstack-documentation/tree/4.16/source/upgrading/upgrade
> > > >
> > > > NOTES on the issues fixed in this RC2 release:
> > > >
> > > > (these do *NOT* require a full retest if you were testing RC1 already -
> > > > just if you were affected by these issues):
> > > > - https://github.com/apache/cloudstack/issues/6017 (regression in
> > > > register template form
> > > > when select/unselect check boxes using space in keyboard)
> > > > - https://github.com/apache/cloudstack/issues/6026 (affects volumes on
> > > > managed storages when
> > > > stopping or migrating a VM)
> > > > - https://github.com/apache/cloudstack/issues/6038 (regression in SSVM
> > > > scaling down behavior,
> > > > new config 'secstorage.vm.auto.scale.down' added to control scaling
> > > > down)
> > > >
> > > >
> > > > Regards,
> > > > Suresh
> > >
> >
>
>
> --
>
> Andrija Panić
>


-- 

Andrija Panić