[GitHub] [couchdb-pkg] alex-zywicki commented on issue #94: Fixes made for CVE-2022-24706 mitigation break automated installations

[GitBox <gi...@apache.org>]

alex-zywicki commented on issue #94:
URL: https://github.com/apache/couchdb-pkg/issues/94#issuecomment-1121577306

   @nickva You will most likely be hearing from Mike H soon, I told him to give you a hard time. 
   
   I think an environment variable would be a reasonable thing in addition to the randomly generated value, but I don't think it is enough on it's own. 
   
   For a single instance configuration I would expect the installation to just work with no input. And for clustered systems you're already doing a bunch of config so it shouldn't be much of a burden to configure the cookie as needed so long as the documentation is good. 
   
   Also keep in mind that this will also break your debian installs as well as you implemented what looks to be similar changes for debian.
   
   Ideally I would see the generation of a default random value moved out of the postinstall process and have it be part of the couch startup process where couch would just pick a value if none is configured and have the postinstall. That would keep the postinstall nice and clean rather than patching things up like it is now.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@couchdb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org