You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@cloudstack.apache.org by Daan Hoogland <da...@gmail.com> on 2022/12/28 13:09:23 UTC

[DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

LS,
Since 4.17 the inclusion of the iControl jar has been disabled because of
unresolved security issues. This leaves the SRX and F5 plugins rendered
useless. I created a PR [1] to remove them and propose to merge this before
4.18.
Please, review if you feel this is needed and/or propose alternative
solutions if you have any.

My idea is to leave this open expecting lazy consent for at least a week
into the new year.

regards,

[1] https://github.com/apache/cloudstack/pull/7023

-- 
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Daan Hoogland <da...@gmail.com>.

The reason I deleted both was because they both depend on the vulnerable
jar iControl, for which there is no update.

On Fri, Dec 30, 2022 at 11:35 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> I think there are two plugins in question. What you've advised makes sense
> for F5, I'm not sure if SRX plugin is already removed from the build
> system. Nevertheless, if there are no objections then you may execute your
> proposal as the RM.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Thursday, December 29, 2022 22:03
> To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>
> Cc: users <us...@cloudstack.apache.org>
> Subject: Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> the plugin is already removed in the latest release, so I think this is a
> special case Rohit. It makes no sense to start deprecating now, it has been
> dysfunctional for more than half a year already. My proposal is to remove
> the code in 4.18, as the plugin is effectively already removed.
>
> On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
> wrote:
>
> > We've done this in the past which usually would be to deprecate the
> > component in a release and then remove that in subsequent releases, to
> not
> > surprise our users to give enough time for the community to object or
> > respond.
> >
> > I think we can start by deprecating them in 4.18, i.e. put in the release
> > notes (about) page to publish the information and intent to remove in
> > future releases. If there are no objections, then in the next LTS (4.19)
> > this can be removed from the source code and a removal notice is put in
> the
> > release notes.
> >
> >
> > Regards.
> >
> > ________________________________
> > From: Daan Hoogland <da...@gmail.com>
> > Sent: Wednesday, December 28, 2022 18:39
> > To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> > Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
> >
> > LS,
> > Since 4.17 the inclusion of the iControl jar has been disabled because of
> > unresolved security issues. This leaves the SRX and F5 plugins rendered
> > useless. I created a PR [1] to remove them and propose to merge this
> before
> > 4.18.
> > Please, review if you feel this is needed and/or propose alternative
> > solutions if you have any.
> >
> > My idea is to leave this open expecting lazy consent for at least a week
> > into the new year.
> >
> > regards,
> >
> > [1] https://github.com/apache/cloudstack/pull/7023
> >
> > --
> > Daan
> >
> >
> >
> >
>
> --
> Daan
>
>
>
>

-- 
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Daan Hoogland <da...@gmail.com>.

The reason I deleted both was because they both depend on the vulnerable
jar iControl, for which there is no update.

On Fri, Dec 30, 2022 at 11:35 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> I think there are two plugins in question. What you've advised makes sense
> for F5, I'm not sure if SRX plugin is already removed from the build
> system. Nevertheless, if there are no objections then you may execute your
> proposal as the RM.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Thursday, December 29, 2022 22:03
> To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>
> Cc: users <us...@cloudstack.apache.org>
> Subject: Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> the plugin is already removed in the latest release, so I think this is a
> special case Rohit. It makes no sense to start deprecating now, it has been
> dysfunctional for more than half a year already. My proposal is to remove
> the code in 4.18, as the plugin is effectively already removed.
>
> On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
> wrote:
>
> > We've done this in the past which usually would be to deprecate the
> > component in a release and then remove that in subsequent releases, to
> not
> > surprise our users to give enough time for the community to object or
> > respond.
> >
> > I think we can start by deprecating them in 4.18, i.e. put in the release
> > notes (about) page to publish the information and intent to remove in
> > future releases. If there are no objections, then in the next LTS (4.19)
> > this can be removed from the source code and a removal notice is put in
> the
> > release notes.
> >
> >
> > Regards.
> >
> > ________________________________
> > From: Daan Hoogland <da...@gmail.com>
> > Sent: Wednesday, December 28, 2022 18:39
> > To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> > Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
> >
> > LS,
> > Since 4.17 the inclusion of the iControl jar has been disabled because of
> > unresolved security issues. This leaves the SRX and F5 plugins rendered
> > useless. I created a PR [1] to remove them and propose to merge this
> before
> > 4.18.
> > Please, review if you feel this is needed and/or propose alternative
> > solutions if you have any.
> >
> > My idea is to leave this open expecting lazy consent for at least a week
> > into the new year.
> >
> > regards,
> >
> > [1] https://github.com/apache/cloudstack/pull/7023
> >
> > --
> > Daan
> >
> >
> >
> >
>
> --
> Daan
>
>
>
>

-- 
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Rohit Yadav <ro...@shapeblue.com>.

I think there are two plugins in question. What you've advised makes sense for F5, I'm not sure if SRX plugin is already removed from the build system. Nevertheless, if there are no objections then you may execute your proposal as the RM.


Regards.

________________________________
From: Daan Hoogland <da...@gmail.com>
Sent: Thursday, December 29, 2022 22:03
To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Cc: users <us...@cloudstack.apache.org>
Subject: Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

the plugin is already removed in the latest release, so I think this is a
special case Rohit. It makes no sense to start deprecating now, it has been
dysfunctional for more than half a year already. My proposal is to remove
the code in 4.18, as the plugin is effectively already removed.

On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> We've done this in the past which usually would be to deprecate the
> component in a release and then remove that in subsequent releases, to not
> surprise our users to give enough time for the community to object or
> respond.
>
> I think we can start by deprecating them in 4.18, i.e. put in the release
> notes (about) page to publish the information and intent to remove in
> future releases. If there are no objections, then in the next LTS (4.19)
> this can be removed from the source code and a removal notice is put in the
> release notes.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Wednesday, December 28, 2022 18:39
> To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> LS,
> Since 4.17 the inclusion of the iControl jar has been disabled because of
> unresolved security issues. This leaves the SRX and F5 plugins rendered
> useless. I created a PR [1] to remove them and propose to merge this before
> 4.18.
> Please, review if you feel this is needed and/or propose alternative
> solutions if you have any.
>
> My idea is to leave this open expecting lazy consent for at least a week
> into the new year.
>
> regards,
>
> [1] https://github.com/apache/cloudstack/pull/7023
>
> --
> Daan
>
>
>
>

--
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Rohit Yadav <ro...@shapeblue.com>.

I think there are two plugins in question. What you've advised makes sense for F5, I'm not sure if SRX plugin is already removed from the build system. Nevertheless, if there are no objections then you may execute your proposal as the RM.


Regards.

________________________________
From: Daan Hoogland <da...@gmail.com>
Sent: Thursday, December 29, 2022 22:03
To: dev@cloudstack.apache.org <de...@cloudstack.apache.org>
Cc: users <us...@cloudstack.apache.org>
Subject: Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

the plugin is already removed in the latest release, so I think this is a
special case Rohit. It makes no sense to start deprecating now, it has been
dysfunctional for more than half a year already. My proposal is to remove
the code in 4.18, as the plugin is effectively already removed.

On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> We've done this in the past which usually would be to deprecate the
> component in a release and then remove that in subsequent releases, to not
> surprise our users to give enough time for the community to object or
> respond.
>
> I think we can start by deprecating them in 4.18, i.e. put in the release
> notes (about) page to publish the information and intent to remove in
> future releases. If there are no objections, then in the next LTS (4.19)
> this can be removed from the source code and a removal notice is put in the
> release notes.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Wednesday, December 28, 2022 18:39
> To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> LS,
> Since 4.17 the inclusion of the iControl jar has been disabled because of
> unresolved security issues. This leaves the SRX and F5 plugins rendered
> useless. I created a PR [1] to remove them and propose to merge this before
> 4.18.
> Please, review if you feel this is needed and/or propose alternative
> solutions if you have any.
>
> My idea is to leave this open expecting lazy consent for at least a week
> into the new year.
>
> regards,
>
> [1] https://github.com/apache/cloudstack/pull/7023
>
> --
> Daan
>
>
>
>

--
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Daan Hoogland <da...@gmail.com>.

the plugin is already removed in the latest release, so I think this is a
special case Rohit. It makes no sense to start deprecating now, it has been
dysfunctional for more than half a year already. My proposal is to remove
the code in 4.18, as the plugin is effectively already removed.

On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> We've done this in the past which usually would be to deprecate the
> component in a release and then remove that in subsequent releases, to not
> surprise our users to give enough time for the community to object or
> respond.
>
> I think we can start by deprecating them in 4.18, i.e. put in the release
> notes (about) page to publish the information and intent to remove in
> future releases. If there are no objections, then in the next LTS (4.19)
> this can be removed from the source code and a removal notice is put in the
> release notes.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Wednesday, December 28, 2022 18:39
> To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> LS,
> Since 4.17 the inclusion of the iControl jar has been disabled because of
> unresolved security issues. This leaves the SRX and F5 plugins rendered
> useless. I created a PR [1] to remove them and propose to merge this before
> 4.18.
> Please, review if you feel this is needed and/or propose alternative
> solutions if you have any.
>
> My idea is to leave this open expecting lazy consent for at least a week
> into the new year.
>
> regards,
>
> [1] https://github.com/apache/cloudstack/pull/7023
>
> --
> Daan
>
>
>
>

-- 
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Daan Hoogland <da...@gmail.com>.

the plugin is already removed in the latest release, so I think this is a
special case Rohit. It makes no sense to start deprecating now, it has been
dysfunctional for more than half a year already. My proposal is to remove
the code in 4.18, as the plugin is effectively already removed.

On Thu, Dec 29, 2022 at 8:47 AM Rohit Yadav <ro...@shapeblue.com>
wrote:

> We've done this in the past which usually would be to deprecate the
> component in a release and then remove that in subsequent releases, to not
> surprise our users to give enough time for the community to object or
> respond.
>
> I think we can start by deprecating them in 4.18, i.e. put in the release
> notes (about) page to publish the information and intent to remove in
> future releases. If there are no objections, then in the next LTS (4.19)
> this can be removed from the source code and a removal notice is put in the
> release notes.
>
>
> Regards.
>
> ________________________________
> From: Daan Hoogland <da...@gmail.com>
> Sent: Wednesday, December 28, 2022 18:39
> To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
> Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX
>
> LS,
> Since 4.17 the inclusion of the iControl jar has been disabled because of
> unresolved security issues. This leaves the SRX and F5 plugins rendered
> useless. I created a PR [1] to remove them and propose to merge this before
> 4.18.
> Please, review if you feel this is needed and/or propose alternative
> solutions if you have any.
>
> My idea is to leave this open expecting lazy consent for at least a week
> into the new year.
>
> regards,
>
> [1] https://github.com/apache/cloudstack/pull/7023
>
> --
> Daan
>
>
>
>

-- 
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Rohit Yadav <ro...@shapeblue.com>.

We've done this in the past which usually would be to deprecate the component in a release and then remove that in subsequent releases, to not surprise our users to give enough time for the community to object or respond.

I think we can start by deprecating them in 4.18, i.e. put in the release notes (about) page to publish the information and intent to remove in future releases. If there are no objections, then in the next LTS (4.19) this can be removed from the source code and a removal notice is put in the release notes.


Regards.

________________________________
From: Daan Hoogland <da...@gmail.com>
Sent: Wednesday, December 28, 2022 18:39
To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

LS,
Since 4.17 the inclusion of the iControl jar has been disabled because of
unresolved security issues. This leaves the SRX and F5 plugins rendered
useless. I created a PR [1] to remove them and propose to merge this before
4.18.
Please, review if you feel this is needed and/or propose alternative
solutions if you have any.

My idea is to leave this open expecting lazy consent for at least a week
into the new year.

regards,

[1] https://github.com/apache/cloudstack/pull/7023

--
Daan

Re: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

Posted by Rohit Yadav <ro...@shapeblue.com>.

We've done this in the past which usually would be to deprecate the component in a release and then remove that in subsequent releases, to not surprise our users to give enough time for the community to object or respond.

I think we can start by deprecating them in 4.18, i.e. put in the release notes (about) page to publish the information and intent to remove in future releases. If there are no objections, then in the next LTS (4.19) this can be removed from the source code and a removal notice is put in the release notes.


Regards.

________________________________
From: Daan Hoogland <da...@gmail.com>
Sent: Wednesday, December 28, 2022 18:39
To: dev <de...@cloudstack.apache.org>; users <us...@cloudstack.apache.org>
Subject: [DISCUSS][PROPOSAL][4.19] remove juniper plugins F5 and SRX

LS,
Since 4.17 the inclusion of the iControl jar has been disabled because of
unresolved security issues. This leaves the SRX and F5 plugins rendered
useless. I created a PR [1] to remove them and propose to merge this before
4.18.
Please, review if you feel this is needed and/or propose alternative
solutions if you have any.

My idea is to leave this open expecting lazy consent for at least a week
into the new year.

regards,

[1] https://github.com/apache/cloudstack/pull/7023

--
Daan