Posted to derby-dev@db.apache.org by Kathey Marsden <km...@sbcglobal.net> on 2007/11/28 18:43:57 UTC

DERBY-3083 concerns (was Re: [VOTE] 10.3.2 release)

Daniel John Debrunner wrote:
> Kathey Marsden wrote:
>> Please test and vote on the 10.3.2.0 release candidate available at:
>
> I'm still thinking about the change made to 10.3 for DERBY-3083.
>
> In 10.2 bringing up the server in all cases did not install a security 
> manager.
>
> In 10.3.1.4:
>    - server did not start if the derby jars were re-named and no 
> security manager was already installed. While this is a regression 
> from 10.2 it was secure.
>
> In 10.3.2.0
>    - if the derby jars are renamed then no security manager is 
> installed. This is a regression security wise from 10.3.1.4 but does 
> fix a functional regression from 10.3.1.4.
>
> One real concern is that this new behaviour in 10.3.2.0 is not 
> documented anywhere, it contradicts the existing documentation, thus a 
> user will assume a security manager has been installed. There's also 
> no information printed to any error log that no security manager exists.
>
Thanks Dan for bringing this up before I created the new candidate #:). 
It looks like options are:
1) Back out DERBY-3083
2) log a message to the derby.log that no security manager exists, 
update the documentation, and create a releaseNote for DERBY-3083.
3) Come to consensus on a better solution.

I'd like to get a new release candidate out Friday at the latest, as I 
am going to be out on vacation starting December 17.  Thoughts on the 
best way to move forward on this?

Kathey

Re: DERBY-3083 concerns (was Re: [VOTE] 10.3.2 release)

Posted by Mike Matrigali <mi...@sbcglobal.net>.
Kathey Marsden wrote:

Given the time constraint I would be ok with backing out
the DERBY-3083 fix for this bug fix release and let it get
resolved in the next bug fix release.

/mikem

> Daniel John Debrunner wrote:
>> Kathey Marsden wrote:
>>> Please test and vote on the 10.3.2.0 release candidate available at:
>>
>> I'm still thinking about the change made to 10.3 for DERBY-3083.
>>
>> In 10.2 bringing up the server in all cases did not install a security 
>> manager.
>>
>> In 10.3.1.4:
>>    - server did not start if the derby jars were re-named and no 
>> security manager was already installed. While this is a regression 
>> from 10.2 it was secure.
>>
>> In 10.3.2.0
>>    - if the derby jars are renamed then no security manager is 
>> installed. This is a regression security wise from 10.3.1.4 but does 
>> fix a functional regression from 10.3.1.4.
>>
>> One real concern is that this new behaviour in 10.3.2.0 is not 
>> documented anywhere, it contradicts the existing documentation, thus a 
>> user will assume a security manager has been installed. There's also 
>> no information printed to any error log that no security manager exists.
>>
> Thanks Dan for bringing this up before I created the new candidate #:). 
> It looks like options are:
> 1) Back out DERBY-3083
> 2) log a message to the derby.log that no security manager exists, 
> update the documentation, and create a releaseNote for DERBY-3083.
> 3) Come to consensus on a better solution.
> 
> I'd like to get a new release candidate out Friday at the latest, as I 
> am going to be out on vacation starting December 17.  Thoughts on the 
> best way to move forward on this?
> 
> Kathey