You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by Kathey Marsden <km...@sbcglobal.net> on 2007/11/28 18:43:57 UTC
DERBY-3083 concerns (was Re: [VOTE] 10.3.2 release)
Daniel John Debrunner wrote:
> Kathey Marsden wrote:
>> Please test and vote on the 10.3.2.0 release candidate available at:
>
> I'm still thinking about the change made to 10.3 for DERBY-3083.
>
> In 10.2 bringing up the server in all cases did not install a security
> manager.
>
> In 10.3.1.4:
> - server did not start if the derby jars were re-named and no
> security manager was already installed. While this is a regression
> from 10.2 it was secure.
>
> In 10.3.2.0
> - if the derby jars are renamed then no security manager is
> installed. This is a regression security wise from 10.3.1.4 but does
> fix a functional regression from 10.3.1.4.
>
> One real concern is that this new behaviour is 10.3.2.0 is not
> documented anywhere, it contradicts the existing documentation, thus a
> user will assume a security manager has been installed. There's also
> no information printed to any error log that no security manager exists.
>
Thanks Dan for bringing this up before I created the new candidate #:).
It looks like options are:
1) Back out DERBY-3083
2) log a message to the derby.log that no security manager exists,
update the documentation. and create a releaseNote for DERBY-3083.
3) Come to consensus on a better solution.
I'd like to get a new release candidate out Friday at the latest, as I
am going to be out on vacation starting December 17. Thoughts on the
best way to move forward on this?
Kathey
Re: DERBY-3083 concerns (was Re: [VOTE] 10.3.2 release)
Posted by Mike Matrigali <mi...@sbcglobal.net>.
Kathey Marsden wrote:
Given the time constraint I would be ok with backing out
the DERBY-3083 fix for this bug fix release and let it get
resolved in the next bug fix release.
/mikem
> Daniel John Debrunner wrote:
>> Kathey Marsden wrote:
>>> Please test and vote on the 10.3.2.0 release candidate available at:
>>
>> I'm still thinking about the change made to 10.3 for DERBY-3083.
>>
>> In 10.2 bringing up the server in all cases did not install a security
>> manager.
>>
>> In 10.3.1.4:
>> - server did not start if the derby jars were re-named and no
>> security manager was already installed. While this is a regression
>> from 10.2 it was secure.
>>
>> In 10.3.2.0
>> - if the derby jars are renamed then no security manager is
>> installed. This is a regression security wise from 10.3.1.4 but does
>> fix a functional regression from 10.3.1.4.
>>
>> One real concern is that this new behaviour is 10.3.2.0 is not
>> documented anywhere, it contradicts the existing documentation, thus a
>> user will assume a security manager has been installed. There's also
>> no information printed to any error log that no security manager exists.
>>
> Thanks Dan for bringing this up before I created the new candidate #:).
> It looks like options are:
> 1) Back out DERBY-3083
> 2) log a message to the derby.log that no security manager exists,
> update the documentation. and create a releaseNote for DERBY-3083.
> 3) Come to consensus on a better solution.
>
> I'd like to get a new release candidate out Friday at the latest, as I
> am going to be out on vacation starting December 17. Thoughts on the
> best way to move forward on this?
>
> Kathey
>
>
>
>
>
>