Posted to dev@couchdb.apache.org by Dave Cottlehuber <dc...@jsonified.com> on 2014/08/06 08:52:34 UTC
do we need a 1.6.1 ?
> That was an accidental bug which was fixed after release:
> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
> TL;DR remove all the clear text passwords from ini file and set admins
> via HTTP API to workaround the issue. This should help.
> --
> ,,,^..^,,,
>
This is the `hash admin passwords on startup when list` fix again, which will
catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
specifically due to this?
A+
Dave
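
The workaround quoted in the message above (take clear-text admin passwords out of the ini file, then set those admins through the HTTP API), as an added example that is not part of the original thread and is not CouchDB's own code. It assumes hashed `[admins]` values begin with `-pbkdf2-` or `-hashed-`; the sample ini is constructed and `split_admins` is a hypothetical helper name.

```python
# Added example: find clear-text admin passwords in a CouchDB ini file.
HASHED_PREFIXES = ("-pbkdf2-", "-hashed-")  # assumed formats of hashed values

# Constructed sample local.ini; every name and value here is made up.
SAMPLE_INI = """\
[couchdb]
uuid = 0123456789abcdef

[admins]
; already hashed by the server
alice = -pbkdf2-0a1b2c3d,5e6f7a8b,10
; legacy hash format
bob = -hashed-0a1b2c3d,5e6f7a8b
; never hashed: the case this thread is about
carol = s3cret

[httpd]
bind_address = 127.0.0.1
"""


def split_admins(ini_text):
    """Return (cleaned_ini, names): the ini text without clear-text
    [admins] entries, and the admin names that were removed."""
    cleaned, names, section = [], [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip()
        elif (section == "admins" and "=" in stripped
              and not stripped.startswith((";", "#"))):
            name, value = (part.strip() for part in stripped.split("=", 1))
            if not value.startswith(HASHED_PREFIXES):
                names.append(name)
                continue  # drop the clear-text line from the cleaned copy
        cleaned.append(line)
    return "\n".join(cleaned) + "\n", names


if __name__ == "__main__":
    cleaned_ini, to_reset = split_admins(SAMPLE_INI)
    for admin in to_reset:
        # Re-create each one through the config API, e.g. a PUT to
        # /_config/admins/<name> with the new password as a JSON string.
        print("clear-text admin entry:", admin)
```

Any name the function reports should be treated as having had its password exposed on disk, so set a new password rather than the old one when re-creating the admin.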
Re: do we need a 1.6.1 ?
Posted by Dave Cottlehuber <dc...@jsonified.com>.
As discussed in today’s IRC catchup, I will prepare a 1.6.1 branch
before sneaking off for a long weekend, bringing us up to the last
commit, #ade9dae, before Bob’s Big(Couch) Merge commit to master.
This will be a bugfix release, I’m proposing a minimal change log:
- just 3 major commits, with smaller doc & fauxton updates:
d43f69d hash admin passwords on startup when list
3bcf664 Add Experimental Content-Security-Policy support (CSP) for Fauxton
95600b7 Send a real EventSource event for heartbeat
tarball prepped with docs, now a new one at
http://people.apache.org/~dch/snapshots/couchdb/20140814/
I’ll kick off the proper release process tonight.
A+
Dave
Re: do we need a 1.6.1 ?
Posted by Dave Cottlehuber <dc...@jsonified.com>.
As discussed in today’s IRC catchup, I will prepare a 1.6.1 branch
before sneaking off for a long weekend, bringing us up to the last
commit, #ade9dae, before Bob’s Big(Couch) Merge commit to master.
This will be a bugfix release, I’m proposing a minimal change log:
- just 3 major commits, with smaller doc & fauxton updates:
d43f69d hash admin passwords on startup when list
3bcf664 Add Experimental Content-Security-Policy support (CSP) for Fauxton
95600b7 Send a real EventSource event for heartbeat
AFAICT I’ve done the git merge[1] correctly, and the tarball[2] passes
verify install, distcheck is still running at 2am. These aren’t
official tarballs!
I haven’t gotten the docs & changes file done yet, so this is just
for those who care to check I got the merge right.
Tomorrow I should get the doc fixes done, hope make distcheck is
passing while I sleep…
A+
Dave
[1]: https://github.com/apache/couchdb/tree/1.6.x
[2]: http://people.apache.org/~dch/snapshots/couchdb/20140813/
Re: do we need a 1.6.1 ?
Posted by Dave Cottlehuber <dc...@jsonified.com>.
> On Wed, Aug 6, 2014 at 7:52 AM, Dave Cottlehuber wrote:
> > This is the `hash admin passwords on startup when list` fix again, which will
> > catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
> > specifically due to this?
>
> Sounds sane.
>
> Do we not have tests or something to catch this?
>
> Cheers,
>
> Dirkjan
My wording of this implies we broke something and then broke it again; that’s not
correct. However, a number of users have tripped up on this (hence the again).
AFAICT #ade9dae is the last commit before the merge to pull 1.6.x up to date from,
so I will see how well this rebases to the 1.6.x branch today. Please let me know
if there’s anything further to go into this release.
A+
Dave
Re: do we need a 1.6.1 ?
Posted by Dirkjan Ochtman <di...@ochtman.nl>.
On Wed, Aug 6, 2014 at 7:52 AM, Dave Cottlehuber <dc...@jsonified.com> wrote:
> This is the `hash admin passwords on startup when list` fix again, which will
> catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
> specifically due to this?
Sounds sane.
Do we not have tests or something to catch this?
Cheers,
Dirkjan
Re: do we need a 1.6.1 ?
Posted by Robert Newson <rn...@apache.org>.
+1
Sent from my iPhone
> On 6 Aug 2014, at 09:10, Andy Wenk <an...@apache.org> wrote:
>
> as this is a bit of a security bug I would vote +1
>
> Cheers
>
> Andy
>
>
> On 6 August 2014 08:52, Dave Cottlehuber <dc...@jsonified.com> wrote:
>
>>> That was an accidental bug which was fixed after release:
>> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
>>> TL;DR remove all the clear text passwords from ini file and set admins
>>> via HTTP API to workaround the issue. This should help.
>>> --
>>> ,,,^..^,,,
>>
>> This is the `hash admin passwords on startup when list` fix again, which
>> will
>> catch more & more people as time goes on. I’m wondering if we should do a
>> 1.6.1
>> specifically due to this?
>>
>> A+
>> Dave
>
>
> --
> Andy Wenk
> Hamburg - Germany
> RockIt!
>
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
>
> https://people.apache.org/keys/committer/andywenk.asc
Re: do we need a 1.6.1 ?
Posted by Andy Wenk <an...@apache.org>.
as this is a bit of a security bug I would vote +1
Cheers
Andy
On 6 August 2014 08:52, Dave Cottlehuber <dc...@jsonified.com> wrote:
> > That was an accidental bug which was fixed after release:
> >
> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
> > TL;DR remove all the clear text passwords from ini file and set admins
> > via HTTP API to workaround the issue. This should help.
> > --
> > ,,,^..^,,,
> >
>
> This is the `hash admin passwords on startup when list` fix again, which
> will
> catch more & more people as time goes on. I’m wondering if we should do a
> 1.6.1
> specifically due to this?
>
> A+
> Dave
>
>
>
--
Andy Wenk
Hamburg - Germany
RockIt!
GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
https://people.apache.org/keys/committer/andywenk.asc
Re: do we need a 1.6.1 ?
Posted by Alexander Shorin <kx...@gmail.com>.
On Wed, Aug 6, 2014 at 10:52 AM, Dave Cottlehuber <dc...@jsonified.com> wrote:
>> That was an accidental bug which was fixed after release:
>> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
>> TL;DR remove all the clear text passwords from ini file and set admins
>> via HTTP API to workaround the issue. This should help.
>> --
>> ,,,^..^,,,
>>
>
> This is the `hash admin passwords on startup when list` fix again, which will
> catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
> specifically due to this?
+1
--
,,,^..^,,,