Posted to dev@couchdb.apache.org by Dave Cottlehuber <dc...@jsonified.com> on 2014/08/06 08:52:34 UTC

do we need a 1.6.1 ?

> That was accidental bug which was fixed after release:
> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
> TL;DR remove all the clear text passwords from ini file and set admins
> via HTTP API to workaround the issue. This should help.
> --
> ,,,^..^,,,
>  

This is the `hash admin passwords on startup when list` fix again, which will  
catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
specifically due to this?

A+  
Dave
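
Added example, not part of the original thread or CouchDB's own code: a small checker for the workaround quoted above, listing `[admins]` entries in an ini file that are still stored in clear text so they can be removed and re-created via the HTTP API. It assumes hashed admin values carry a `-pbkdf2-` or `-hashed-` prefix and that `;` starts a comment line; the function name and the sample file contents are constructed for illustration.

```python
import re

# Assumption: CouchDB stores hashed admin passwords with one of these prefixes.
HASH_PREFIXES = ("-pbkdf2-", "-hashed-")
SECTION_RE = re.compile(r"^\[(.+?)\]\s*$")

# Constructed sample ini content, not real credentials.
SAMPLE_LOCAL_INI = """\
[couchdb]
uuid = constructed-sample

[admins]
; constructed entries for illustration
alice = -pbkdf2-0123abcd,feedface,10
bob = hunter2
;carol = commented-out
dave = -hashed-0123abcd,feedface

[httpd]
port = 5984
"""


def cleartext_admins(ini_text):
    """Return (line_number, admin_name) for [admins] values that are not hashed.

    The password value itself is never returned, so the result is safe to log.
    """
    section = None
    found = []
    for lineno, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).strip()
            continue
        if section != "admins" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value and not value.startswith(HASH_PREFIXES):
            found.append((lineno, name))
    return found


if __name__ == "__main__":
    for lineno, name in cleartext_admins(SAMPLE_LOCAL_INI):
        print(f"line {lineno}: admin '{name}' is stored in clear text")
```

Run it against each ini file in the configuration chain, since any of them may carry an `[admins]` section.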



Re: do we need a 1.6.1 ?

Posted by Dave Cottlehuber <dc...@jsonified.com>.
As discussed in today’s IRC catchup, I will prepare a 1.6.1 branch
before sneaking off for a long weekend, bringing us up to the last 
commit, #ade9dae, before Bob’s Big(Couch) Merge commit to master.

This will be a bugfix release, I’m proposing a minimal change log:

- just 3 major commits, with smaller doc & fauxton updates:

d43f69d    hash admin passwords on startup when list
3bcf664    Add Experimental Content-Security-Policy support (CSP) for Fauxton
95600b7    Send a real EventSource event for heartbeat


tarball prepped with docs, now a new one at

http://people.apache.org/~dch/snapshots/couchdb/20140814/

I’ll kick off the proper release process tonight.

A+
Dave


Re: do we need a 1.6.1 ?

Posted by Dave Cottlehuber <dc...@jsonified.com>.
As discussed in today’s IRC catchup, I will prepare a 1.6.1 branch
before sneaking off for a long weekend, bringing us up to the last 
commit, #ade9dae, before Bob’s Big(Couch) Merge commit to master.

This will be a bugfix release, I’m proposing a minimal change log:

- just 3 major commits, with smaller doc & fauxton updates:

d43f69d    hash admin passwords on startup when list
3bcf664    Add Experimental Content-Security-Policy support (CSP) for Fauxton
95600b7    Send a real EventSource event for heartbeat

AFAICT I’ve done the git merge[1] correctly, and the tarball[2] passes
verify install, distcheck is still running at 2am. These aren’t
official tarballs!

I haven’t gotten the docs & changes file done yet, so this is just
for those who care to check I got the merge right.

Tomorrow I should get the doc fixes done, hope make distcheck is
passing while I sleep…

A+
Dave

[1]: https://github.com/apache/couchdb/tree/1.6.x
[2]: http://people.apache.org/~dch/snapshots/couchdb/20140813/


Re: do we need a 1.6.1 ?

Posted by Dave Cottlehuber <dc...@jsonified.com>.
> On Wed, Aug 6, 2014 at 7:52 AM, Dave Cottlehuber wrote: 
> > This is the `hash admin passwords on startup when list` fix again, which will  
> > catch more & more people as time goes on. I’m wondering if we should do a 1.6.1  
> > specifically due to this?  
>  
> Sounds sane.  
>  
> Do we not have tests or something to catch this?  
>  
> Cheers,  
>  
> Dirkjan  

My wording of this implies we broke something and then broke it again, that’s not
correct, however a number of users have tripped up on this (hence the again). 

AFAICT #ade9dae is the last commit before the merge to pull 1.6.x up to date from,
so I will see how well this rebases to the 1.6.x branch today. Please let me know
if there’s anything further to go into this release.

A+
Dave


Re: do we need a 1.6.1 ?

Posted by Dirkjan Ochtman <di...@ochtman.nl>.
On Wed, Aug 6, 2014 at 7:52 AM, Dave Cottlehuber <dc...@jsonified.com> wrote:
> This is the `hash admin passwords on startup when list` fix again, which will
> catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
> specifically due to this?

Sounds sane.

Do we not have tests or something to catch this?

Cheers,

Dirkjan

Re: do we need a 1.6.1 ?

Posted by Robert Newson <rn...@apache.org>.
+1 

Sent from my iPhone

> On 6 Aug 2014, at 09:10, Andy Wenk <an...@apache.org> wrote:
> 
> as this is a bit of a security bug I would vote +1
> 
> Cheers
> 
> Andy
> 
> 
> On 6 August 2014 08:52, Dave Cottlehuber <dc...@jsonified.com> wrote:
> 
>>> That was accidental bug which was fixed after release:
>> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
>>> TL;DR remove all the clear text passwords from ini file and set admins
>>> via HTTP API to workaround the issue. This should help.
>>> --
>>> ,,,^..^,,,
>> 
>> This is the `hash admin passwords on startup when list` fix again, which
>> will
>> catch more & more people as time goes on. I’m wondering if we should do a
>> 1.6.1
>> specifically due to this?
>> 
>> A+
>> Dave
> 
> 
> -- 
> Andy Wenk
> Hamburg - Germany
> RockIt!
> 
> GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588
> 
> https://people.apache.org/keys/committer/andywenk.asc

Re: do we need a 1.6.1 ?

Posted by Andy Wenk <an...@apache.org>.
as this is a bit of a security bug I would vote +1

Cheers

Andy


On 6 August 2014 08:52, Dave Cottlehuber <dc...@jsonified.com> wrote:

> > That was accidental bug which was fixed after release:
> >
> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
> > TL;DR remove all the clear text passwords from ini file and set admins
> > via HTTP API to workaround the issue. This should help.
> > --
> > ,,,^..^,,,
> >
>
> This is the `hash admin passwords on startup when list` fix again, which
> will
> catch more & more people as time goes on. I’m wondering if we should do a
> 1.6.1
> specifically due to this?
>
> A+
> Dave
>
>
>


-- 
Andy Wenk
Hamburg - Germany
RockIt!

GPG fingerprint: C044 8322 9E12 1483 4FEC 9452 B65D 6BE3 9ED3 9588

 https://people.apache.org/keys/committer/andywenk.asc

Re: do we need a 1.6.1 ?

Posted by Alexander Shorin <kx...@gmail.com>.
On Wed, Aug 6, 2014 at 10:52 AM, Dave Cottlehuber <dc...@jsonified.com> wrote:
>> That was accidental bug which was fixed after release:
>> https://github.com/apache/couchdb/commit/d43f69d90740d5a230b0054fa32b6843b33691bc
>> TL;DR remove all the clear text passwords from ini file and set admins
>> via HTTP API to workaround the issue. This should help.
>> --
>> ,,,^..^,,,
>>
>
> This is the `hash admin passwords on startup when list` fix again, which will
> catch more & more people as time goes on. I’m wondering if we should do a 1.6.1
> specifically due to this?

+1

--
,,,^..^,,,