[ https://issues.apache.org/jira/browse/CASSANDRA-9384?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16773315#comment-16773315 ]

Dinesh Joshi commented on CASSANDRA-9384:
-----------------------------------------

[~jjirsa] I assume that people actually test new versions of C* before they 
deploy them in prod. With my approach, the newly updated instance will fail to 
come up with the bad setting. Hopefully the bounce will stop before it takes 
down the whole cluster. This is how I would expect bounces to behave. At this 
point I'd expect the operator to look into why C* failed to start and notice 
the error message and do a deeper investigation to fix their issue or add the 
override and move on. This should happen in a dev or test environment. Not prod.

Consider the alternative where someone misses the warning message and doesn't 
read CHANGES.txt. They might get exploited because these messages went 
unnoticed. There is a higher chance of this making it into production without 
an incident. As an operator I would like security vulnerabilities fixed with a 
new release and not just some log messages warning me that they exist.

We can go with [~spo...@gmail.com]'s approach but I feel subtle failure is 
worse than explicit failure at start time.

> Update jBCrypt dependency to version 0.4
> ----------------------------------------
>
>                 Key: CASSANDRA-9384
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-9384
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Sam Tunnicliffe
>            Assignee: Dinesh Joshi
>            Priority: Major
>             Fix For: 2.1.x, 2.2.x, 3.0.x, 3.11.x
>
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2097
> Although the bug tracker lists it as NEW/OPEN, the release notes for 0.4 
> indicate that this is now fixed, so we should update.
> Thanks to [~Bereng] for identifying the issue.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
