At this point in the discussion maybe what we need is a clearly stated Jira on the issue and what specifically is needed. Whether it is needed for 0.1 is another matter. It sounds like (potentially) a definite 1.0 issue, but could we get by with a clear "statement of vulnerability" for a 0.x release (if in fact there is an actual vulnerability)?

It sounds like there may be a distinction between "actual" vulnerability and "potential" vulnerability. Whether such a distinction really matters is another matter.

-- Jack Krupansky

-----Original Message----- From: Grant Ingersoll
Sent: Friday, December 10, 2010 9:36 AM
To: connectors-dev@incubator.apache.org
Subject: Re: Release?

I think if there are known vulnerabilities, we need to fix them.

On Dec 10, 2010, at 6:01 AM, Karl Wright wrote:

You can be serious about security without agreeing on the remediation.
This software certainly adhered to MetaCarta standards and was
audited by government agencies as well.  I understand your position,
but I don't know if everyone will see it in a similar way, since a
code audit highlights no problems at this time, because quoteSQLString
is used only on constant values.  What do others think?  If the
incubator would prohibit release on this basis, how in the heck did
solr ever get released?

Karl

On Fri, Dec 10, 2010 at 8:50 AM, Robert Muir <rcm...@gmail.com> wrote:
On Fri, Dec 10, 2010 at 8:42 AM, Karl Wright <daddy...@gmail.com> wrote:
 Do you believe that this is a
requirement for an initial release?  If so, I believe we should
suspend plans for that release and revisit it in February or March.


I'll certainly go along with whatever everyone feels on this one... it
was just always my impression that Apache was pretty serious about
security, but I'm not really sure how this applies to incubating
projects etc.

I thought it was relevant especially since the Solr Wiki says: The
recommended way to add document level security to your search is
through Apache Lucene Connector Framework (LCF).

http://wiki.apache.org/solr/SolrSecurity


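The audit claim in the quoted message, that quoteSQLString is only ever called on constant values, is the kind of thing worth checking mechanically rather than by reading. The following is an added example, not LCF/ManifoldCF code: a small Python script that scans Java source for quoteSQLString( call sites and flags every one whose argument is not built purely from string literals. The Java snippet it scans is constructed for the example; only the helper's name is taken from the thread, and nothing about its real signature or escaping rules is assumed.

```python
import re

# Constructed sample of Java source for this example; it is not LCF/ManifoldCF code.
# Lines 2 and 5 pass only string literals; lines 3 and 4 pass runtime values.
SAMPLE_JAVA = '''
String q1 = "SELECT id FROM jobs WHERE status=" + quoteSQLString("active");
String q2 = "SELECT id FROM jobs WHERE name=" + quoteSQLString(jobName);
String q3 = "DELETE FROM docs WHERE docid=" + quoteSQLString(request.getParameter("id"));
String q4 = "SELECT 1 WHERE x=" + quoteSQLString( "const" + "ant" );
'''

# Heuristic: the helper's name comes from the thread; its real signature and
# escaping rules are not assumed here. The pattern also hits the method's own
# declaration, which simply shows up as one more site to eyeball.
CALL_RE = re.compile(r'\bquoteSQLString\s*\(')

# A "constant" argument is one or more Java string literals joined by '+'.
LITERAL_ONLY = re.compile(
    r'^\s*"(?:[^"\\]|\\.)*"(?:\s*\+\s*"(?:[^"\\]|\\.)*")*\s*$'
)


def extract_argument(src, open_paren):
    """Return the text inside the balanced parentheses whose '(' is at open_paren.

    Tracks string literals so parentheses inside a quoted string do not change
    depth. Returns None if the parentheses never close (truncated source).
    """
    depth = 0
    in_string = False
    i = open_paren
    while i < len(src):
        c = src[i]
        if in_string:
            if c == '\\':
                i += 1          # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c == '(':
            depth += 1
        elif c == ')':
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
        i += 1
    return None


def classify_calls(src):
    """List (line, kind, argument) for every quoteSQLString( call site in src.

    kind is 'constant' when the argument is built only from string literals,
    otherwise 'non-constant' (a variable, a method call, or an unparsable argument).
    """
    results = []
    for m in CALL_RE.finditer(src):
        arg = extract_argument(src, m.end() - 1)
        line = src.count('\n', 0, m.start()) + 1
        if arg is not None and LITERAL_ONLY.match(arg):
            kind = 'constant'
        else:
            kind = 'non-constant'
        results.append((line, kind, arg.strip() if arg is not None else None))
    return results


def non_constant_call_lines(src):
    """Line numbers an auditor must review by hand: calls with non-literal arguments."""
    return [line for line, kind, _ in classify_calls(src) if kind == 'non-constant']


if __name__ == '__main__':
    for line, kind, arg in classify_calls(SAMPLE_JAVA):
        print(f'line {line}: {kind:12s} quoteSQLString({arg})')
    print('needs manual review:', non_constant_call_lines(SAMPLE_JAVA))
```

On the constructed sample this reports lines 3 and 4 as non-constant and lines 2 and 5 as constant. On a real tree you would run it over every .java file and hand-review each flagged site, and re-run it on each release, since an argument that is a literal today can quietly become a request parameter in a later change. It says nothing about whether the quoting itself is correct for the target database; that is a separate review.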