Kathey Marsden wrote:
Given the time constraint I would be ok with backing out
the DERBY-3083 fix for this bug fix release and let it get
resolved in the next bug fix release.
/mikem
Daniel John Debrunner wrote:
Kathey Marsden wrote:
Please test and vote on the 10.3.2.0 release candidate available at:
I'm still thinking about the change made to 10.3 for DERBY-3083.
In 10.2 bringing up the server in all cases did not install a security
manager.
In 10.3.1.4:
- server did not start if the derby jars were re-named and no
security manager was already installed. While this is a regression
from 10.2 it was secure.
In 10.3.2.0
- if the derby jars are renamed then no security manager is
installed. This is a regression security wise from 10.3.1.4 but does
fix a functional regression from 10.3.1.4.
One real concern is that this new behaviour is 10.3.2.0 is not
documented anywhere, it contradicts the existing documentation, thus a
user will assume a security manager has been installed. There's also
no information printed to any error log that no security manager exists.
Thanks Dan for bringing this up before I created the new candidate #:).
It looks like options are:
1) Back out DERBY-3083
2) log a message to the derby.log that no security manager exists,
update the documentation. and create a releaseNote for DERBY-3083.
3) Come to consensus on a better solution.
I'd like to get a new release candidate out Friday at the latest, as I
am going to be out on vacation starting December 17. Thoughts on the
best way to move forward on this?
Kathey
