Backporting in such a way that all auth requests will still go to the same request executor as before is OK for me.
On Tue, Nov 5, 2024 at 3:32 PM J. D. Jordan <jeremiah.jor...@gmail.com> wrote: > If I read the ticket correctly, this is preventing bcrypt of incoming > credentials from causing a DOS? > I think that’s reasonable to backport. If we want to be conservative it > could be backported with added code that keeps the current behavior by > default? > > On Nov 5, 2024, at 7:43 AM, Josh McKenzie <jmcken...@apache.org> wrote: > > > I'm neutral to the backport. In terms of the letter of the law, I can see > the argument either way of it being an improvement or a bugfix. > > Definitely wouldn't -1 a backport. > > On Tue, Nov 5, 2024, at 7:23 AM, Mick Semb Wever wrote: > > Can you please put the ticket description in the email. Saves us having > to follow the link to know what you're talking about. > > Yes to backporting this. > > On Tue, 5 Nov 2024 at 10:27, Štefan Miklošovič <smikloso...@apache.org> > wrote: > > Hello, > > I want to ask if there are objections for backporting CASSANDRA-17812 (1) > to 4.0.x and 4.1.x. > > There is a question already in that ticket about backporting from another > person and we keep being asked about this a lot. It seems to me that while > this is technically an improvement, it is so valuable that we should make > an exception here. > > It is even security related. > > (1) https://issues.apache.org/jira/browse/CASSANDRA-17812 > > Regards > > >
