Cool ;)
I agree with you that applying a patch using FF is easier to trace.

On Fri, Nov 13, 2015 at 5:53 PM, John Burwell <john.burw...@shapeblue.com>
wrote:

> Rafael,
>
> Excellent news.  Since we found the fix in master, I withdraw my -1 and
> any concerns.
>
> Per the steps I listed, I simply checked that the commit was pulled
> forward.  Since I wrote the patch, I didn’t actually apply the changes to
> 4.5 or master — the reviewer performed these actions.  I agree that those
> applying fixes from other release branches to master must properly fast
> forward to maintain traceability.
>
> Thanks,
> -John
>
> ---
> John Burwell (@john_burwell)
> VP of Software Engineering, ShapeBlue
> (571) 403-2411 | +44 20 3603 0542
> http://www.shapeblue.com | @ShapeBlue
> 53 Chandos Place, Covent Garden, London, WC2N 4HS
>
>
>
> > On Nov 13, 2015, at 2:40 PM, Rafael Weingärtner <rafaelweingart...@gmail.com> wrote:
> >
> > Hi John Burwell,
> > Did you test the RC? Or did you just check if the commit was present?
> >
> > I have just checked and your changes that were introduced using the commit
> > "3a48171bd8a70c6012afce32c7636afffc1d2f7d" to the tag 4.5.2 are indeed in
> > master. The point here is that, when you do a rebase, a new commit is
> > created. Your changes were introduced to master using the commit
> > "ef44c7d305567c99eb1b0ec411a64b4d3582db75"
> >
> > There is no need to stop the release process because of that.
> >
> > On Fri, Nov 13, 2015 at 5:23 PM, John Burwell <john.burw...@shapeblue.com> wrote:
> >
> >> All,
> >>
> >> I realize when I reported my issue, I failed to state my methodology for
> >> determining the fix was not present in RC2.  I performed the following
> >> steps:
> >>
> >> 1. git fetch origin
> >> 2. git checkout master
> >> 3. git rebase origin/master
> >> 4. git tag --contains 3a48171b
> >>
> >> Steps 2 and 3 shouldn’t be necessary, but belts and suspenders.  The
> >> result of these steps was that only the 4.5.2 tag came back as containing
> >> the 3a48171b commit.  There is always the chance that I mucked up the
> >> check, and someone should double check my work before we go through the
> >> effort of pulling back an approved RC.
> >>
> >> Thanks,
> >> -John
> >>
> >> ---
> >> John Burwell (@john_burwell)
> >> VP of Software Engineering, ShapeBlue
> >> (571) 403-2411 | +44 20 3603 0542
> >> http://www.shapeblue.com | @ShapeBlue
> >> 53 Chandos Place, Covent Garden, London, WC2N 4HS
> >>
> >>
> >>
> >>> On Nov 13, 2015, at 2:07 PM, John Burwell <john.burw...@shapeblue.com> wrote:
> >>>
> >>> Wilder,
> >>>
> >>> For now, I am just concerned with averting the security nightmare of shipping a CVE regression.  In terms of process, I don’t know how we proceed.  Were the vote still open, a single binding -1 would abort the RC.  We can either all decide by consensus not to pull back the RC or I can open a vote thread.  Personally, I would prefer consensus.
> >>>
> >>> After 4.6.0, there is no doubt we need to assess how this CVE (and potentially others) were not merged forward.  I am thinking we shift back through the git log to find all known CVE fixes and add each hash to a file representing the commits that must be present.  Our release tests then perform a git tag --contains for each hash to ensure that no CVE fixes have been missed.
> >>>
> >>> Thanks,
> >>> -John
> >>>
> >>> ---
> >>> John Burwell (@john_burwell)
> >>> VP of Software Engineering, ShapeBlue
> >>> (571) 403-2411 | +44 20 3603 0542
> >>> http://www.shapeblue.com | @ShapeBlue
> >>> 53 Chandos Place, Covent Garden, London, WC2N 4HS
> >>>
> >>>
> >>>
> >>>> On Nov 13, 2015, at 1:58 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
> >>>>
> >>>> Hi John,
> >>>>
> >>>> If that actually goes against a community/industry standard, I will support you. It is not in my bucket list to be part of a group that released something that was already destined to fail.
> >>>>
> >>>> However, I would like to make 2 points in this whole thing:
> >>>>
> >>>> 1. It’s a big shame to see that it was only fixed on the 4.5.x and not pushed towards master. We have to stop this.
> >>>> 2. Would be nice to dedicate some time to check the emails around a release cycle to avoid things like that. Cancelling it now means that many people will have to go and redo many tests to make sure everything is fine! Nobody wants a release that was half tested only because a few lines of code changed.
> >>>>
> >>>> If you agree with me, we can cancel it and start the RC3 cycle on the 23rd November. We just need to get the other members of the community to agree on that as well.
> >>>>
> >>>> We just ask Shape Blue to run some tests on the 23rd, that’s all.
> >>>>
> >>>> Cheers,
> >>>> Wilder
> >>>>
> >>>>
> >>>>> On 13 Nov 2015, at 19:25, John Burwell <john.burw...@shapeblue.com> wrote:
> >>>>>
> >>>>> Wilder,
> >>>>>
> >>>>> As a community, we cannot knowingly ship a release containing a CVE regression.  The industry best practice in this circumstance would be to pull the release and notify users not to use it.  Luckily, the release hasn’t shipped yet, we can simply abort and create a new RC with CVE fix(es) included.
> >>>>>
> >>>>> Thanks,
> >>>>> -John
> >>>>>
> >>>>> ---
> >>>>> John Burwell (@john_burwell)
> >>>>> VP of Software Engineering, ShapeBlue
> >>>>> (571) 403-2411 | +44 20 3603 0542
> >>>>> http://www.shapeblue.com | @ShapeBlue
> >>>>> 53 Chandos Place, Covent Garden, London, WC2N 4HS
> >>>>>
> >>>>>
> >>>>>
> >>>>>> On Nov 13, 2015, at 1:11 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
> >>>>>>
> >>>>>> :(
> >>>>>>
> >>>>>> Sad to hear that just that late in the release process, John. Even worse to hear that it was already happening in 4.5.2 - released some months ago. But no worries! With our new release process, we can do things, in a proper way, quicker than before. The ACS 4.6.1 RC1 will be out within 2 weeks from now, fully tested and with the fixes - Redundant VPC split-brain, S3 and your sec issue - included. We will increase the release cycle, not because we release broken stuff, but because we want to decrease the number of open issues.
> >>>>>>
> >>>>>> Our goal is to make ACS better than any cloud platform in the market!
> >>>>>>
> >>>>>> Cheers,
> >>>>>> Wilder
> >>>>>>
> >>>>>>
> >>>>>>> On 13 Nov 2015, at 18:45, John Burwell <john.burw...@shapeblue.com> wrote:
> >>>>>>>
> >>>>>>> All,
> >>>>>>>
> >>>>>>> I realize my vote is coming in after the vote has closed.  However, I found that a fix [1] for at least one CVE that shipped in 4.5.2, CVE 2015-3251, is not present in 4.6.0.  I just happened to notice because someone asked me within the last half hour about the availability of that fix.  I apologize for the late -1 (binding), but, in my opinion, we should never knowingly ship a regression of a CVE fix.  There were other CVEs addressed in 4.5.2, and I am concerned they also may be missing from 4.6.0.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> -John
> >>>>>>>
> >>>>>>> [1]: https://github.com/apache/cloudstack/commit/3a48171b
> >>>>>>>
> >>>>>>> ---
> >>>>>>> John Burwell (@john_burwell)
> >>>>>>> VP of Software Engineering, ShapeBlue
> >>>>>>> (571) 403-2411 | +44 20 3603 0542
> >>>>>>> http://www.shapeblue.com | @ShapeBlue
> >>>>>>> 53 Chandos Place, Covent Garden, London, WC2N 4HS
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>> On Nov 13, 2015, at 11:11 AM, Nux! <n...@li.nux.ro> wrote:
> >>>>>>>>
> >>>>>>>> Good job, everyone! :-)
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> Sent from the Delta quadrant using Borg technology!
> >>>>>>>>
> >>>>>>>> Nux!
> >>>>>>>> www.nux.ro
> >>>>>>>>
> >>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Remi Bergsma" <rberg...@schubergphilis.com>
> >>>>>>>>> To: dev@cloudstack.apache.org
> >>>>>>>>> Sent: Friday, 13 November, 2015 15:16:33
> >>>>>>>>> Subject: [RESULT] [VOTE] Apache CloudStack 4.6.0
> >>>>>>>>
> >>>>>>>>> Hi all,
> >>>>>>>>>
> >>>>>>>>> After 72 hours, the vote for CloudStack 4.6.0 [1] *passes* with 7 PMC + 2
> >>>>>>>>> non-PMC votes.
> >>>>>>>>>
> >>>>>>>>> +1 (PMC / binding)
> >>>>>>>>> * Wilder
> >>>>>>>>> * Nux (Lucian)
> >>>>>>>>> * Rajani
> >>>>>>>>> * Daan
> >>>>>>>>> * Milamber (Bruno)
> >>>>>>>>> * Wido
> >>>>>>>>> * Remi
> >>>>>>>>>
> >>>>>>>>> +1 (non binding)
> >>>>>>>>> * Raja
> >>>>>>>>> * Boris
> >>>>>>>>>
> >>>>>>>>> 0
> >>>>>>>>> none
> >>>>>>>>>
> >>>>>>>>> -1
> >>>>>>>>> none
> >>>>>>>>>
> >>>>>>>>> A huge Thank You to everyone participating! :-)
> >>>>>>>>>
> >>>>>>>>> I will now prepare the release announcement to go out after the weekend. In the
> >>>>>>>>> mean time the mirrors have time to catch up and we have time to update the
> >>>>>>>>> documentation and put everything in place.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> [1] http://cloudstack.markmail.org/message/pah6mhj7qgxewvx2
> >>>>>>>
> >>>>>>> Find out more about ShapeBlue and our range of CloudStack related
> >> services
> >>>>>>>
> >>>>>>> IaaS Cloud Design & Build<
> >> http://shapeblue.com/iaas-cloud-design-and-build//>
> >>>>>>> CSForge – rapid IaaS deployment framework<
> >> http://shapeblue.com/csforge/>
> >>>>>>> CloudStack Consulting<http://shapeblue.com/cloudstack-consultancy/
> >
> >>>>>>> CloudStack Software Engineering<
> >> http://shapeblue.com/cloudstack-software-engineering/>
> >>>>>>> CloudStack Infrastructure Support<
> >> http://shapeblue.com/cloudstack-infrastructure-support/>
> >>>>>>> CloudStack Bootcamp Training Courses<
> >> http://shapeblue.com/cloudstack-training/>
> >>>>>>>
> >>>>>>> This email and any attachments to it may be confidential and are
> >> intended solely for the use of the individual to whom it is addressed.
> Any
> >> views or opinions expressed are solely those of the author and do not
> >> necessarily represent those of Shape Blue Ltd or related companies. If
> you
> >> are not the intended recipient of this email, you must neither take any
> >> action based upon its contents, nor copy or show it to anyone. Please
> >> contact the sender if you believe you have received this email in error.
> >> Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue
> >> Services India LLP is a company incorporated in India and is operated
> under
> >> license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a
> >> company incorporated in Brasil and is operated under license from Shape
> >> Blue Ltd. ShapeBlue SA Pty Ltd is a company registered by The Republic
> of
> >> South Africa and is traded under license from Shape Blue Ltd. ShapeBlue
> is
> >> a registered trademark.
> >>>>>>
> >>>>>
> >>>>
> >>>
> >>
> >>
> >
> >
> >
> > --
> > Rafael Weingärtner
>
>



-- 
Rafael Weingärtner
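
Added example, not part of the thread or of CloudStack's tooling: the release check proposed in the thread (a file of security-fix hashes, each verified against a release ref), extended to recognise a fix that was rebased or cherry-picked and therefore carries a new hash, as happened with 3a48171b and ef44c7d3 above. The manifest format and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not project code). Assumed manifest format, one fix per line:
#   <commit hash> <free-text label, e.g. the CVE id>

# patch_id COMMIT: print the stable patch-id of the commit's diff.
patch_id() {
    git show --no-color "$1" 2>/dev/null | git patch-id --stable | cut -d' ' -f1
}

# fix_status FIX REF: print "ancestor", "equivalent:<sha>" or "missing".
fix_status() {
    fix=$1 ref=$2
    # Case 1: merged or fast-forwarded, so the original hash is in REF's history.
    if git merge-base --is-ancestor "$fix" "$ref" 2>/dev/null; then
        echo ancestor; return 0
    fi
    # Case 2: rebased or cherry-picked, so the hash changed but the diff did not.
    want=$(patch_id "$fix")
    if [ -n "$want" ]; then
        base=$(git merge-base "$fix" "$ref" 2>/dev/null) || base=
        for c in $(git rev-list --no-merges "${base:+$base..}$ref"); do
            if [ "$(patch_id "$c")" = "$want" ]; then
                echo "equivalent:$c"; return 0
            fi
        done
    fi
    echo missing; return 1
}

# check_manifest FILE REF: report every fix; non-zero exit if any is missing.
check_manifest() {
    rc=0
    while read -r sha label; do
        case $sha in ''|'#'*) continue ;; esac
        st=$(fix_status "$sha" "$2") || rc=1
        printf '%s\t%s\t%s\n' "$st" "$sha" "$label"
    done < "$1"
    return $rc
}

# Usage (hypothetical file names): sh check-fixes.sh security-fixes.txt origin/master
if [ "$#" -eq 2 ]; then check_manifest "$1" "$2"; fi
```

A backport whose conflicts were resolved by hand has a different patch-id and is reported as missing, so a "missing" line calls for manual review of the release ref rather than proving the fix is absent.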
