As I understand it, here we depend on a redback 1.2 release to fix that? When will this one be released? Personally, I don't have any objections to trying another release (take 4) if the next redback release which fixes that is available at the end of the week. (Now I know exactly what to do to cut a continuum release; all scripts are ready ;-) ). I consider this issue a blocker if we want to update the continuum instance in vmbuild.
Thoughts?

Thanks,
--
Olivier

2008/9/17 Wendy Smoak <[EMAIL PROTECTED]>:
> On Mon, Sep 15, 2008 at 3:59 AM, Olivier Lamy <[EMAIL PROTECTED]> wrote:
>
>> The last release is 9 months and no one has been done since the TLP
>> graduation.
>> I'd like to release continuum 1.2.
>> We fixed 128 issues :
>> http://jira.codehaus.org/secure/ReleaseNote.jspa?version=13779&styleName=Html&projectId=10540&Create=Create
>>
>> The staging repo is here : http://people.apache.org/~olamy/staging-repo/
>
> If you're using project group permissions, there's a fairly serious
> security issue in 1.2. Any project group admin can grant roles all
> the way up to system administrator, to himself and others.
> (CONTINUUM-1867)
>
> I'm conflicted about releasing this as-is. On one hand, if you're
> depending on the roles to prevent access to projects, it's seriously
> broken. On the other hand... most people I've talked to aren't using
> this feature, and even if the roles *are* working, any developer can
> check in a script, which runs as the Continuum user, and do pretty
> much anything they want.
>
> Thoughts?
>
> --
> Wendy
>
